icingaweb2 - Debian Package Tracker

general

source: icingaweb2 (main)
version: 2.9.3-1
maintainer: Debian Nagios Maintainer Group (archive) (DMD)
uploaders: Markus Frosch [DMD]
arch: all
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.4.1-1
o-o-sec: 2.4.1-1+deb9u1
o-o-bpo: 2.6.2-3~bpo9+1
oldstable: 2.6.2-3+deb10u1
old-sec: 2.6.2-3+deb10u1
stable: 2.8.2-2
testing: 2.8.5-1
unstable: 2.9.3-1

versioned links

2.4.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4.1-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.6.2-3~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.6.2-3+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.8.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.8.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.9.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

icingacli
icingaweb2
icingaweb2-common (1 bugs: 0, 0, 1, 0)
icingaweb2-module-doc
icingaweb2-module-monitoring
php-icinga

action needed

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2021-32746: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
CVE-2021-32747: Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it's possible to setup protection rules and blacklists in a user's role. Protection rules result in `***` being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists however have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question.

Created: 2021-07-13 Last update: 2021-09-15 11:00

lintian reports 8 warnings normal

Lintian reports 8 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-09-06 Last update: 2021-09-06 18:32

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2021-09-16 Last update: 2021-09-16 02:03

2 low-priority security issues in buster low

There are 2 open security issues in buster.

2 issues left for the package maintainer to handle:

CVE-2021-32746: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
CVE-2021-32747: (needs triaging) Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it's possible to setup protection rules and blacklists in a user's role. Protection rules result in `***` being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists however have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-07-13 Last update: 2021-09-15 11:00

testing migrations

excuses:
- Migrates after: icinga-php-library, icinga-php-thirdparty
- Migration status for icingaweb2 (2.8.5-1 to 2.9.3-1): Waiting for test results, another package or too young (no action required now - check later)
- Issues preventing migration:
- Too young, only 4 of 5 days old
- Depends: icingaweb2 icinga-php-library
- Depends: icingaweb2 icinga-php-thirdparty
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/i/icingaweb2.html
- Not considered

news

[rss feed]

[2021-09-15] Accepted icingaweb2 2.9.3-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2021-09-14] Accepted icingaweb2 2.9.3-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2021-08-31] icingaweb2 2.8.5-1 MIGRATED to testing (Debian testing watch)
[2021-08-25] Accepted icingaweb2 2.8.5-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2021-08-21] icingaweb2 2.8.4-1 MIGRATED to testing (Debian testing watch)
[2021-08-15] Accepted icingaweb2 2.8.4-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2021-07-31] Accepted icingaweb2 2.8.4-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2021-07-14] Accepted icingaweb2 2.8.3-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-12-23] icingaweb2 2.8.2-2 MIGRATED to testing (Debian testing watch)
[2020-12-18] Accepted icingaweb2 2.8.2-2 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-12-18] Accepted icingaweb2 2.8.2-2~exp2 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-12-14] Accepted icingaweb2 2.8.2-2~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-08-25] icingaweb2 2.8.2-1 MIGRATED to testing (Debian testing watch)
[2020-08-24] Accepted icingaweb2 2.4.1-1+deb9u1 (source) into oldstable (Roberto C. Sanchez)
[2020-08-24] Accepted icingaweb2 2.6.2-3+deb10u1 (source all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
[2020-08-23] Accepted icingaweb2 2.6.2-3+deb10u1 (source all) into stable->embargoed, stable (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
[2020-08-22] Accepted icingaweb2 2.8.2-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-07-05] icingaweb2 2.8.1-1 MIGRATED to testing (Debian testing watch)
[2020-06-30] Accepted icingaweb2 2.8.1-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-06-14] icingaweb2 2.8.0-1 MIGRATED to testing (Debian testing watch)
[2020-06-09] Accepted icingaweb2 2.8.0-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-04-18] Accepted icingaweb2 2.8.0~rc1-1~exp2 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2020-03-15] Accepted icingaweb2 2.8.0~rc1-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2019-10-24] icingaweb2 2.7.3-1 MIGRATED to testing (Debian testing watch)
[2019-10-19] Accepted icingaweb2 2.7.3-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2019-08-21] icingaweb2 2.7.1-1 MIGRATED to testing (Debian testing watch)
[2019-08-16] Accepted icingaweb2 2.7.1-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2019-08-05] icingaweb2 2.7.0-1 MIGRATED to testing (Debian testing watch)
[2019-07-31] Accepted icingaweb2 2.7.0-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2019-07-13] icingaweb2 2.6.3-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 3
RC: 0
I&N: 1
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 8)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 66)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.8.2-2
4 bugs