Icinga 1.13.0 released

logo_icingaWhile you may have seen a lot of updates in our 2.x development head, Icinga 1.x is still alive and being patched and bug-fixed. Some smaller features have also been incorporated into 1.13.0 so consider upgrading your existing installation.
 

Changelog Core, IDOUtils, Classic UI

CHANGES

  • Remove deprecated event_profiling_enabled from icinga.cfg
  • Remove deprecated broker_module from icinga.cfg (use module object configuration instead)
  • Add module config examples in modules/ directory (livestatus, mod_gearman, pnp4nagios, flapjack)
  • Move contrib/downtimes to tools/downtimes and add ‘make install-downtimes’

FEATURES

  • Feature #1867: Recurring Downtimes
  • Feature #6353: deprecate icinga.cfg:broker_module; add more module examples
  • Feature #8007: Implement an option to disable transactions
  • Feature #8139: Add functions for registering file descriptors closed on fork()
  • Feature #8140: Add Check Result List Mutex for NEB modules
  • Feature #8426: Remove constraint from *dependencies tables
  • Feature #8440: Enhance idomod logging

FIXES

  • Bug #6263: Race condition in init.d scripts’ stop
  • Bug #6762: Icinga crashes when “args” attribute is not specified for modules
  • Bug #7004: GET form param has no effect on cmd.cgi acks (again)
  • Bug #8202: Cool tip text for refresh of hosts and services says “I’m so lonely up here. Where should I go?”
  • Bug #8441: require the ‘config_file’ argument in idomod modules configuration
  • Bug #8445: cmd.cgi use_ack_end_time param does not enable tickbox in form

Download icinga-1.13.0 here.

Changelog Web

Security

  • Ewoud Kohl van Wijngaarden found a way for an SQL injection in Icinga Web’s API. An authenticated user could inject SQL code via a crafted JSON filter (#7924, CVE-2015-2685)

We recommend to update your installation to 1.13.0 as the features are minimal invasive.
Notable changes and features

  • The log now contains the ip address of a user login failed, or the user just logged in and out (#7357)
  • We implemented a command log that contains any command that is send to the Icinga core by an user – written to a separate log file command-20XX-XX-XX.log (#7893)
  • (Bug) Acknowledgments where sent without a proper sticky declaration. This problem has been fixed and host or service acknowledgments are now sticky by default – what it should and was intended to be. (#5838 #7003) Please review our documentation if you are not sure what sticky means.
  • Grids can now display customvariables. Because customvariables are customised on every installation, this feature is disabled by default. See  doc/grids_and_customvars.md for further information.

Other bugs

  • When using Kerberos authentication in a web server a user could receive all credentials when he had a role that had no credentials set (#7892) In our tests that only happens with Kerberos users.
  • When a user could not be imported during login the database exception was not generated correctly (#8301)
  • Don’t contact more authentication providers than necessary during login. Thanks to Victor Hahn (#8341)
  • Fixed the irritating error during application state reset (#8523) The state was always cleared, but an error popped up for the user.

Download icinga-web-1.13.0 here.

Debian Testing introduces Apache 2.4 – Changes for Icinga Classic UI & Web

Since my workstation at home runs Debian Testing, today’s dist-upgrade unveiled the “monster” I was waiting for – Apache 2.4 was migrated to Debian Testing and so the default configuration paths did change (not to say “broken with 404”). Both Icinga Classic UI and Web Apache configuration were not found anymore – because /etc/apache2/conf.d isn’t included anymore by default in /etc/apache2/apache2.conf which happened during package upgrade. Sadly there was no Changelog warning popping up, so it did bite me very well.
The default location is now /etc/apache2/conf-available and it follows the method of sites-available – you are required to enable specific configuration too. The following examples show you how to achieve that natively with current source installations of Icinga Classic UI and Web:
Icinga Classic UI

# ./configure --with-httpd-conf=/etc/apache2/conf-available
# make install-webconf
# a2enconf icinga
# service apache2 reload

Icinga Web

# ./configure --with-web-apache-path=/etc/apache2/conf-available
# make install-apache-config
# a2enconf icinga-web
# service apache2 reload

If you want to migrate an existing installation, you can just move the config files from within /etc/apache2/conf.d to /etc/apache2/conf-available and enable them afterwards. The example assumes that both Icinga Classic UI and Web are installed.

# mv /etc/apache2/conf.d/icinga*.conf /etc/apache2/conf-available
# a2enconf icinga icinga-web
# service apache2 reload

Both installations will detect the default locations properly in future releases (#4508 and #4509), the fixes are already in git ‘next’ for 1.10.
Oh, and if you are using Debian packagesAlex and Markus already had a fight with Apache 2.4 making icinga-cgi and icinga-web work in current Debian Testing tree. Still, you may wanna move/migrate your existing configuration manually 🙂

CVE-2013-2214 not valid for Icinga Classic UI

You may have seen CVE-2013-2214 allowing non-authorized users to view certain details in servicegroups. Ricardo verified the CVE details against Icinga Classic UI, and enlightened me that this behaviour was fixed long time ago. Icinga Classic UI first fetches all the data, applies filters and authorization checks against it, and then displays that data set not allowing any flaws here.
So you can fully ignore the CVE, it only applies to Nagios even if stated otherwise somewhere.