openSUSE Security Update: Security update for icingaweb2
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:0067-1
Rating: moderate
References: #1101357 #1119784 #1119785 #1119799 #1119800 #1119801
Cross-References: CVE-2018-18246 CVE-2018-18247 CVE-2018-18248 CVE-2018-18249 CVE-2018-18250
Affected Products:
openSUSE Leap 15.1
openSUSE Leap 15.0
openSUSE Backports SLE-15-SP1
openSUSE Backports SLE-15
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________
An update that solves 5 vulnerabilities and has one erratum is now available.
Description:
This update for icingaweb2 to version 2.7.3 fixes the following issues:
icingaweb2 update to 2.7.3:
* Fixed an issue where servicegroups for roles with filtered objects were not available
icingaweb2 update to 2.7.2:
* Performance improvements and bug fixes
icingaweb2 update to 2.7.1:
* Highlight links in the notes of an object
* Fixed an issue where sort rules were no longer working
* Fixed an issue where statistics were shown in a disordered way
* Fixed an issue where wildcard filters could return no results
icingaweb2 update to 2.7.0:
* Support for new languages
* Module developers now have additional ways to customize Icinga Web 2
* UI enhancements
icingaweb2 update to 2.6.3:
* Fixed various issues with LDAP
* Fixed time zone issues
* UI enhancements
* Stability fixes
icingaweb2 update to 2.6.2:
You can find issues and features related to this release on our Roadmap.
This bugfix release addresses the following topics:
* Database connections to MySQL 8 no longer fail
* LDAP connections now have a timeout configuration which defaults to 5 seconds
* User groups are now correctly loaded for externally authenticated users
* Filters are respected for all links in the host and service group overviews
* Fixed permission problems where host and service actions provided by modules were missing
* Fixed an SQL error in the contact list view when filtering for host groups
* Fixed time zone (DST) detection
* Fixed the contact details view if restrictions are active
* Doc parser and documentation fixes
Fix security issues:
– CVE-2018-18246: fixed a CSRF vulnerability in the moduledisable action (boo#1119784)
– CVE-2018-18247: fixed an XSS vulnerability via /icingaweb2/navigation/add (boo#1119785)
– CVE-2018-18248: fixed an XSS vulnerability reachable via query strings or the dir parameter (boo#1119801)
– CVE-2018-18249: fixed an injection of PHP ini-file directives that used environment variables as a channel to leak information (boo#1119799)
– CVE-2018-18250: fixed parameters that could break navigation dashlets (boo#1119800)
– Removed the setuid bit, introduced by the new upstream spec file, from the following directories:
/etc/icingaweb2, /etc/icingaweb/modules, /etc/icingaweb2/modules/setup,
/etc/icingaweb2/modules/translation, /var/log/icingaweb2
icingaweb2 updated to 2.6.1:
– You can find issues and features related to this release on our [Roadmap](https://github.com/Icinga/icingaweb2/milestone/51?closed=1).
– The command audit now logs a command’s payload as JSON, which fixes a [bug](https://github.com/Icinga/icingaweb2/issues/3535) that was introduced in version 2.6.0.
icingaweb2 was updated to 2.6.0:
– You can find issues and features related to this release on our Roadmap.
* Enabling you to do stuff you couldn’t before
– Support for PHP 7.2 added
– Support for SQLite resources added
– Login and Command (monitoring) auditing added with the help of a dedicated module
– Plugin output rendering is now hookable by modules, which allows rendering custom icons, emojis and .. cute kitties :octocat:
* Avoiding that you miss something
– It’s now possible to toggle between list and grid mode for the host and servicegroup overviews
– The service grid can now flip its axes, which allows it to be put into a landscape mode
– Contacts only associated with services are now visible when restricted based on host filters
– Negated and combined membership filters now work as expected (#2934)
– A more prominent error message in case the monitoring backend goes down
– The filter editor doesn’t get cleared anymore upon hitting Enter
* Making your life a bit easier
– The tactical overview is now filterable and can be safely put into the dashboard
– It is now possible to register new announcements over the REST API
– Filtering for custom variables now works in UTF-8 environments
* Ensuring you understand everything
– The monitoring health is now beautiful to look at and properly behaves in narrow environments
– Updated German localization
– Updated Italian localization
* Freeing you from unreliable things
– Removed support for PHP < 5.6
– Removed support for persistent database connections
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
– openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-67=1
– openSUSE Leap 15.0:
zypper in -t patch openSUSE-2020-67=1
– openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2020-67=1
– openSUSE Backports SLE-15:
zypper in -t patch openSUSE-2020-67=1
– SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2020-67=1
Package List:
– openSUSE Leap 15.1 (noarch):
icingacli-2.7.3-lp151.6.5.1
icingaweb2-2.7.3-lp151.6.5.1
icingaweb2-common-2.7.3-lp151.6.5.1
icingaweb2-vendor-HTMLPurifier-2.7.3-lp151.6.5.1
icingaweb2-vendor-JShrink-2.7.3-lp151.6.5.1
icingaweb2-vendor-Parsedown-2.7.3-lp151.6.5.1
icingaweb2-vendor-dompdf-2.7.3-lp151.6.5.1
icingaweb2-vendor-lessphp-2.7.3-lp151.6.5.1
icingaweb2-vendor-zf1-2.7.3-lp151.6.5.1
php-Icinga-2.7.3-lp151.6.5.1
– openSUSE Leap 15.0 (noarch):
icingacli-2.7.3-lp150.4.7.1
icingaweb2-2.7.3-lp150.4.7.1
icingaweb2-common-2.7.3-lp150.4.7.1
icingaweb2-vendor-HTMLPurifier-2.7.3-lp150.4.7.1
icingaweb2-vendor-JShrink-2.7.3-lp150.4.7.1
icingaweb2-vendor-Parsedown-2.7.3-lp150.4.7.1
icingaweb2-vendor-dompdf-2.7.3-lp150.4.7.1
icingaweb2-vendor-lessphp-2.7.3-lp150.4.7.1
icingaweb2-vendor-zf1-2.7.3-lp150.4.7.1
php-Icinga-2.7.3-lp150.4.7.1
– openSUSE Backports SLE-15-SP1 (noarch):
icingacli-2.7.3-bp151.5.3.1
icingaweb2-2.7.3-bp151.5.3.1
icingaweb2-common-2.7.3-bp151.5.3.1
icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1
icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1
icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1
icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1
icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1
icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1
php-Icinga-2.7.3-bp151.5.3.1
– openSUSE Backports SLE-15 (noarch):
icingacli-2.7.3-bp150.2.7.1
icingaweb2-2.7.3-bp150.2.7.1
icingaweb2-common-2.7.3-bp150.2.7.1
icingaweb2-vendor-HTMLPurifier-2.7.3-bp150.2.7.1
icingaweb2-vendor-JShrink-2.7.3-bp150.2.7.1
icingaweb2-vendor-Parsedown-2.7.3-bp150.2.7.1
icingaweb2-vendor-dompdf-2.7.3-bp150.2.7.1
icingaweb2-vendor-lessphp-2.7.3-bp150.2.7.1
icingaweb2-vendor-zf1-2.7.3-bp150.2.7.1
php-Icinga-2.7.3-bp150.2.7.1
– SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):
icingacli-2.7.3-9.1
icingaweb2-2.7.3-9.1
icingaweb2-common-2.7.3-9.1
icingaweb2-vendor-HTMLPurifier-2.7.3-9.1
icingaweb2-vendor-JShrink-2.7.3-9.1
icingaweb2-vendor-Parsedown-2.7.3-9.1
icingaweb2-vendor-dompdf-2.7.3-9.1
icingaweb2-vendor-lessphp-2.7.3-9.1
icingaweb2-vendor-zf1-2.7.3-9.1
php-Icinga-2.7.3-9.1
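As an added example (not part of the openSUSE advisory or the Icinga project), a POSIX shell script a defender can run on an Icinga Web 2 host after applying this patch: it compares the installed package versions against the fixed upstream version 2.7.3 and reports any of the directories named in the description that still carry a setuid or setgid bit. The rpm query output embedded below is constructed sample data; the comment shows the rpm command that produces the real input.

```shell
#!/bin/sh
# Added post-update check for an Icinga Web 2 host (not from the advisory). The fixed
# version and directory list come from the advisory; the rpm output below is constructed.
FIXED_VERSION="2.7.3"
# Return 0 when dotted numeric version $1 is >= $2 (e.g. 2.7.10 >= 2.7.3).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}
# $1 holds lines of "name version-release", as produced on the real host by:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' icingaweb2 icingacli php-Icinga
# Prints each package still below FIXED_VERSION; returns 0 only when all are patched.
unpatched_packages() {
    out=$(printf '%s\n' "$1" | while read -r name vr; do
        [ -n "$name" ] || continue
        version_ge "${vr%%-*}" "$FIXED_VERSION" || printf '%s %s\n' "$name" "$vr"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
# Print each advisory-listed directory that still carries a setuid or setgid bit.
# $1 is an optional root prefix (empty on a real host; a temp dir when testing).
suid_dirs() {
    for d in /etc/icingaweb2 /etc/icingaweb/modules /etc/icingaweb2/modules/setup \
             /etc/icingaweb2/modules/translation /var/log/icingaweb2; do
        p="${1:-}$d"
        if [ -d "$p" ] && { [ -u "$p" ] || [ -g "$p" ]; }; then printf '%s\n' "$p"; fi
    done
}
# Constructed samples: a fully patched host and one still carrying an old icingaweb2.
SAMPLE_OK="icingaweb2 2.7.3-lp151.6.5.1
icingacli 2.7.3-lp151.6.5.1
php-Icinga 2.7.3-lp151.6.5.1"
SAMPLE_OLD="icingaweb2 2.6.2-lp150.4.3.1
icingacli 2.7.3-lp150.4.7.1"
for s in "$SAMPLE_OK" "$SAMPLE_OLD"; do
    if unpatched_packages "$s"; then echo "OK: all at or above $FIXED_VERSION"; else echo "update needed"; fi
done
```

On a live host, feed the real rpm output into unpatched_packages and call suid_dirs with no prefix; any line printed is a package or directory that still needs attention.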
References:
https://www.suse.com/security/cve/CVE-2018-18246.html
https://www.suse.com/security/cve/CVE-2018-18247.html
https://www.suse.com/security/cve/CVE-2018-18248.html
https://www.suse.com/security/cve/CVE-2018-18249.html
https://www.suse.com/security/cve/CVE-2018-18250.html
https://bugzilla.suse.com/1101357
https://bugzilla.suse.com/1119784
https://bugzilla.suse.com/1119785
https://bugzilla.suse.com/1119799
https://bugzilla.suse.com/1119800
https://bugzilla.suse.com/1119801
—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org