Releases: Icinga/icingaweb2
Icinga Web Version 2.9.2
What's New in Version 2.9.2
💡 This is a hotfix release. v2.9.1 included a change that wasn't compatible with PostgreSQL again. This has been fixed in this release. (#4490)
💡 I have included all the v2.9.1 release notes here again, for visibility reasons. So from here on, it's these notes now.
You can find all issues related to v2.9.1 on our Roadmap.
Please make sure to also check the respective upgrading section in the documentation.
This release is accompanied by the minor releases v2.7.6 and v2.8.4 which include the fix for the flattened custom variables.
Pancakes everywhere
One of the security fixes included in v2.7.5, v2.8.3 and v2.9.0 went rampant and let you see similarities between custom
variables and pancakes. These are gone now. Also, the login allowed some users to bake pancakes on their CPUs. However,
we'd still recommend not to. What we do recommend, is to use graphical details to ease recognition. A pancake 🥞 in
performance data labels for example.
- Nested custom variables are flattened #4439
- Disable login orb animation and all orbs for themes #4468
- SVG chart library doesn't process input as UTF-8 #4462
Staying remembered too difficult
We all have sometimes difficulties remembering people we rarely meet. Especially obvious is this on those that slip
through because they don't do the same things we do. With v2.9.0 this has happened for PostgreSQL, PHP v5.6-v7.0 and
setup wizard users. Now they get their deserved attention, and Icinga Web 2 will remember them just like all others.
- RememberMe not working with only PostgreSQL #4441
- RememberMe compatibility with php version 5.6+ #4472
- RememberMe fails after running the wizard for grants #4434
Being picky pays off
A custom datetime picker was introduced with v2.9.0. It had it's issues, but we didn't anticipate that much headwind.
After careful reconsideration, we chose to only show the custom datetime picker for Firefox and IE users. Other browsers
have their own capable enough native implementation which, in Chrome's case, may even be superior. If it is now used,
it also closes automatically and doesn't swallow unrelated key presses.
Icinga Web Version 2.9.1
What's New in Version 2.9.1
You can find all issues related to this release on our Roadmap.
Please make sure to also check the respective upgrading section in the documentation.
This release is accompanied by the minor releases v2.7.6 and v2.8.4 which include the fix for the flattened custom variables.
Pancakes everywhere
One of the security fixes included in v2.7.5, v2.8.3 and v2.9.0 went rampant and let you see similarities between custom
variables and pancakes. These are gone now. Also, the login allowed some users to bake pancakes on their CPUs. However,
we'd still recommend not to. What we do recommend, is to use graphical details to ease recognition. A pancake 🥞 in
performance data labels for example.
- Nested custom variables are flattened #4439
- Disable login orb animation and all orbs for themes #4468
- SVG chart library doesn't process input as UTF-8 #4462
Staying remembered too difficult
We all have sometimes difficulties remembering people we rarely meet. Especially obvious is this on those that slip
through because they don't do the same things we do. With v2.9.0 this has happened for PostgreSQL, PHP v5.6-v7.0 and
setup wizard users. Now they get their deserved attention, and Icinga Web 2 will remember them just like all others.
- RememberMe not working with only PostgreSQL #4441
- RememberMe compatibility with php version 5.6+ #4472
- RememberMe fails after running the wizard for grants #4434
Being picky pays off
A custom datetime picker was introduced with v2.9.0. It had it's issues, but we didn't anticipate that much headwind.
After careful reconsideration, we chose to only show the custom datetime picker for Firefox and IE users. Other browsers
have their own capable enough native implementation which, in Chrome's case, may even be superior. If it is now used,
it also closes automatically and doesn't swallow unrelated key presses.
Icinga Web 2 Version 2.8.4
What's New in Version 2.8.4
This release only contains a single fix for flattened custom variables. #4439
Icinga Web 2 Version 2.7.6
What's New in Version 2.7.6
This release only contains a single fix for flattened custom variables. #4439
Icinga Web Version 2.9.0
What's New in Version 2.9.0
You can find all issues related to this release on our Roadmap.
Please make sure to also check the respective upgrading section in the documentation.
This release is accompanied by the minor releases v2.7.5 and v2.8.3 which include the security fixes mentioned below.
Icinga DB
We continue our endeavour soon. Icinga Web 2 is still a crucial part of it and this update is again required
for Icinga DB. If you like to participate again, don't forget to update Icinga Web 2 as well.
Security Fixes
This release includes two security related fixes. Both were published as part of a security advisory on Github.
They allow the circumvention of custom variable protection rules and blacklists as well as a path traversal if
the doc module is enabled. Please check the respective advisory for details.
