Skip to content

Releases: Icinga/icingaweb2

Icinga Web Version 2.12.2

13 Nov 11:31
v2.12.2
7f9217b
Compare
Choose a tag to compare

What's New in Version 2.12.2

You can find all issues related to this release on our Roadmap.

General Fixes

Icinga Web has become quite mature over the years. Typically, only new features cause issues and require fixing. However, there is always an exception to every rule, as shown by the issue where roles were not sorted by name. We also improved the settings menu — the one that opens when hovering over the cog icon next to your name. We heard your feedback about it closing too easily and made it more user-friendly. With v2.12.0, we introduced a new security feature, the Content-Security-Policy header, which is designed to prevent cross-site scripting attacks. Ironically, we initially forgot to include the script-src policy in it.

  • Sort by name of roles does not work properly #4789
  • Settings menu flyout closes too fast / easy #5196
  • CSP header is missing the script-src policy #5180

Love For an Old Fellow

The monitoring module has been part of Icinga Web from the very beginning. Although it’s being replaced by Icinga DB Web, some of you still rely on it, which is why we continue to fix issues — even if they’re not entirely our responsibility, as the first example demonstrates. This particular issue only affects users on PHP 8.1 (> .24). The second issue, introduced by a contribution in v2.12.0, caused some history entries to disappear but was resolved with another contribution — a great example of teamwork. The third issue is also a testament to the module's age: Icinga 2 has automatically removed child downtimes since v2.13.0, and this is now accounted for in the module as well.

  • Broken event overview due to IntlDateFormatter #5172
  • Downtimes, which were started and canceled, are missing in the history #5176
  • Usage of IcingaWeb2 api command returns 404, but is successful #5183

Awesome Customizations

Many of you have already tried Icinga DB Web and might have noticed it uses slightly different icons for its sidebar entries. These icons are provided by Font Awesome, and now you can use them as well. Just find a suitable icon on their website and prefix its name with fa-. If you hadn’t used an icon at all for a menu item and upgraded to Icinga DB Web, opening it will no longer result in an error. Lastly, a particularly tricky issue caused the dashboard to display dashlets twice and prevented their deletion. This should be fixed now — fingers crossed!

  • Allow fontawesome icons as menu items #5205
  • Error while opening a navigation root item #5177
  • Dashlets twice in dashboard & not deletable #5203

Framework Enhancements

Those of you who take customization to the next level will be glad to hear that hooking into the rendering of plugin output is now easier, as the first line and long output are now combined when passed to the renderer. Anyone using the Icinga Web Graphite Integration may be familiar with this issue and will be relieved to know that graphs no longer disappear when using graph controls. And finally, a new release for Icinga Director is coming next week, which will hook into the rendering of custom variables. This feature has been available since Icinga Web v2.10.0, but it’s now slightly improved.

  • PluginOutputRenderer gets called twice #5271
  • Graphs disappear after form controls are used #4996
  • Make subgroups of custom variables fully collapsible #5256

Icinga Web Version 2.12.1

16 Nov 11:00
v2.12.1
cd2daeb
Compare
Choose a tag to compare

What's New in Version 2.12.1

You can find all issues related to this release on our Roadmap.

PHP 8.3 Support

This time we're a little ahead for once. PHP 8.3 is due in a week, and we are compatible with it now! There's not much else to say about it, so let's continue with the fixes.

  • Support for PHP 8.3 #5136

Fixes

You may have noticed a dashboard endlessly loading in the morning after you got to work again. The web server may also have stopped that with a complaint about a too long URL. This is now fixed and the dashboard should appear as usual. Then there was an issue with our support for PostgreSQL. We learned it the hard way to avoid such already in the past again and again. Though, this one slipped through our thorough testing and prevented some from successfully migrating the database schema. It's fixed now. Another fixed issue, is that the UI looks somewhat skewed if you have CSP enabled and logged out and in again.

  • Login Redirect Loop #5133
  • UI database migration not fully compatible with PostgreSQL #5129
  • Missing styles when logging out and in while CSP is enabled #5126

Icinga Web Version 2.12.0

21 Sep 14:46
v2.12.0
7cd79a5
Compare
Choose a tag to compare

What's New in Version 2.12.0

You can find all issues related to this release on our Roadmap.

PHP 8.2 Support

This release finally adds support for the latest version of PHP, 8.2. This means that installations on Debian Bookworm, Ubuntu 23.10 and Fedora 38+ can now install Icinga Web without worrying about PHP related incompatibilities. Some of our other modules still require an update, which they will receive in the coming weeks. Next week Icinga DB Web will follow. Icinga Certificate Monitoring, Icinga Business Process Modeling and Icinga Reporting the weeks after.

  • Support for PHP 8.2 #4918

Simplified Database Migrations

Anyone who already performed an upgrade of Icinga Web or some Icinga Web module in the past has done it: A database schema upgrade. This usually involved the following steps:

  • Knowing that a database might need an upgrade
  • Figuring out if that's true, by checking the upgrade documentation
  • Alternatively relying on the users to find out about it as they're running into database errors
  • Locating the upgrade file
  • Connecting to the machine the database is running on
  • Transferring the upgrade file over
  • Importing the upgrade file into the correct database

With Icinga Web v2.12 and later, upgrade the application and, yes, still check the upgrade documentation. That's still mandatory! But if you notice there, that just a database upgrade is necessary you can simply log in and check the Migrations section in the System menu. With a single additional click you can perform the database upgrade directly in the UI then. This view also offers to migrate module databases. The earlier mentioned updates of Icinga Certificate Monitoring and Icinga Reporting will pop up there once they arrive.

