icingaweb2 - Debian Package Tracker

general

source: icingaweb2 (main)
version: 2.13.0-1
maintainer: Debian Nagios Maintainer Group (archive) (DMD)
uploaders: Markus Frosch [DMD] – Bas Couwenberg [DMD]
arch: all
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.8.2-2
oldstable: 2.11.4-2+deb12u1
stable: 2.12.4-2
testing: 2.13.0-1
unstable: 2.13.0-1

versioned links

2.8.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.11.4-2+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.12.4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.13.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

icingacli
icingaweb2
icingaweb2-common
icingaweb2-module-doc
icingaweb2-module-monitoring
php-icinga

action needed

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2022-50942: Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks.

Created: 2026-02-01 Last update: 2026-04-28 19:02

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2022-50942: Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks.

Created: 2026-02-01 Last update: 2026-04-28 19:02

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2022-50942: Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks.

Created: 2026-02-01 Last update: 2026-04-28 19:02

9 security issues in bullseye high

There are 9 open security issues in bullseye.

1 important issue:

CVE-2022-50942: Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks.

8 issues postponed or untriaged:

CVE-2021-32746: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
CVE-2021-32747: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it's possible to setup protection rules and blacklists in a user's role. Protection rules result in `***` being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists however have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question.
CVE-2022-24714: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.
CVE-2022-24715: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.
CVE-2025-27404: (postponed; to be fixed through a stable update) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
CVE-2025-27405: (postponed; to be fixed through a stable update) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
CVE-2025-27609: (postponed; to be fixed through a stable update) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability.
CVE-2025-30164: (postponed; to be fixed through a stable update) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 vulnerability allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows to manipulate the backend to redirect the user to any location. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. No known workarounds are available.

Created: 2026-02-01 Last update: 2026-04-28 19:02

5 security issues in bookworm high

There are 5 open security issues in bookworm.

5 important issues:

CVE-2022-50942: Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks.
CVE-2025-27404: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
CVE-2025-27405: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
CVE-2025-27609: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability.
CVE-2025-30164: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 vulnerability allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows to manipulate the backend to redirect the user to any location. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. No known workarounds are available.

Created: 2025-03-27 Last update: 2026-04-28 19:02

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.13.0-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit d816c73d3947327b4b336e41bde208a3a065cf69
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Sat May 16 19:04:15 2026 +0200

    Update lintian overrides.

commit 2159599da124971d9e173f49b328742df5948ca7
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Sat May 16 19:01:15 2026 +0200

    Update changelog.

commit 9badaef196bd6fabd4fc3abb4b3805a667468101
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Sat May 16 19:00:42 2026 +0200

    Align values.

commit 3d11cb55d08aca213b0dc4f552b71121158a13de
Author: Luca Boccassi <luca.boccassi@gmail.com>
Date:   Fri May 15 22:19:18 2026 +0100

    Install and use sysusers.d/tmpfiles.d config files
    
    sysusers.d/tmpfiles.d config files allow a package to use declarative
    configuration instead of manually written maintainer scripts. This also
    allows image-based systems to be created with /usr/ only, and also
    allows for factory resetting a system and recreating /etc/ on boot.
    
    https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html
    https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html

commit d92b59b9e788a9a161b7b325ebcdf65e5c3b7ba5
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Sat Apr 4 10:27:49 2026 +0200

    Bump Standards-Version to 4.7.4, no changes.

commit 49bb06c4e09c147532cb87ee890ab25f2b4c1ecc
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Sun Mar 29 16:22:27 2026 +0200

    Enable build profile CI job.

commit 31b6afd5485fd1142c399e229654d8e82069f4cb
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Sat Mar 28 17:34:37 2026 +0100

    Update NEWS to reflect transitional package removal.

commit e898789dc6b572a988d9dff0c630b8a06c81dddd
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Sat Mar 28 17:28:12 2026 +0100

    Drop icingaweb2-module-monitoring transitional package, icingadb-web gets installed via icingaweb2 Recommends.

commit 15c1a3f68501415e8643f161c920e0a18a70c618
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Sat Mar 28 13:55:07 2026 +0100

    Mention disabling the monitoring module in NEWS.

Created: 2026-01-03 Last update: 2026-05-16 18:19

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-16 Last update: 2026-05-16 16:31

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-03-31 15:01

news

[rss feed]

[2026-04-02] icingaweb2 2.13.0-1 MIGRATED to testing (Debian testing watch)
[2026-03-28] Accepted icingaweb2 2.13.0-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-11-25] icingaweb2 2.12.6-1 MIGRATED to testing (Debian testing watch)
[2025-11-19] Accepted icingaweb2 2.12.6-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-08-16] icingaweb2 2.12.5-1 MIGRATED to testing (Debian testing watch)
[2025-08-10] Accepted icingaweb2 2.12.5-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-07-16] Accepted icingaweb2 2.12.5-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-05-20] icingaweb2 2.12.4-2 MIGRATED to testing (Debian testing watch)
[2025-05-14] Accepted icingaweb2 2.12.4-2 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-03-31] icingaweb2 2.12.4-1 MIGRATED to testing (Debian testing watch)
[2025-03-26] Accepted icingaweb2 2.12.4-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-11-19] icingaweb2 2.12.2-1 MIGRATED to testing (Debian testing watch)
[2024-11-13] Accepted icingaweb2 2.12.2-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-11-21] icingaweb2 2.12.1-1 MIGRATED to testing (Debian testing watch)
[2023-11-16] Accepted icingaweb2 2.12.1-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-10-06] icingaweb2 2.12.0-1 MIGRATED to testing (Debian testing watch)
[2023-09-29] Accepted icingaweb2 2.12.0-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-09-22] Accepted icingaweb2 2.12.0-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-08-26] Accepted icingaweb2 2.11.4-2+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
[2023-08-15] icingaweb2 2.11.4-3 MIGRATED to testing (Debian testing watch)
[2023-08-09] Accepted icingaweb2 2.11.4-3 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-02-02] icingaweb2 2.11.4-2 MIGRATED to testing (Debian testing watch)
[2023-01-28] Accepted icingaweb2 2.11.4-2 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-01-26] Accepted icingaweb2 2.11.4-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2022-12-20] icingaweb2 2.11.3-1 MIGRATED to testing (Debian testing watch)
[2022-12-14] Accepted icingaweb2 2.11.3-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2022-12-10] icingaweb2 2.11.2-2 MIGRATED to testing (Debian testing watch)
[2022-12-05] Accepted icingaweb2 2.11.2-2 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2022-11-10] icingaweb2 2.11.2-1 MIGRATED to testing (Debian testing watch)
[2022-11-05] Accepted icingaweb2 2.11.2-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.12.6-1
6 bugs