Releases: Icinga/icinga2
Icinga 2 v2.14.3
This security release fixes a TLS certificate validation bypass.
Given the severity of that issue, users are advised to upgrade all nodes immediately.
- Security: fix TLS certificate validation bypass. CVE-2024-49369
- Security: update OpenSSL shipped on Windows to v3.0.15.
- Windows: sign MSI packages with a certificate the OS trusts by default.
Icinga 2 v2.13.10
This security release fixes a TLS certificate validation bypass.
Given the severity of that issue, users are advised to upgrade all nodes immediately.
- Security: fix TLS certificate validation bypass. CVE-2024-49369
- Security: update OpenSSL shipped on Windows to v3.0.15.
- Windows: sign MSI packages with a certificate the OS trusts by default.
Icinga 2 v2.12.11
This security release fixes a TLS certificate validation bypass.
Given the severity of that issue, users are advised to upgrade all nodes immediately.
- Security: fix TLS certificate validation bypass. CVE-2024-49369
- Security: update OpenSSL shipped on Windows to v3.0.15.
- Windows: sign MSI packages with a certificate the OS trusts by default.
Icinga 2 v2.11.12
This security release fixes a TLS certificate validation bypass. Given the severity of that issue, users are advised to upgrade all nodes immediately.
- Security: fix TLS certificate validation bypass. CVE-2024-49369
- Security: update OpenSSL shipped on Windows to v3.0.15.
- Windows: sign MSI packages with a certificate the OS trusts by default.
Icinga 2 v2.14.2
Version 2.14.2 is a hotfix release for master nodes that mainly fixes excessive disk usage caused by the InfluxDB writers.
Icinga 2 v2.14.1
Version 2.14.1 is a hotfix release for masters and satellites that mainly
prevents permanent disintegration of a whole cluster due to root CA expiry.
Security
- Automatically renew own root CA and distribute it to all nodes. #9933
- Update OpenSSL shipped on Windows to v3.0.12. #9946
- Disable TLS renegotiation (handshake on existing connection). #9946
Bugfixes
- Icinga DB feature: fix crash due to missing NULL pointer check. #9946
- Icinga DB feature: fix data written into Redis crashing the Go daemon. #9946
- GelfWriter: fix deadlock on stop/reload caused by busy queue. #9947
- Don't lose notifications due to too long output, truncate it. #9947
Enhancements
- Discard duplicate problem notifications due to state filtering. #9932
- Speed up API filters targeting specific hosts/services to O(1). #9944
- POST /v1/console/*: return HTTP 503 while Icinga is reloading. #9947
- Update Boost shipped on Windows to v1.83. #9946
- Documentation: several fixes and improvements. #9921
Icinga 2 v2.13.9
Version 2.13.9 is a hotfix release for masters and satellites that mainly
prevents permanent disintegration of a whole cluster due to root CA expiry.
Security
- Automatically renew own root CA and distribute it to all nodes. #9934
- Update OpenSSL shipped on Windows to v3.0.12. #9945
- Disable TLS renegotiation (handshake on existing connection). #9945
Bugfixes
- Icinga DB feature: fix crash due to missing NULL pointer check. #9945
- Icinga DB feature: fix data written into Redis crashing the Go daemon. #9945
Updates
- Update Boost shipped on Windows to v1.83. #9945
Icinga 2 v2.14.0
Notes
Upgrading docs: https://icinga.com/docs/icinga2/snapshot/doc/16-upgrading-icinga-2/#upgrading-to-2-14
Thanks to all contributors: atj, atwebm, cspeterson, cycloon, DamianoChini, efuss, fabieins, haxtibal, jaapmarcus, log1-c, lrupp, maggu, mcodato, Napsty, orbison, peteeckel, slalomsk8er, stevie-sy, Tqnsls
Breaking Changes
- Remove CheckResultReader (which has been deprecated since v2.9). #9714
- Remove StatusDataWriter (which has been deprecated since v2.9). #9715
- ElasticsearchWriter: drop support for Elasticsearch < v7. #9812
- Consider a checkable unreachable once one Dependency fails.
Previously all of them had to fail. (Consult the upgrading docs.) #8218 - API: reject config modifications during reload with HTTP status 503. #9445
icinga2 daemon
: to reduce config load time, write file needed by
icinga2 object list
only if--dump-objects
is given. #9586 #9591- Default email notification scripts: link to Icinga DB Web,
not the monitoring module. (Consult the upgrading docs.) #9742 #9757 - API: for security reasons hide TicketSalt in /v1/variables. #7863
Icinga 2 Config DSL
- Disallow global variable modification after config commit start (i.e.
insideobject/apply T "x" { ... }
) to reduce config load time. #9740 - Forbid Dependency cycles at config load time. #8389
- Allow only strings in the arrays Host#groups, Service#groups and
User#groups. Needed for consistency, especially by the IDO. #9057 - Disallow empty object names. (They worked only partially anyway.) #9409
Windows Agent only
The official MSIs don't include the following features anymore.
They weren't intended, tested or needed on Windows and only waste build time,
bandwidth and disk space. Both new installations and upgrades are affected.
- ElasticsearchWriter #9704
- GelfWriter #9704
- GraphiteWriter #9704
- InfluxdbWriter and Influxdb2Writer #9704
- OpenTsdbWriter #9704
- PerfdataWriter #9704
We also don't ship the following files anymore.
(You can still obtain them manually.)
On the other hand MSIs are now 75% smaller than before.
Enhancements
- Significantly reduce config load time of large setups.
#8118 #9555 #9557 #9572 #9577 #9603 #9608 #9627 #9648 #9657 #9662 - Allow to connect dependencies via redundancy groups. Only parents within
one group are assumed to provide redundancy for each other. #8218 - Built-in check command ifw-api, communicates directly with the Icinga for
Windows REST API. (Doesn't spawn a PowerShell process for that.) #9062 - JournaldLogger which logs to systemd journal. #9000
- API: POST /v1/objects: allow to discard some previously modified attributes,
i.e. to restore the config files' values. #9783 - ElasticsearchWriter: support Elasticsearch v8. #9812
- Support
$env.ENV_VAR_NAME$
macros. #8302 - Speed up Icinga DB config dump. #9524
- Default mail notification scripts: also print
$host.notes$
and$service.notes$
. #9713 - Enable built-in OpenSSL DH parameters to allow DHE TLS ciphers. #9811
- Clean up global default TLS cipher list to improve security. #9809
- Influxdb(2)Writer: write more precise timestamps (nanoseconds). #9599
Bugfixes
- Icinga DB feature: normalize several Redis data not to crash the Go daemon.
#9772 #9775 #9792 #9793 #9794 #9805 - Fix parsing of perfdata across multiple lines in plugin output. #8969
- icinga check: fix last reload failure time. #8429 #9827
- Resolve macros inside custom vars of IcingaApplication. #9779
- SELinux: allow Icinga and its plugins to write to syslog. #9688
- ElasticsearchWriter: fix data buffer flush race condition during stop. #9810
- Trigger flexible downtimes not in the past if checkable is already down. #9726
- Send downtime expiration notifications immediately, not after up to a minute. #9726
Cluster
- Don't hang in timed out connection attempt. #9711 #9725
- Fix lost acknowledgements after re-connect. #9718
- cluster-zone check: don't complain about not connected
other local zone members if there aren't any. #8595 - Allow agent to update executions delegated to it via /v1/actions/execute-command. #8627
API
- Disallow breaking inter-object relationships by changing
relationship attributes at runtime, e.g.Service#host_name
. #9407 - Correct several HTTP response status codes. #7958 #9354
