Icinga Security Releases – 1.10.2, 1.9.4, 1.8.5

Following up on our recent Icinga 1.10.2 bug fix release, we have backported patches to older versions and now present 1.8.5 and 1.9.4 for download.
These two new bug fix releases are important for users who allow public access to their Classic UI. In particular they deal with susceptibilities to:

  • (CVE-2013-7106) Buffer overflow errors, as fixed in #5250
  • (CVE-2013-7108) Off-by-one errors, as fixed in #5251

Please note: CVE-2013-7107 was identified and is being addressed with issue #5346. A fix will be integrated into Icinga 1.11. In the meantime, we recommend that affected users manage their user rights in the Classic UI accordingly.
Once again we thank the DTAG Group Information Security for their advice.
For a quick upgrade, keep an eye on our auto-built packages. As always, we welcome your feedback on our development tracker and support channels.

Icinga 1.10.2 Bug Fix Release

Icinga 1.10.2 is out for download and is our prompt response to potential security issues. In particular, this release is recommended for users who allow public access to their Classic UI.
Aside from this, Icinga 1.10.2 irons out Oracle compiling and upgrading in IDOUtils and adds a few minor config-related fixes to the Core. See our change log for more details.
Thanks to all users who have contributed their patches and bug reports, and special kudos go to DTAG Group Information Security for alerting us to the security threats. Our development tracker is always open and we look forward to receiving your continued feedback.

CHANGE LOG

CORE

  • Add an Icinga syntax plugin for Vim #4150 – LE/MF
  • Document dropped options log_external_commands_user and event_profiling_enabled #4957 – BA
  • Type in spec file on ido2db startup #5000 – MF
  • Build fails: xdata/xodtemplate.c requires stdint.h #5021 – SH

CLASSIC UI

  • Fix status output in JSON format not including short and long plugin output properly #5217 – RB
  • Fix possible buffer overflows #5250 – RB
  • Fix Off-by-one memory access in process_cgivars() #5251 – RB

IDOUTILS

  • IDOUtils Oracle compile error #5059 – TD
  • Oracle update script 1.10.0 fails while trying to drop nonexisting index #5256 – RB