Releases: Icinga/icingaweb2
Icinga Web Version 2.12.1
What's New in Version 2.12.1
You can find all issues related to this release on our Roadmap.
PHP 8.3 Support
This time we're a little ahead for once. PHP 8.3 is due in a week, and we are compatible with it now! There's not much else to say about it, so let's continue with the fixes.
- Support for PHP 8.3 #5136
Fixes
You may have noticed a dashboard endlessly loading in the morning after you got to work again. The web server may also have stopped that with a complaint about a too long URL. This is now fixed and the dashboard should appear as usual. Then there was an issue with our support for PostgreSQL. We learned it the hard way to avoid such already in the past again and again. Though, this one slipped through our thorough testing and prevented some from successfully migrating the database schema. It's fixed now. Another fixed issue, is that the UI looks somewhat skewed if you have CSP enabled and logged out and in again.
Icinga Web Version 2.12.0
What's New in Version 2.12.0
You can find all issues related to this release on our Roadmap.
PHP 8.2 Support
This release finally adds support for the latest version of PHP, 8.2. This means that installations on Debian Bookworm, Ubuntu 23.10 and Fedora 38+ can now install Icinga Web without worrying about PHP related incompatibilities. Some of our other modules still require an update, which they will receive in the coming weeks. Next week Icinga DB Web will follow. Icinga Certificate Monitoring, Icinga Business Process Modeling and Icinga Reporting the weeks after.
- Support for PHP 8.2 #4918
Simplified Database Migrations
Anyone who already performed an upgrade of Icinga Web or some Icinga Web module in the past has done it: A database schema upgrade. This usually involved the following steps:
- Knowing that a database might need an upgrade
- Figuring out if that's true, by checking the upgrade documentation
- Alternatively relying on the users to find out about it as they're running into database errors
- Locating the upgrade file
- Connecting to the machine the database is running on
- Transferring the upgrade file over
- Importing the upgrade file into the correct database
With Icinga Web v2.12 and later, upgrade the application and, yes, still check the upgrade documentation. That's still mandatory! But if you notice there, that just a database upgrade is necessary you can simply log in and check the Migrations section in the System menu. With a single additional click you can perform the database upgrade directly in the UI then. This view also offers to migrate module databases. The earlier mentioned updates of Icinga Certificate Monitoring and Icinga Reporting will pop up there once they arrive.
- Provide a way to easily perform database migrations #5043
Content-Security-Policy Conformance
Err, what? That's an HTTP header to prevent cross site scripting attacks. (XSS) Still confused? It's a technique to stop bad individuals. A very effective technique even. You don't need to do anything, other than visiting the general configuration of Icinga Web and enabling the respective setting. The only downer here, is that support for it isn't as widespread yet as you might hope. Icinga Web itself of course has it, but not all modules. But don't worry, you might have guessed it already, those are the same modules which will receive updates in the coming weeks.
- Support for Content-Security-Policy #4528
Other Notable Changes
There are not only such big changes as previously mentioned part of this release.
Some module developers may be happy to hear that there is now more control for the server over the UI possible. And with a new Javascript event it is now possible to react upon a column's content being moved to another column. Now built-in into the framework is also an easy way to mark content in the UI as being copiable with a single click by the user.
- Allow to initiate a refresh with
__REFRESH__#5108 - Don't refresh twice upon
__CLOSE__#5106 - Add event
column-moved#5049 - Add copy-to-clipboard behavior #5041
Then there are some fixes related to other integrations. It is now possible to set up resources for Oracle databases, without a host setting, which facilitate dynamic host name resolution. A part of the monitoring module's integration into the Icinga Certificate Monitoring prevents a crash of its collector daemon in case the connection to the IDO was interrupted. And exported content, with data that has double quotes, to CSV is now correctly escaped.
Icinga Web Version 2.11.4
What's New in Version 2.11.4
You can find all issues related to this release on our Roadmap.
Notable Fixes
- Add/Edit dashlet not possible #4970
- Custom library path + custom library, without slash in its name, results in exception #4971
- Reflected XSS vulnerability in User Backends config page #4979
Changes in Packaging
- The location of schema files has changed. Upgrade scripts, for example, can be found at /usr/share/icingaweb2/schema/-upgrades/. Older versions install these files to /usr/share/doc/icingaweb2/schema/-upgrades/ for RPM-based systems and /usr/share/icingaweb2/etc/schema/*-upgrades/ for Debian or Ubuntu.
Icinga Web Version 2.10.5
What's New in Version 2.10.5
Please see the release notes for v2.11.4 for details.
Icinga Web Version 2.9.9
What's New in Version 2.9.9
Please see the release notes for v2.11.4 for details.
Icinga Web Version 2.11.3
What's New in Version 2.11.3
Notice: This is a security release. It is recommended to upgrade immediately.
You can find all issues related to this release on our Roadmap.
Minor to Medium Vulnerabilities
In late November we received multiple security vulnerability reports. They are listed below in order of severity where you can also find further notes:
-
Open Redirects for logged in users #4945
This one is quite old, though got worse and easier to exploit since v2.9. It is for this reason that this fix has been backported all the way down to v2.9.8. It can be used to exploit incautious users, no matter their browser and its security settings. They need to click a specifically crafted link (in the easiest form) and log in to Icinga Web by filling in their access credentials. If they're already logged in, (due to an existing session or SSO) the browser prevents the exploit from happening. We encourage you to update to the latest release as soon as possible to mitigate any potential harm. -
SSH Resource Configuration form XSS Bug #4947
Dashlets allow the user to run Javascript code #4959
These two are very similar. Both revolve around Javascript getting injected by logged in users interacting with forms. The SSH resource configuration requires configuration access though and, since custom dashlets are only shown to the user who created them, the dashlet configuration cannot affect other users. Note that both interactions cannot be initiated externally by CSRF, the forms are protected against this. Because of this we assess the severity of these two very low. -
Role member suggestion endpoint is reachable for unauthorized users #4961
This is more a case of missing authorization checks than a full fledged security flaw. But nevertheless, it allows any logged-in user, by use of a manually crafted request, to retrieve the names of all available users and usergroups.
The More Usual Dose of Fixes
-
Browser print dialog result broken #4957
If you tried to export a view using the browser's builtin print dialog, (e.g. Ctrl+P) you may have noticed a degradation of fanciness since the update to v2.10. This looks nicer than ever now. -
Shared navigation items are not accessible #4953
Since v2.11.0 the shared navigation overview hasn't been accessible using the configuration menu. It is now accessible again. -
While using dropdown filter menu it gets closed automatically due to autorefresh #4942
Are you annoyed by the filter editor repeatedly closing the column selection while you're looking for something? We have you covered with a fix for this and the column selection should stay open as long as you don't click anywhere else.
Icinga Web Version 2.10.4
What's New in Version 2.10.4
Notice: This is a security release. It is recommended to upgrade immediately.
Please see the release notes for v2.11.3 for details.
Icinga Web Version 2.9.8
What's New in Version 2.9.8
Notice: This is a security release. It is recommended to upgrade immediately.
Please see the release notes for v2.11.3 for details.
Icinga Web Version 2.11.2
What's New in Version 2.11.2
You can find all issues related to this release on our Roadmap.
It brings performance improvements and general fixes. Most notable of which are that having e.g. notifications disabled globally is now visible in the menu again and that the event history is grouped by days again.