  • Provide a way to easily perform database migrations #5043

Content-Security-Policy Conformance

Err, what? That's an HTTP header to prevent cross site scripting attacks. (XSS) Still confused? It's a technique to stop bad individuals. A very effective technique even. You don't need to do anything, other than visiting the general configuration of Icinga Web and enabling the respective setting. The only downer here, is that support for it isn't as widespread yet as you might hope. Icinga Web itself of course has it, but not all modules. But don't worry, you might have guessed it already, those are the same modules which will receive updates in the coming weeks.

  • Support for Content-Security-Policy #4528

Other Notable Changes

There are not only such big changes as previously mentioned part of this release.

Some module developers may be happy to hear that there is now more control for the server over the UI possible. And with a new Javascript event it is now possible to react upon a column's content being moved to another column. Now built-in into the framework is also an easy way to mark content in the UI as being copiable with a single click by the user.

  • Allow to initiate a refresh with __REFRESH__ #5108
  • Don't refresh twice upon __CLOSE__ #5106
  • Add event column-moved #5049
  • Add copy-to-clipboard behavior #5041

Then there are some fixes related to other integrations. It is now possible to set up resources for Oracle databases, without a host setting, which facilitate dynamic host name resolution. A part of the monitoring module's integration into the Icinga Certificate Monitoring prevents a crash of its collector daemon in case the connection to the IDO was interrupted. And exported content, with data that has double quotes, to CSV is now correctly escaped.

  • Access Oracle Database via tnsnames.ora / LDAP Naming Services #5062
  • Reduce risk of crashing the x509 collector daemon #5115
  • CSV export does not escape double quotes #4910

Icinga Web Version 2.11.4

26 Jan 14:50
v2.11.4
Compare
Choose a tag to compare

What's New in Version 2.11.4

You can find all issues related to this release on our Roadmap.

Notable Fixes

  • Add/Edit dashlet not possible #4970
  • Custom library path + custom library, without slash in its name, results in exception #4971
  • Reflected XSS vulnerability in User Backends config page #4979

Changes in Packaging

  • The location of schema files has changed. Upgrade scripts, for example, can be found at /usr/share/icingaweb2/schema/-upgrades/. Older versions install these files to /usr/share/doc/icingaweb2/schema/-upgrades/ for RPM-based systems and /usr/share/icingaweb2/etc/schema/*-upgrades/ for Debian or Ubuntu.

Icinga Web Version 2.10.5

26 Jan 14:50
v2.10.5
Compare
Choose a tag to compare

What's New in Version 2.10.5

Please see the release notes for v2.11.4 for details.

Icinga Web Version 2.9.9

26 Jan 14:50
v2.9.9
Compare
Choose a tag to compare

What's New in Version 2.9.9

Please see the release notes for v2.11.4 for details.

Icinga Web Version 2.11.3

14 Dec 14:04
v2.11.3
Compare
Choose a tag to compare

What's New in Version 2.11.3

Notice: This is a security release. It is recommended to upgrade immediately.

You can find all issues related to this release on our Roadmap.

Minor to Medium Vulnerabilities

In late November we received multiple security vulnerability reports. They are listed below in order of severity where you can also find further notes:

  • Open Redirects for logged in users #4945
    This one is quite old, though got worse and easier to exploit since v2.9. It is for this reason that this fix has been backported all the way down to v2.9.8. It can be used to exploit incautious users, no matter their browser and its security settings. They need to click a specifically crafted link (in the easiest form) and log in to Icinga Web by filling in their access credentials. If they're already logged in, (due to an existing session or SSO) the browser prevents the exploit from happening. We encourage you to update to the latest release as soon as possible to mitigate any potential harm.

  • SSH Resource Configuration form XSS Bug #4947
    Dashlets allow the user to run Javascript code #4959
    These two are very similar. Both revolve around Javascript getting injected by logged in users interacting with forms. The SSH resource configuration requires configuration access though and, since custom dashlets are only shown to the user who created them, the dashlet configuration cannot affect other users. Note that both interactions cannot be initiated externally by CSRF, the forms are protected against this. Because of this we assess the severity of these two very low.

  • Role member suggestion endpoint is reachable for unauthorized users #4961
    This is more a case of missing authorization checks than a full fledged security flaw. But nevertheless, it allows any logged-in user, by use of a manually crafted request, to retrieve the names of all available users and usergroups.

The More Usual Dose of Fixes

  • Browser print dialog result broken #4957
    If you tried to export a view using the browser's builtin print dialog, (e.g. Ctrl+P) you may have noticed a degradation of fanciness since the update to v2.10. This looks nicer than ever now.

  • Shared navigation items are not accessible #4953
    Since v2.11.0 the shared navigation overview hasn't been accessible using the configuration menu. It is now accessible again.

  • While using dropdown filter menu it gets closed automatically due to autorefresh #4942
    Are you annoyed by the filter editor repeatedly closing the column selection while you're looking for something? We have you covered with a fix for this and the column selection should stay open as long as you don't click anywhere else.

Icinga Web Version 2.10.4

14 Dec 14:04
v2.10.4
Compare
Choose a tag to compare

What's New in Version 2.10.4

Notice: This is a security release. It is recommended to upgrade immediately.

Please see the release notes for v2.11.3 for details.

Icinga Web Version 2.9.8

14 Dec 14:03
v2.9.8
Compare
Choose a tag to compare

What's New in Version 2.9.8

Notice: This is a security release. It is recommended to upgrade immediately.

Please see the release notes for v2.11.3 for details.

Icinga Web Version 2.11.2

08 Nov 09:05
v2.11.2
Compare
Choose a tag to compare

What's New in Version 2.11.2

You can find all issues related to this release on our Roadmap.

It brings performance improvements and general fixes. Most notable of which are that having e.g. notifications disabled globally is now visible in the menu again and that the event history is grouped by days again.