Releasing Icinga 2.11.8 + 2.12.3: Security and small improvements

by | Dec 15, 2020

Today we are releasing the 2.11.8 and 2.12.3 security & bugfix releases. Both versions contain the same changes.

They resolve a security vulnerability with revoked certificates being renewed automatically ignoring the CRL, issues with high load on Windows regarding the config sync and an issue where users weren’t able to disable/enable Icinga 2 features over the API.

Security

  • Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)

When a CRL is specified in the ApiListener configuration, Icinga 2 only used it when connections were established so far, but not when a certificate is requested. This allows a node to automatically renew a revoked certificate if it meets the other conditions for auto renewal (issued before 2017 or expires in less than 30 days).

Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years, this only affects setups with external certificate signing and revoked certificates that expire in less then 30 days.

 

Bugfixes

  • Improve config sync locking – resolves high load issues on Windows (#8510 / #8511)
  • Fix runtime config updates being ignored for objects without zone (#8550 / #8549)
  • Use proper buffer size for OpenSSL error messages (#8543 / #8542)

Enhancements

  • On checkable recovery: re-check children that have a problem (#8560 / #8506)

 

You May Also Like…

Releasing Icinga DB v1.2.1

Releasing Icinga DB v1.2.1

Today we are releasing a new version of Icinga DB, version 1.2.1, a maintenance release that addresses HA issues and...

Releasing Icinga Director v1.11.3

Releasing Icinga Director v1.11.3

We are happy to announce the release of Icinga Director version 1.11.3. This release addresses few important bug fixes...

Subscribe to our Newsletter

A monthly digest of the latest Icinga news, releases, articles and community topics.