icinga2 - Debian Package Tracker

general

source: icinga2 (main)
version: 2.13.1-1
maintainer: Debian Nagios Maintainer Group (archive) (DMD)
uploaders: Alexander Wirt [DMD] – Markus Frosch [DMD] – Jan Wagner [DMD]
arch: all any
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.6.0-2+deb9u1
o-o-bpo: 2.10.3-2~bpo9+1
oldstable: 2.10.3-2+deb10u1
stable: 2.12.3-1
testing: 2.13.1-1
unstable: 2.13.1-1

versioned links

2.6.0-2+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.10.3-2~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.10.3-2+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.12.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.13.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

icinga2 (3 bugs: 0, 1, 2, 0)
icinga2-bin (1 bugs: 0, 1, 0, 0)
icinga2-common (1 bugs: 0, 1, 0, 0)
icinga2-doc
icinga2-ido-mysql (2 bugs: 0, 2, 0, 0)
icinga2-ido-pgsql
vim-icinga2

action needed

9 security issues in stretch high

There are 9 open security issues in stretch.

3 important issues:

CVE-2021-32739: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-ony user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node's certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. That certificate may in turn be used to steal an endpoint or API user's identity. Versions 2.12.5 and 2.11.10 both contain a fix the vulnerability. As a workaround, one may either specify queryable types explicitly or filter out ApiListener objects.
CVE-2021-32743: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there. If credentials with more permissions are in use, this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases, these passwords are no longer exposed via the API. As a workaround, API user permissions can be restricted to not allow querying of any affected objects, either by explicitly listing only the required object types for object query permissions, or by applying a filter rule.
CVE-2021-37698: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Such instances should also change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB. There are no workarounds aside from upgrading.

6 issues postponed or untriaged:

CVE-2017-16933: (needs triaging) etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the $ICINGA2_USER account for creation of a link.
CVE-2018-6532: (needs triaging) An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted (authenticated and unauthenticated) requests, an attacker can exhaust a lot of memory on the server side, triggering the OOM killer.
CVE-2018-6533: (needs triaging) An issue was discovered in Icinga 2.x through 2.8.1. By editing the init.conf file, Icinga 2 can be run as root. Following this the program can be used to run arbitrary code as root. This was fixed by no longer using init.conf to determine account information for any root-executed code (a larger issue than CVE-2017-16933).
CVE-2018-6534: (needs triaging) An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted messages, an attacker can cause a NULL pointer dereference, which can cause the product to crash.
CVE-2018-6535: (needs triaging) An issue was discovered in Icinga 2.x through 2.8.1. The lack of a constant-time password comparison function can disclose the password to an attacker.
CVE-2018-6536: (needs triaging) An issue was discovered in Icinga 2.x through 2.8.1. The daemon creates an icinga2.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for icinga2.pid modification before a root script executes a "kill `cat /pathname/icinga2.pid`" command, as demonstrated by icinga2.init.d.cmake.

Created: 2021-07-15 Last update: 2021-08-25 09:00

4 security issues in buster high

There are 4 open security issues in buster.

3 important issues:

CVE-2021-32739: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-ony user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node's certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. That certificate may in turn be used to steal an endpoint or API user's identity. Versions 2.12.5 and 2.11.10 both contain a fix the vulnerability. As a workaround, one may either specify queryable types explicitly or filter out ApiListener objects.
CVE-2021-32743: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there. If credentials with more permissions are in use, this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases, these passwords are no longer exposed via the API. As a workaround, API user permissions can be restricted to not allow querying of any affected objects, either by explicitly listing only the required object types for object query permissions, or by applying a filter rule.
CVE-2021-37698: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Such instances should also change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB. There are no workarounds aside from upgrading.

1 issue left for the package maintainer to handle:

CVE-2020-29663: (needs triaging) Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. This issue is fixed in Icinga 2 v2.11.8 and v2.12.3.

You can find information about how to handle this issue in the security team's documentation.

Created: 2021-02-19 Last update: 2021-08-25 09:00

3 security issues in bullseye high

There are 3 open security issues in bullseye.