- Correct Boolean field types previously reported by /v1/types as Number. #9514
CLI
icinga2 daemon
: fix -DConfiguration.Concurrency= flag
which now allows to override the number of threads. #9643icinga2 node wizard
: avoid unnecessary chown(2) which may fail and abort the wizard. #8744- Correct several log messages. #8895 #8965 #9663
ITL
Add linux_netdev
check command. #9045
Command Argument Changes
disk
: don't pass -m (disk_megabytes
) by default. #9642disk
: pass -X fuse.portal (disk_exclude_type
) by default. #9459http
: support multiple -k (http_header
) as array. #8574icmp
: double defaults for -w (icmp_wpl
) and -c (icmp_cpl
). #9041logfiles
: pass --winwarncrit (logfiles_winwarncrit
) without argument. #9056nwc_health
: pass SNMPv3-only args only when using SNMPv3. #9095vmware-esx-dc-runtime-tools
andvmware-esx-soap-vm-runtime-tools
:
rename--open-vm-tools
to--open_vm_tools_ok
(vmware_openvmtools
). #9611
New Command Arguments
Command | Argument | Custom Variable | PR |
---|---|---|---|
disk |
-P |
disk_inode_perfdata |
#9494 |
esxi_hardware |
--format |
esxi_hardware_format |
#9435 |
esxi_hardware |
--pretty |
esxi_hardware_pretty |
#9435 |
http |
--verify-host |
http_verify_host |
#8005 |
icingacli-businessprocess |
--ack-is-ok |
icingacli_businessprocess_ackisok |
#9103 |
icingacli-businessprocess |
--blame |
icingacli_businessprocess_blame |
#9103 |
icingacli-businessprocess |
--colors |
icingacli_businessprocess_colors |
#9103 |
icingacli-businessprocess |
--downtime-is-ok |
icingacli_businessprocess_downtimeisok |
#9103 |
icingacli-businessprocess |
--root-cause |
icingacli_businessprocess_rootcause |
#9103 |
mem |
-a |
mem_available |
#9385 |
mongodb |
--disable_retry_writes |
mongodb_disableretrywrites |
#9539 |
mongodb |
--ssl-ca-cert-file |
mongodb_ssl_ca_cert_file |
#9610 |
mysql |
--extra-opts |
mysql_extra_opts |
#9197 |
nrpe |
-3 |
nrpe_version_3 |
#9296 |
nrpe |
-D |
nrpe_no_logging |
#9016 |
nrpe |
-P |
nrpe_payload_size |
#9032 |
pgsql |
--extra-opts |
pgsql_extra_opts |
#9197 |
postgres |
$PGCONTROLDATA (env. var.) |
`postgres_pgcontroldata... |
Icinga 2 v2.13.8
Version 2.13.8 is a maintenance release that fixes some bugs,
especially Icinga DB crashes, and updates several bundled libraries.
Bugfixes
- Icinga DB feature: normalize several Redis data not to crash the Go daemon. #9814
- Don't hang in timed out connection attempt. #9815
- Trigger flexible downtimes not in the past if checkable is already down. #9817
- ElasticsearchWriter: fix data buffer flush race condition during stop. #9818
- SELinux: allow Icinga and its plugins to write to syslog. #9819
- Fix lost acknowledgements after re-connect. #9820
- Fix parsing of perfdata across multiple lines in plugin output. #9821
- cluster-zone check: don't complain about not connected
other local zone members if there aren't any. #9822
Updates
- Update Boost shipped on Windows to v1.82. #9816
- Update OpenSSL shipped on Windows to v3.0.9. #9816
- Update vendored https://github.com/nlohmann/json to v3.9.1. #9816
- Update vendored https://github.com/nemtrif/utfcpp to v3.2.3. #9816
Icinga 2 v2.13.7
This security release updates Boost and OpenSSL libraries bundled on Windows
and repairs broken SELinux policies. By the way it fixes several other bugs.
Security
- Windows: update bundled OpenSSL to v1.1.1t. #9672
Bugfixes
- SELinux: fix user and domain creation by explicitly setting the role. #9690
- Signal handlers: don't interrupt and break plugins spawning. #9682
- Icinga DB: take check_period into account during overdue calculation. #9679
- Avoid corrupted files: use fsync(2)/FlushFileBuffers() everywhere. #9681
- Solaris: fix compile error. #9680