- Custom variable protection and blacklists can be circumvented GHSA-2xv9-886q-p7xx
- Possible path traversal by use of the
docmodule GHSA-cmgc-h4cx-3v43
RBAC, The Elephant In Icinga Web 2
Role Based Access Control, for the non-initiated. I'll make it short: Permission refusals, Role inheritance,
Privilege Audit. Icinga DB will also solve the long-standing issue #2455 and also allows #3349 and #3550.
I've also written a blog post about this very topic: https://icinga.com/blog/2021/04/07/web-access-control-redefined/
- Authorization enhancements #4306
- Audit View #4336
- Highlight modules with permissions set inside a role #4241
Support for PHP 8
PHP 8 is released and with Icinga Web 2.9 it will now (hopefully) work flawlessly. We also took the chance
to prepare to drop the support of some legacy PHP versions. We now require PHP 7.3 at a minimum and all
versions below that will not be supported anymore with the release of v2.11.
Stay, Be Remembered
Have you ever been disappointed that Icinga Web 2 always forgets you after closing your browser? This is in
your hands now! Just tick the new checkbox on the login screen and Icinga Web 2 doesn't forget your presence
anymore. Unless of course the administrator or you on a different device clears your session.
- Implement a "remember me" feature #2495
It Does Matter, When
Browsers are bad when it's about date and time inputs. (I'm looking at you Mozilla!) Now we've given our hopes
up and use a specifically invented solution to show you a date and time picker throughout every browser. With
Icinga v2.13 onwards you will also be able to use this when defining an expiry date for comments! Though, you
might not necessarily use it that often once you've configured new custom defaults for downtime endings.
Icinga Web 2 Version 2.8.3
What's New in Version 2.8.3
Notice: This is a security release. It is recommended to upgrade to this release if you don't plan to upgrade to v2.9.0.
You can find all fixes related to this release on our Project.
Security Fixes
This release includes two security related fixes. Both were published as part of a security advisory on Github.
They allow the circumvention of custom variable protection rules and blacklists as well as a path traversal if
the doc module is enabled. Please check the respective advisory for details.
- Custom variable protection and blacklists can be circumvented GHSA-2xv9-886q-p7xx
- Possible path traversal by use of the
docmodule GHSA-cmgc-h4cx-3v43
Icinga Web 2 Version 2.7.5
What's New in Version 2.7.5
Notice: This is a security release. It is recommended to upgrade to this release if you don't plan to upgrade to v2.9.0.
You can find all fixes related to this release on our Project.
Security Fixes
This release includes two security related fixes. Both were published as part of a security advisory on Github.
They allow the circumvention of custom variable protection rules and blacklists as well as a path traversal if
the doc module is enabled. Please check the respective advisory for details.
- Custom variable protection and blacklists can be circumvented GHSA-2xv9-886q-p7xx
- Possible path traversal by use of the
docmodule GHSA-cmgc-h4cx-3v43
Icinga Web 2 v2.8.2
What's New in Version 2.8.2
Notice: This is a security release. It is recommended to immediately upgrade to this release.
You can find all issues related to this release on the respective milestone.
Path Traversal Vulnerability
The vulnerability in question allows an attacker to access arbitrary files which are readable by the process running Icinga Web 2. Technical details can be found at the corresponding CVE-2020-24368 and in the issue below.
- Possible path traversal when serving static image files #4226
Broken Negated Filters with PostgreSQL
We've also included a small non-security related fix. Searching for e.g. servicegroup!=support leads to an error instead of the desired result when using a PostgreSQL database.
- Single negated membership filter fails with PostgreSQL #4196
Icinga Web 2 Version 2.7.4
What's New in Version 2.7.4
Notice: This is a security release. It is recommended to immediately upgrade to this release.
Path Traversal Vulnerability
The vulnerability in question allows an attacker to access arbitrary files which are readable by the process running Icinga Web 2. Technical details can be found at the corresponding CVE-2020-24368 and in the issue below.
- Possible path traversal when serving static image files #4226
Upgrading from 2.7.x
RHEL/SLES:
yum install icingaweb2*2.7.4 icingacli-2.7.4 php-Icinga-2.7.4
Debian/Ubuntu:
apt-get upgrade icingaweb2=2.7.4-1.* icingaweb2-common=2.7.4-1.* php-icinga=2.7.4-1.*
Icinga Web 2 Version 2.6.4
What's New in Version 2.6.4
Notice: This is a security release. It is recommended to immediately upgrade to this release.
Path Traversal Vulnerability
The vulnerability in question allows an attacker to access arbitrary files which are readable by the process running Icinga Web 2. Technical details can be found at the corresponding CVE-2020-24368 and in the issue below.
- Possible path traversal when serving static image files #4226
Upgrading from 2.6.x
RHEL/SLES:
yum install icingaweb2*2.6.4 icingacli-2.6.4 php-Icinga-2.6.4
Debian/Ubuntu:
apt-get upgrade icingaweb2=2.6.4-1.* icingaweb2-common=2.6.4-1.* php-icinga=2.6.4-1.*