3 important issues:

CVE-2021-32739: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-ony user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node's certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. That certificate may in turn be used to steal an endpoint or API user's identity. Versions 2.12.5 and 2.11.10 both contain a fix the vulnerability. As a workaround, one may either specify queryable types explicitly or filter out ApiListener objects.
CVE-2021-32743: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there. If credentials with more permissions are in use, this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases, these passwords are no longer exposed via the API. As a workaround, API user permissions can be restricted to not allow querying of any affected objects, either by explicitly listing only the required object types for object query permissions, or by applying a filter rule.
CVE-2021-37698: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Such instances should also change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB. There are no workarounds aside from upgrading.

Created: 2021-07-15 Last update: 2021-08-25 09:00

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2021-08-14 Last update: 2021-09-20 04:01

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

icinga2-doc could be marked Multi-Arch: foreign
icinga2 could be marked Multi-Arch: same

Created: 2016-09-14 Last update: 2021-09-19 22:39

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-09-11 Last update: 2021-09-19 22:37

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.13.1-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 0cffc0fa8d6c70661c0c89c8b4ad7fc7eb726d25
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Wed Sep 8 17:52:03 2021 +0200

    Bump Standards-Version to 4.6.0, no changes.

Created: 2021-09-08 Last update: 2021-09-16 17:35

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2021-09-06 Last update: 2021-09-06 18:32

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2020-12-12 Last update: 2020-12-12 22:05

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.5.1).

Created: 2021-08-18 Last update: 2021-08-20 02:05

testing migrations

This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2021-08-25] icinga2 2.13.1-1 MIGRATED to testing (Debian testing watch)
[2021-08-19] Accepted icinga2 2.13.1-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2021-08-15] Accepted icinga2 2.12.5-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2021-08-04] Accepted icinga2 2.13.0-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2021-07-16] Accepted icinga2 2.12.5-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2021-05-27] Accepted icinga2 2.12.4-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-12-18] icinga2 2.12.3-1 MIGRATED to testing (Debian testing watch)
[2020-12-16] Accepted icinga2 2.12.3-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-12-01] icinga2 2.12.2-1 MIGRATED to testing (Debian testing watch)
[2020-11-26] Accepted icinga2 2.12.2-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-11-22] Accepted icinga2 2.12.1-2 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-10-23] icinga2 2.12.1-1 MIGRATED to testing (Debian testing watch)
[2020-10-23] icinga2 2.12.1-1 MIGRATED to testing (Debian testing watch)
[2020-10-18] Accepted icinga2 2.12.1-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-09-19] Accepted icinga2 2.10.3-2+deb10u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
[2020-09-16] icinga2 2.11.5-1 MIGRATED to testing (Debian testing watch)
[2020-09-14] Accepted icinga2 2.11.5-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-08-07] Accepted icinga2 2.12.0-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-03-17] Accepted icinga2 2.12.0~rc1-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-03-16] icinga2 2.11.3-2 MIGRATED to testing (Debian testing watch)
[2020-03-09] Accepted icinga2 2.11.3-2 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-03-08] icinga2 2.11.3-1 MIGRATED to testing (Debian testing watch)
[2020-03-03] Accepted icinga2 2.11.3-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2019-11-24] Removed 2.11.1-2~exp1 from experimental (Debian FTP Masters)
[2019-11-24] Removed 2.11.0~rc1-1~exp2 from experimental (Debian FTP Masters)
[2019-11-01] icinga2 2.11.2-1 MIGRATED to testing (Debian testing watch)
[2019-10-26] Accepted icinga2 2.11.2-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2019-10-25] Accepted icinga2 2.11.1-2 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2019-10-25] icinga2 2.11.1-1 MIGRATED to testing (Debian testing watch)
[2019-10-18] Accepted icinga2 2.11.1-2~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)

bugs [bug history graph]

all: 7
RC: 0
I&N: 5
M&W: 2
F&P: 0
patch: 1

links

homepage
lintian (0, 1)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (100, -)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.12.3-1
5 bugs