Debian Package Tracker

icingaweb2

simple and responsive web interface for Icinga


general
  • source: icingaweb2 (main)
  • version: 2.10.1-1
  • maintainer: Debian Nagios Maintainer Group (archive) (DMD)
  • uploaders: Markus Frosch [DMD]
  • arch: all
  • std-ver: 4.6.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.4.1-1
  • o-o-sec: 2.4.1-1+deb9u1
  • o-o-bpo: 2.6.2-3~bpo9+1
  • oldstable: 2.6.2-3+deb10u1
  • old-sec: 2.6.2-3+deb10u1
  • stable: 2.8.2-2
  • unstable: 2.10.1-1
versioned links
  • 2.4.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.1-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.6.2-3~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.6.2-3+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.8.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.10.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • icingacli
  • icingaweb2
  • icingaweb2-common (1 bug: 0, 0, 1, 0)
  • icingaweb2-module-doc
  • icingaweb2-module-monitoring
  • php-icinga
action needed
8 security issues in stretch (high)

There are 8 open security issues in stretch.

1 important issue:
  • CVE-2022-24715: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.
7 issues postponed or untriaged:
  • CVE-2018-18246: (needs triaging) Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module.
  • CVE-2018-18247: (needs triaging) Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter.
  • CVE-2018-18248: (needs triaging) Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string.
  • CVE-2018-18249: (needs triaging) Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet.
  • CVE-2018-18250: (needs triaging) Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item.
  • CVE-2021-32746: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
  • CVE-2021-32747: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged-in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it's possible to set up protection rules and blacklists in a user's role. Protection rules result in `***` being shown instead of the original value; the key will remain. Blacklists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists, however, have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question.
Created: 2022-03-09 Last update: 2022-05-03 00:30
4 security issues in bullseye (high)

There are 4 open security issues in bullseye.

2 important issues:
  • CVE-2021-32746: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
  • CVE-2021-32747: Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged-in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it's possible to set up protection rules and blacklists in a user's role. Protection rules result in `***` being shown instead of the original value; the key will remain. Blacklists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists, however, have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question.
2 issues left for the package maintainer to handle:
  • CVE-2022-24714: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensitive information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.
  • CVE-2022-24715: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-07-13 Last update: 2022-05-03 00:30
The package has not entered testing even though the delay is over (normal)
The package has not entered testing even though the 5-day delay is over. Check why.
Created: 2022-04-12 Last update: 2022-05-29 09:34
lintian reports 6 warnings (normal)
Lintian reports 6 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2022-01-01 Last update: 2022-01-01 04:32
4 low-priority security issues in buster (low)

There are 4 open security issues in buster.

4 issues left for the package maintainer to handle:
  • CVE-2021-32746: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
  • CVE-2021-32747: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged-in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it's possible to set up protection rules and blacklists in a user's role. Protection rules result in `***` being shown instead of the original value; the key will remain. Blacklists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists, however, have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question.
  • CVE-2022-24714: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensitive information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.
  • CVE-2022-24715: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-07-13 Last update: 2022-05-03 00:30
Standards version of the package is outdated (wishlist)
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).
Created: 2022-05-11 Last update: 2022-05-11 23:24
testing migrations
  • excuses:
    • Migration status for icingaweb2 (- to 2.10.1-1): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
      • Updating icingaweb2 would introduce bugs in testing: #1000474
    • Additional info:
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/i/icingaweb2.html
      • 52 days old (needed 5 days)
    • Not considered
news
[rss feed]
  • [2022-04-06] Accepted icingaweb2 2.10.1-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2022-03-23] Accepted icingaweb2 2.10.0-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2022-03-08] Accepted icingaweb2 2.9.6-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2022-02-22] icingaweb2 REMOVED from testing (Debian testing watch)
  • [2021-11-25] icingaweb2 2.9.5-1 MIGRATED to testing (Debian testing watch)
  • [2021-11-19] Accepted icingaweb2 2.9.5-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2021-11-16] icingaweb2 2.9.4-1 MIGRATED to testing (Debian testing watch)
  • [2021-11-10] Accepted icingaweb2 2.9.4-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2021-09-20] icingaweb2 2.9.3-1 MIGRATED to testing (Debian testing watch)
  • [2021-09-15] Accepted icingaweb2 2.9.3-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2021-09-14] Accepted icingaweb2 2.9.3-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2021-08-31] icingaweb2 2.8.5-1 MIGRATED to testing (Debian testing watch)
  • [2021-08-25] Accepted icingaweb2 2.8.5-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2021-08-21] icingaweb2 2.8.4-1 MIGRATED to testing (Debian testing watch)
  • [2021-08-15] Accepted icingaweb2 2.8.4-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2021-07-31] Accepted icingaweb2 2.8.4-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2021-07-14] Accepted icingaweb2 2.8.3-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2020-12-23] icingaweb2 2.8.2-2 MIGRATED to testing (Debian testing watch)
  • [2020-12-18] Accepted icingaweb2 2.8.2-2 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2020-12-18] Accepted icingaweb2 2.8.2-2~exp2 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2020-12-14] Accepted icingaweb2 2.8.2-2~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2020-08-25] icingaweb2 2.8.2-1 MIGRATED to testing (Debian testing watch)
  • [2020-08-24] Accepted icingaweb2 2.4.1-1+deb9u1 (source) into oldstable (Roberto C. Sanchez)
  • [2020-08-24] Accepted icingaweb2 2.6.2-3+deb10u1 (source all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
  • [2020-08-23] Accepted icingaweb2 2.6.2-3+deb10u1 (source all) into stable->embargoed, stable (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
  • [2020-08-22] Accepted icingaweb2 2.8.2-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2020-07-05] icingaweb2 2.8.1-1 MIGRATED to testing (Debian testing watch)
  • [2020-06-30] Accepted icingaweb2 2.8.1-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
bugs [bug history graph]
  • all: 4
  • RC: 1
  • I&N: 1
  • M&W: 2
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 6)
  • buildd: logs, clang
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 2.10.1-1
  • 5 bugs

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers