Release version 2.11.3

AUTHORS

@@ -91,6 +91,7 @@ Mikesch-mp <Mikesch-mp@koebbes.de>
 Mikko Peltokangas <mikko@peltokangas.org>
 moreamazingnick <github@nicolas-schneider.at>
 mrdsam <69315803+mrdsam@users.noreply.github.com>
+mrzo2s45 <dominik.lueffe@komm.one>
 Munzir Taha <munzirtaha@gmail.com>
 Nicolai Buchwitz <nicolai.buchwitz@enda.eu>
 Niko Martini <niko.martini@netways.de>

CHANGELOG.md

@@ -4,6 +4,53 @@ Please make sure to always read our [Upgrading](doc/80-Upgrading.md) documentati
 
 ## What's New
 
+### What's New in Version 2.11.3
+
+**Notice**: This is a security release. It is recommended to upgrade immediately.
+
+You can find all issues related to this release on our [Roadmap](https://github.com/Icinga/icingaweb2/milestone/77?closed=1).
+
+#### Minor to Medium Vulnerabilities
+
+In late November we received multiple security vulnerability reports. They are listed below in order of severity
+where you can also find further notes:
+
+* Open Redirects for logged in users [#4945](https://github.com/Icinga/icingaweb2/issues/4945)
+  This one is quite old, though got worse and easier to exploit since v2.9. It is for this reason that
+  this fix has been backported all the way down to v2.9.8. It can be used to exploit incautious users,
+  no matter their browser and its security settings. They need to click a specifically crafted link
+  (in the easiest form) and log in to Icinga Web by filling in their access credentials. If they're
+  already logged in, (due to an existing session or SSO) the browser prevents the exploit from happening.
+  We encourage you to update to the latest release as soon as possible to mitigate any potential harm.
+
+* SSH Resource Configuration form XSS Bug [#4947](https://github.com/Icinga/icingaweb2/issues/4947)
+  Dashlets allow the user to run Javascript code [#4959](https://github.com/Icinga/icingaweb2/issues/4959)
+  These two are very similar. Both revolve around Javascript getting injected by logged in users
+  interacting with forms. The SSH resource configuration requires configuration access though and, since
+  custom dashlets are only shown to the user who created them, the dashlet configuration cannot affect
+  other users. Note that both interactions cannot be initiated externally by CSRF, the forms are protected
+  against this. Because of this we assess the severity of these two very low.
+
+* Role member suggestion endpoint is reachable for unauthorized users [#4961](https://github.com/Icinga/icingaweb2/issues/4961)
+  This is more a case of missing authorization checks than a full fledged security flaw. But nevertheless,
+  it allows any logged-in user, by use of a manually crafted request, to retrieve the names of all available
+  users and usergroups.
+
+#### The More Usual Dose of Fixes
+
+* Browser print dialog result broken [#4957](https://github.com/Icinga/icingaweb2/issues/4957)
+  If you tried to export a view using the browser's builtin print dialog, (e.g. Ctrl+P) you may have
+  noticed a degradation of fanciness since the update to v2.10. This looks nicer than ever now.
+
+* Shared navigation items are not accessible [#4953](https://github.com/Icinga/icingaweb2/issues/4953)
+  Since v2.11.0 the shared navigation overview hasn't been accessible using the configuration menu.
+  It is now accessible again.
+
+* While using dropdown filter menu it gets closed automatically due to autorefresh [#4942](https://github.com/Icinga/icingaweb2/issues/4942)
+  Are you annoyed by the filter editor repeatedly closing the column selection while you're looking for
+  something? We have you covered with a fix for this and the column selection should stay open as long
+  as you don't click anywhere else.
+
 ### What's New in Version 2.11.2
 
 You can find all issues related to this release on our [Roadmap](https://github.com/Icinga/icingaweb2/milestone/76?closed=1).

VERSION

@@ -1 +1 @@
-v2.11.2
+v2.11.3

library/Icinga/Application/Version.php

@@ -8,7 +8,7 @@
  */
 class Version
 {
-    const VERSION = '2.11.2';
+    const VERSION = '2.11.3';
 
     /**
      * Get the version of this instance of Icinga Web 2

modules/doc/module.info

@@ -1,4 +1,4 @@
 Module: doc
-Version: 2.11.2
+Version: 2.11.3
 Description: Documentation module
  Extracts, shows and exports documentation for Icinga Web 2 and its modules.

modules/migrate/module.info

@@ -1,5 +1,5 @@
 Module: migrate
-Version: 2.11.2
+Version: 2.11.3
 Description: Migrate module
  This module was introduced with the domain-aware authentication feature in version 2.5.0.
  It helps you migrating users and user configurations according to a given domain.

modules/monitoring/module.info

@@ -1,5 +1,5 @@
 Module: monitoring
-Version: 2.11.2
+Version: 2.11.3
 Description: Icinga monitoring module
  IDO accessor and UI for your monitoring. This is the initial instalment for a
  graphical presentation of Icinga environments. The predecessor of Icinga DB.

modules/setup/module.info

@@ -1,5 +1,5 @@
 Module: setup
-Version: 2.11.2
+Version: 2.11.3
 Description: Setup module
  Web based wizard for setting up Icinga Web 2 and its modules.
  This includes the data backends (e.g. relational database, LDAP),

modules/test/module.info

@@ -1,5 +1,5 @@
 Module: test
-Version: 2.11.2
+Version: 2.11.3
 Description: Translation module
  This module allows developers to run (unit) tests against Icinga Web 2 and
  any of its modules. Usually you do not need to enable this.

modules/translation/module.info

@@ -1,5 +1,5 @@
 Module: translation
-Version: 2.11.2
+Version: 2.11.3
 Description: Translation module
  This module allows developers and translators to translate modules for multiple
  languages. You do not need this module to run an internationalized web frontend.