From 27dc5f5e32f035bae6d3e84b40838de0d2bc1676 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Thu, 8 Dec 2022 11:49:23 +0100 Subject: [PATCH 1/3] Update AUTHORS --- AUTHORS | 1 + 1 file changed, 1 insertion(+) diff --git a/AUTHORS b/AUTHORS index 99aff2f8b7..6e7fa97e14 100644 --- a/AUTHORS +++ b/AUTHORS @@ -91,6 +91,7 @@ Mikesch-mp Mikko Peltokangas moreamazingnick mrdsam <69315803+mrdsam@users.noreply.github.com> +mrzo2s45 Munzir Taha Nicolai Buchwitz Niko Martini From 5ae72c792c0ce6bbf40208d09360e34d3e1f93ae Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Tue, 13 Dec 2022 08:59:38 +0100 Subject: [PATCH 2/3] Update CHANGELOG.md --- CHANGELOG.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ff5b5eff0..4060dd191a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,53 @@ Please make sure to always read our [Upgrading](doc/80-Upgrading.md) documentati ## What's New +### What's New in Version 2.11.3 + +**Notice**: This is a security release. It is recommended to upgrade immediately. + +You can find all issues related to this release on our [Roadmap](https://github.com/Icinga/icingaweb2/milestone/77?closed=1). + +#### Minor to Medium Vulnerabilities + +In late November we received multiple security vulnerability reports. They are listed below in order of severity +where you can also find further notes: + +* Open Redirects for logged in users [#4945](https://github.com/Icinga/icingaweb2/issues/4945) + This one is quite old, though got worse and easier to exploit since v2.9. It is for this reason that + this fix has been backported all the way down to v2.9.8. It can be used to exploit incautious users, + no matter their browser and its security settings. They need to click a specifically crafted link + (in the easiest form) and log in to Icinga Web by filling in their access credentials. If they're + already logged in, (due to an existing session or SSO) the browser prevents the exploit from happening. + We encourage you to update to the latest release as soon as possible to mitigate any potential harm. + +* SSH Resource Configuration form XSS Bug [#4947](https://github.com/Icinga/icingaweb2/issues/4947) + Dashlets allow the user to run Javascript code [#4959](https://github.com/Icinga/icingaweb2/issues/4959) + These two are very similar. Both revolve around Javascript getting injected by logged in users + interacting with forms. The SSH resource configuration requires configuration access though and, since + custom dashlets are only shown to the user who created them, the dashlet configuration cannot affect + other users. Note that both interactions cannot be initiated externally by CSRF, the forms are protected + against this. Because of this we assess the severity of these two very low. 
+ +* Role member suggestion endpoint is reachable for unauthorized users [#4961](https://github.com/Icinga/icingaweb2/issues/4961) + This is more a case of missing authorization checks than a full fledged security flaw. But nevertheless, + it allows any logged-in user, by use of a manually crafted request, to retrieve the names of all available + users and usergroups. + +#### The More Usual Dose of Fixes + +* Browser print dialog result broken [#4957](https://github.com/Icinga/icingaweb2/issues/4957) + If you tried to export a view using the browser's builtin print dialog, (e.g. Ctrl+P) you may have + noticed a degradation of fanciness since the update to v2.10. This looks nicer than ever now. + +* Shared navigation items are not accessible [#4953](https://github.com/Icinga/icingaweb2/issues/4953) + Since v2.11.0 the shared navigation overview hasn't been accessible using the configuration menu. + It is now accessible again. + +* While using dropdown filter menu it gets closed automatically due to autorefresh [#4942](https://github.com/Icinga/icingaweb2/issues/4942) + Are you annoyed by the filter editor repeatedly closing the column selection while you're looking for + something? We have you covered with a fix for this and the column selection should stay open as long + as you don't click anywhere else. + ### What's New in Version 2.11.2 You can find all issues related to this release on our [Roadmap](https://github.com/Icinga/icingaweb2/milestone/76?closed=1). From d0a83a646c7ec73c5da6f03111eef103455f236a Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Tue, 13 Dec 2022 09:00:12 +0100 Subject: [PATCH 3/3] Release version 2.11.3 --- VERSION | 2 +- library/Icinga/Application/Version.php | 2 +- modules/doc/module.info | 2 +- modules/migrate/module.info | 2 +- modules/monitoring/module.info | 2 +- modules/setup/module.info | 2 +- modules/test/module.info | 2 +- modules/translation/module.info | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/VERSION b/VERSION index 49f8cce5ac..fb25671806 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v2.11.2 +v2.11.3 diff --git a/library/Icinga/Application/Version.php b/library/Icinga/Application/Version.php index 55a0dee4dc..e617f906ea 100644 --- a/library/Icinga/Application/Version.php +++ b/library/Icinga/Application/Version.php @@ -8,7 +8,7 @@ */ class Version { - const VERSION = '2.11.2'; + const VERSION = '2.11.3'; /** * Get the version of this instance of Icinga Web 2 diff --git a/modules/doc/module.info b/modules/doc/module.info index bafe26fb5a..0a59980e13 100644 --- a/modules/doc/module.info +++ b/modules/doc/module.info @@ -1,4 +1,4 @@ Module: doc -Version: 2.11.2 +Version: 2.11.3 Description: Documentation module Extracts, shows and exports documentation for Icinga Web 2 and its modules. diff --git a/modules/migrate/module.info b/modules/migrate/module.info index ebae68a6a3..9c2040e13f 100644 --- a/modules/migrate/module.info +++ b/modules/migrate/module.info @@ -1,5 +1,5 @@ Module: migrate -Version: 2.11.2 +Version: 2.11.3 Description: Migrate module This module was introduced with the domain-aware authentication feature in version 2.5.0. It helps you migrating users and user configurations according to a given domain. diff --git a/modules/monitoring/module.info b/modules/monitoring/module.info index eb5fd99512..e87884c1e8 100644 --- a/modules/monitoring/module.info +++ b/modules/monitoring/module.info @@ -1,5 +1,5 @@ Module: monitoring -Version: 2.11.2 +Version: 2.11.3 Description: Icinga monitoring module IDO accessor and UI for your monitoring. This is the initial instalment for a graphical presentation of Icinga environments. The predecessor of Icinga DB. diff --git a/modules/setup/module.info b/modules/setup/module.info index 5db2daa77f..00bade40e7 100644 --- a/modules/setup/module.info +++ b/modules/setup/module.info 
@@ -1,5 +1,5 @@ Module: setup -Version: 2.11.2 +Version: 2.11.3 Description: Setup module Web based wizard for setting up Icinga Web 2 and its modules. This includes the data backends (e.g. relational database, LDAP), diff --git a/modules/test/module.info b/modules/test/module.info index fbbae36247..4c6b1113e4 100644 --- a/modules/test/module.info +++ b/modules/test/module.info @@ -1,5 +1,5 @@ Module: test -Version: 2.11.2 +Version: 2.11.3 Description: Translation module This module allows developers to run (unit) tests against Icinga Web 2 and any of its modules. Usually you do not need to enable this. diff --git a/modules/translation/module.info b/modules/translation/module.info index c3541c4131..24ccb125c9 100644 --- a/modules/translation/module.info +++ b/modules/translation/module.info @@ -1,5 +1,5 @@ Module: translation -Version: 2.11.2 +Version: 2.11.3 Description: Translation module This module allows developers and translators to translate modules for multiple languages. You do not need this module to run an internationalized web frontend.
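Review bot: In the CHANGELOG.md hunk (`@@ -4,6 +4,53 @@`), the #4961 entry's title says "reachable for unauthorized users" while its body says "any logged-in user", which readers may take to mean unauthenticated access; suggest "users without the required permission" in the title so the impact (enumeration of all user and usergroup names by any authenticated account) is stated precisely. In the open-redirect entry, "the browser prevents the exploit from happening" for already-logged-in users sits awkwardly next to "no matter their browser and its security settings"; since the entry explains that the victim must log in for the redirect to take effect, suggest wording it as the login step being what the exploit depends on rather than something the browser does. Minor wording: "Javascript" should be "JavaScript", "full fledged" should be "full-fledged", and "builtin" should be "built-in". If security advisories or CVE identifiers have been assigned for these four issues, consider linking them next to the issue numbers so downstream packagers can match the release to them.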
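Review bot: In the VERSION hunk (`-v2.11.2` / `+v2.11.3`) and the seven companion hunks of PATCH 3/3, the version string is maintained by hand in eight places (VERSION, `const VERSION` in library/Icinga/Application/Version.php, and six module.info files); suggest adding a release-time check, for example a grep for the previous version string across the tree, so a missed file cannot ship with a stale version.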
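Review bot: In the modules/test/module.info hunk, the unchanged context line reads "Description: Translation module" directly under "Module: test", while the following sentence describes running unit tests; this looks like a copy-paste leftover from modules/translation/module.info, and since the file is being touched for the version bump anyway, suggest changing it to "Description: Test module".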