openSUSE-SU-2020:0067-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2020:0067-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2020:0067-1
Related
Published
2020-01-16T15:12:13Z
Modified
2020-01-16T15:12:13Z
Summary
Security update for icingaweb2
Details

This update for icingaweb2 to version 2.7.3 fixes the following issues:

icingaweb2 update to 2.7.3:

  • Fixed an issue where servicegroups for roles with filtered objects were not available

icingaweb2 update to 2.7.2:

  • Performance imrovements and bug fixes

icingaweb2 update to 2.7.1:

  • Highlight links in the notes of an object
  • Fixed an issue where sort rules were no longer working
  • Fixed an issue where statistics were shown with an anarchist way
  • Fixed an issue where wildcards could no show results

icingaweb2 update to 2.7.0:

  • New languages support
  • Now module developers got additional ways to customize Icinga Web 2
  • UI enhancements

icingaweb2 update to 2.6.3:

  • Fixed various issues with LDAP
  • Fixed issues with timezone
  • UI enhancements
  • Stability fixes

icingaweb2 update to 2.6.2:

You can find issues and features related to this release on our Roadmap. This bugfix release addresses the following topics:

  • Database connections to MySQL 8 no longer fail
  • LDAP connections now have a timeout configuration which defaults to 5 seconds
  • User groups are now correctly loaded for externally authenticated users
  • Filters are respected for all links in the host and service group overviews
  • Fixed permission problems where host and service actions provided by modules were missing
  • Fixed an SQL error in the contact list view when filtering for host groups
  • Fixed time zone (DST) detection
  • Fixed the contact details view if restrictions are active
  • Doc parser and documentation fixes

Fix security issues:

  • CVE-2018-18246: fixed an CSRF in moduledisable (boo#1119784)
  • CVE-2018-18247: fixed an XSS via /icingaweb2/navigation/add (boo#1119785)
  • CVE-2018-18248: fixed an XSS attack is possible via query strings or a dir parameter (boo#1119801)
  • CVE-2018-18249: fixed an injection of PHP ini-file directives involves environment variables as channel to send out information (boo#1119799)

  • CVE-2018-18250: fixed parameters that can break navigation dashlets (boo#1119800)

  • Remove setuid from new upstream spec file for following dirs:

    /etc/icingaweb2, /etc/icingaweb/modules, /etc/icingaweb2/modules/setup, /etc/icingaweb2/modules/translation, /var/log/icingaweb2

icingaweb2 updated to 2.6.1:

  • You can find issues and features related to this release on our Roadmap.
  • The command audit now logs a command's payload as JSON which fixes a bug that has been introduced in version 2.6.0.

icingaweb2 was updated to 2.6.0:

  • You can find issues and features related to this release on our Roadmap.

    • Enabling you to do stuff you couldn't before
      • Support for PHP 7.2 added
      • Support for SQLite resources added
      • Login and Command (monitoring) auditing added with the help of a dedicated module
      • Pluginoutput rendering is now hookable by modules which allows to render custom icons, emojis and .. cute kitties :octocat:
    • Avoiding that you miss something
      • It's now possible to toggle between list- and grid-mode for the host- and servicegroup overviews
      • The servicegrid now supports to flip its axes which allows it to be put into a landscape mode
      • Contacts only associated with services are visible now when restricted based on host filters
      • Negated and combined membership filters now work as expected (#2934)
      • A more prominent error message in case the monitoring backend goes down
      • The filter editor doesn't get cleared anymore upon hitting Enter
    • Making your life a bit easier
      • The tactical overview is now filterable and can be safely put into the dashboard
      • It is now possible to register new announcements over the REST Api
      • Filtering for custom variables now works in UTF8 environments
    • Ensuring you understand everything
      • The monitoring health is now beautiful to look at and properly behaves in narrow environments
      • Updated German localization
      • Updated Italian localization
    • Freeing you from unrealiable things
      • Removed support for PHP < 5.6
      • Removed support for persistent database connections
References

Affected packages

SUSE:Package Hub 12 / icingaweb2

Package

Name
icingaweb2
Purl
pkg:rpm/suse/icingaweb2&distro=SUSE%20Package%20Hub%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.3-bp151.5.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "icingaweb2-common": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-HTMLPurifier": "2.7.3-bp151.5.3.1",
            "php-Icinga": "2.7.3-bp151.5.3.1",
            "icingacli": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-JShrink": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-lessphp": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-Parsedown": "2.7.3-bp151.5.3.1",
            "icingaweb2": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-dompdf": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-zf1": "2.7.3-bp151.5.3.1"
        }
    ]
}

SUSE:Package Hub 15 / icingaweb2

Package

Name
icingaweb2
Purl
pkg:rpm/suse/icingaweb2&distro=SUSE%20Package%20Hub%2015

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.3-bp151.5.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "icingaweb2-common": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-HTMLPurifier": "2.7.3-bp151.5.3.1",
            "php-Icinga": "2.7.3-bp151.5.3.1",
            "icingacli": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-JShrink": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-lessphp": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-Parsedown": "2.7.3-bp151.5.3.1",
            "icingaweb2": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-dompdf": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-zf1": "2.7.3-bp151.5.3.1"
        }
    ]
}

SUSE:Package Hub 15 SP1 / icingaweb2

Package

Name
icingaweb2
Purl
pkg:rpm/suse/icingaweb2&distro=SUSE%20Package%20Hub%2015%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.3-bp151.5.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "icingaweb2-common": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-HTMLPurifier": "2.7.3-bp151.5.3.1",
            "php-Icinga": "2.7.3-bp151.5.3.1",
            "icingacli": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-JShrink": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-lessphp": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-Parsedown": "2.7.3-bp151.5.3.1",
            "icingaweb2": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-dompdf": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-zf1": "2.7.3-bp151.5.3.1"
        }
    ]
}

openSUSE:Leap 15.0 / icingaweb2

Package

Name
icingaweb2
Purl
pkg:rpm/opensuse/icingaweb2&distro=openSUSE%20Leap%2015.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.3-bp151.5.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "icingaweb2-common": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-HTMLPurifier": "2.7.3-bp151.5.3.1",
            "php-Icinga": "2.7.3-bp151.5.3.1",
            "icingacli": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-JShrink": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-lessphp": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-Parsedown": "2.7.3-bp151.5.3.1",
            "icingaweb2": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-dompdf": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-zf1": "2.7.3-bp151.5.3.1"
        }
    ]
}

openSUSE:Leap 15.1 / icingaweb2

Package

Name
icingaweb2
Purl
pkg:rpm/opensuse/icingaweb2&distro=openSUSE%20Leap%2015.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.3-bp151.5.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "icingaweb2-common": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-HTMLPurifier": "2.7.3-bp151.5.3.1",
            "php-Icinga": "2.7.3-bp151.5.3.1",
            "icingacli": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-JShrink": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-lessphp": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-Parsedown": "2.7.3-bp151.5.3.1",
            "icingaweb2": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-dompdf": "2.7.3-bp151.5.3.1",
            "icingaweb2-vendor-zf1": "2.7.3-bp151.5.3.1"
        }
    ]
}