CVE-2018-6532: By sending specially crafted requests, authenticated and
unauthenticated, an attacker can exhaust a lot of memory on the server
side, triggering the OOM killer.
CVE-2018-6534: By sending specially crafted messages, an attacker can
cause a NULL pointer dereference, which can cause Icinga2 to crash.
CVE-2018-6535: Lack of a constant-time password comparison function can
disclose the password to an attacker.
Detailed write-up and simple crashers for the above at
https://hansmi.ch/articles/2018-03-icinga2-security
(CVE-2017-16933 and CVE-2018-6536 also in this release relate to the
init scripts that we don't use).
See https://www.icinga.com/docs/icinga2/snapshot/doc/16-upgrading-icinga-2/
- you must update the database schema (as is common for a 2.n -> 2.n+1 update) - you
don't need to do anything special with the cert location if you use the standard
icinga cli/wizards, but should update deployment tools/scripts if you use
them to provision certificates.
(Regarding cert migration: patch added to new api.conf to work around
pkg_add's behaviour of updating config files if there are no local changes).
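The timing side channel behind CVE-2018-6535, as an added example that is not code from Icinga2 or the linked write-up: an early-exit password comparison beside a constant-time one, each reporting how many bytes of the secret it inspected. The secret and guesses are constructed values.

```cpp
// Added example, not Icinga2 code: contrasts an early-exit comparison with a
// constant-time one and counts the bytes each inspects, making the timing
// channel visible without a stopwatch.
#include <cstddef>
#include <cstdint>
#include <string>

struct CompareResult {
	bool equal;       // whether the two strings matched
	size_t bytesRead; // how many bytes of `expected` were inspected
};

// Early-exit comparison (the insecure pattern). It stops at the first
// mismatch, so bytesRead, and therefore wall-clock time, grows with the
// length of the correct prefix: each byte of the secret can be confirmed
// independently of the others.
CompareResult EarlyExitCompare(const std::string& expected, const std::string& supplied)
{
	if (expected.size() != supplied.size())
		return {false, 0};
	for (size_t i = 0; i < expected.size(); ++i) {
		if (expected[i] != supplied[i])
			return {false, i + 1};
	}
	return {true, expected.size()};
}

// Constant-time comparison. Every byte of `expected` is visited and all
// differences are OR-ed into an accumulator; no branch depends on the
// secret, so bytesRead is always expected.size() regardless of the guess.
CompareResult ConstantTimeCompare(const std::string& expected, const std::string& supplied)
{
	// A length mismatch is folded into the accumulator, not returned early.
	uint8_t acc = static_cast<uint8_t>(expected.size() != supplied.size());
	for (size_t i = 0; i < expected.size(); ++i) {
		// Out-of-range guess bytes read as 0; the supplied length is known
		// to the caller anyway, so branching on it reveals nothing secret.
		uint8_t s = i < supplied.size() ? static_cast<uint8_t>(supplied[i]) : 0;
		acc |= static_cast<uint8_t>(expected[i]) ^ s;
	}
	return {acc == 0, expected.size()};
}
```

In the early-exit version a guess sharing three correct leading bytes with the secret reads four bytes while a wholly wrong guess reads one; the constant-time version reads the full secret length in every case.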
disable unity build (upstream default) everywhere; it was previously disabled on
!amd64, but the large C++ files involved are bringing my amd64 workstation to its
knees with long hangs making X unusable for many minutes at a time
security fixes (also affecting nagios; icinga 1.x is the old nagios-derived
branch, whereas 2.x is all new) -
* Bug #13709: CVE-2016-9566: Root privilege escalation during log file opening
* Bug #10453: Icinga Classic-UI 1.13.3 and older are vulnerable to XSS - CVE-2015-8010
notable changes -
* Classic UI: Remove attribute based authorization (cgiauth.cfg is not parsed
any more)
* IDO: Remove deprecated config options