security fixes (also affecting nagios; icinga 1.x is the old nagios-derived
branch, whereas 2.x is all new) -
* Bug #13709: CVE-2016-9566: Root priviledge escalation during log file opening
* Bug #10453: Icinga Classic-UI 1.13.3 and older are vulnerable to XSS - CVE-2015-8010
notable changes -
* Classic UI: Remove attribute based authorization (cgiauth.cfg is not parsed
any more)
* IDO: Remove deprecated config options
instructions are meant to work on a fresh install.
- easy cases: replace some '$ sudo somecommand' with '# somecommand'
(while there I've swapped some "${RCDIR}/foo start" with "rcctl foo start").
- replace some 'sudo -u user somecommand foo bar' with
'su -s /bin/sh user "/path/to/somecommand foo bar"' and similar.
Not pretty with the -s, but many of the uids that need to run
these commands have /sbin/nologin as their usual shell.
as reported by otto@. Build with -wformat to make the other two hundred
and ten of them more obvious.
(icinga2 doesn't have these problems, but we are stuck with an older
version of icinga2 as current versions fail at runtime on OpenBSD,
and a number of these problems affect the icinga1 cgis which are still
useful with 2).
* classic-ui: fix status.cgi gets stuck in loop when sorting on "All Unhandled Problems" #5886 - RB
* classic ui: Only show command expander if backend is Icinga 1.x (incompatible with Icinga 2) #6408 - MF
* classic ui: Fix CSRF protection in cmd.cgi matches only compiled in URL #6459 - MF
* classic-ui: config.cgi missing new option #6502 - RB
* cgi.cfg: Add url_cgi_path allowing to override the default '$htmurl/cgi-bin' required for CSRF checks #6459
CVE-2013-7106, CVE-2013-7107 https://dev.icinga.org/issues/5250
The icinga web gui is susceptible to several buffer overflow flaws,
which can be triggered as a logged on user. A remote attacker may
utilize a CSRF (cross site request forgery) attack vector against a
logged in user to exploit this flaw remotely.
CVE-2013-7108 https://dev.icinga.org/issues/5251
The icinga web gui are susceptible to an "off-by-one read" error
resulting from an improper assumption in the handling of user submitted
CGI parameters. [..] by sending a specially crafted cgi parameter,
the check routine can be forced to skip the terminating null pointer
and read the heap address right after the end of the parameter list.
Depending on the memory layout, this may result in a memory corruption
condition/crash or reading of sensitive memory locations.
