Releases: Icinga/icinga2
Icinga 2 v2.12.3
Version 2.12.3 resolves a security vulnerability with revoked certificates being
renewed automatically ignoring the CRL.
This version also resolves issues with high load on Windows regarding the config sync
and not being able to disable/enable Icinga 2 features over the API.
Security
- Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)
When a CRL is specified in the ApiListener configuration, Icinga 2 only used it
when connections were established so far, but not when a certificate is requested.
This allows a node to automatically renew a revoked certificate if it meets the
other conditions for auto renewal (issued before 2017 or expires in less than 30 days).
Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
this only affects setups with external certificate signing and revoked certificates
that expire in less then 30 days.
Bugfixes
- Improve config sync locking - resolves high load issues on Windows #8511
- Fix runtime config updates being ignored for objects without zone #8549
- Use proper buffer size for OpenSSL error messages #8542
Enhancements
- On checkable recovery: re-check children that have a problem #8506
Icinga 2 v2.11.8
Version 2.11.8 resolves a security vulnerability with revoked certificates being
renewed automatically ignoring the CRL.
This version also resolves issues with high load on Windows regarding the config sync
and not being able to disable/enable Icinga 2 features over the API.
Security
- Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)
When a CRL is specified in the ApiListener configuration, Icinga 2 only used it
when connections were established so far, but not when a certificate is requested.
This allows a node to automatically renew a revoked certificate if it meets the
other conditions for auto renewal (issued before 2017 or expires in less than 30 days).
Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
this only affects setups with external certificate signing and revoked certificates
that expire in less then 30 days.
Bugfixes
- Improve config sync locking - resolves high load issues on Windows #8510
- Fix runtime config updates being ignored for objects without zone #8550
- Use proper buffer size for OpenSSL error messages #8543
Enhancements
- On checkable recovery: re-check children that have a problem #8560
Icinga 2 v2.12.2
julianbrost
Julian Brost
Version 2.12.2 fixes several issues to improve the reliability of the cluster functionality.
Bugfixes
- Fix a connection leak with misconfigured agents #8483
- Properly sync changes of config objects in global zones done via the API #8474 #8470
- Prevent other clients from being disconnected when replaying the cluster log takes very long #8496
- Avoid duplicate connections between endpoints #8465
- Ignore incoming config object updates for unknown zones #8461
- Check timestamps before removing files in config sync #8495
Enhancements
- Include HTTP status codes in log #8467
Icinga 2 v2.11.7
Version 2.11.7 fixes several issues to improve the reliability of the cluster functionality.
Bugfixes
- Fix a connection leak with misconfigured agents #8482
- Properly sync changes of config objects in global zones done via the API #8473 #8457
- Prevent other clients from being disconnected when replaying the cluster log takes very long #8475
- Avoid duplicate connections between endpoints #8399
- Ignore incoming config object updates for unknown zones #8459
- Check timestamps before removing files in config sync #8486
Enhancements
- Include HTTP status codes in log #8454
Icinga 2 v2.12.1
Al2Klimov
Alexander Aleksandrovič Klimov
This version fixes several crashes, deadlocks and excessive check latencies. It also addresses several bugs regarding IDO, API, notifications and checks.
Bugfixes
- Core
- IDO
- Misc
Icinga 2.11.6
julianbrost
Julian Brost
Version 2.11.6 fixes several crashes, prevents unnecessary notifications and addresses several bugs in IDO and the API.
Bugfixes
- Crashes
- IDO
- API
- Misc
Icinga 2.12.0
Issues and PRs
Blogpost
Upgrading docs
Thanks to all contributors:
Ant1x, azthec, baurmatt, bootc, Foxeronie, ggzengel, islander, joni1993, KAMI911, mcktr, MichalMMac, sebastic, sthen, unki, vigiroux, wopfel
Breaking changes
- Deprecate Windows plugins in favor of our
PowerShell plugins #8071 - Deprecate Livestatus #8051
- Refuse acknowledging an already acknowledged checkable #7695
- Config lexer: complain on EOF in heredocs, i.e.
{{{abc<EOF>#7541
Enhancements
- Core
- API
- Host/Service: Add
acknowledgement_last_changeandnext_updateattributes #7881 #7534 - Improve error message for POST queries #7681
- /v1/actions/remove-comment: let users specify themselves #7646
- /v1/actions/remove-downtime: let users specify themselves #7645
- /v1/config/stages: Add 'activate' parameter #7535
- Host/Service: Add
- CLI
- DSL
- Add
get_template()andget_templates()#7632 MacroProcessor::ResolveArguments(): skip null argument values #7567- Fix crash due to dependency apply rule with
ignore_on_errorand non-existing parent #7538 - Introduce ternary operator (
x ? y : z) #7442 - LegacyTimePeriod: support specifying seconds #7439
- Add support for Lambda Closures (
() use(x) => x and () use(x) => { return x }) #7417
- Add
- ITL
- Docs
- Misc
Bugfixes
- Core
- Cluster
- Fix segfault during heartbeat timeout with clients not yet signed #7970
- Make the config update process mutually exclusive (Prevents file system race conditions) #7936
- Fix
check_timeoutnot being forwarded to agent command endpoints #7861 - Config sync: Use a more friendly message when configs are equal and don't need a reload #7811
- Fix open connections when agent waits for CA approval #7686
- Consider a JsonRpcConnection alive on a single byte of TLS payload, not only on a whole message #7836
- Send JsonRpcConnection heartbeat every 20s instead of 10s #8102
- Use JsonRpcConnection heartbeat only to update connection liveness (m_Seen) #8142
- Fix TLS context not being updated on signed certificate messages on agents #7654
- API
- SELinux
- Windows
- Metrics
- Scripts
- Fix notification scripts to stay compatible with Dash #7706
- Fix bash line continuation in mail-host-notification.sh #7701
- Fix notification scripts string comparison #7647
- Service and host mail-notifications: Add line-breaks to very long output #6822
- Set correct UTF-8 email subject header (RFC1342) #6369
- Misc
- DSL: Fix segfault due to passing null as custom function to
Array#{sort,map,reduce,filter,any,all}()#8053 - CLI:
pki save-cert: allow to specify --key and --cert for backwards compatibility #7995 - Catch exception when trusted cert is not readable during node setup on agent/satellite #7838
- CheckCommand ssl: Fix wrong parameter
-N#7741 - Code quality fixes
- Small documentation fixes
- DSL: Fix segfault due to passing null as custom function to
v2.11.5
Version 2.11.5 fixes file system race conditions
in the config update process occurring in large HA environments
and improves the cluster connection liveness mechanisms.
Bugfixes
- Make the config update process mutually exclusive (Prevents file system race conditions) #8093
- Consider a JsonRpcConnection alive on a single byte of TLS payload, not only on a whole message #8094
- Send JsonRpcConnection heartbeat every 20s instead of 10s #8103
- Use JsonRpcConnection heartbeat only to update connection liveness (m_Seen) #8097
v2.11.4
Version 2.11.4 fixes a crash during a heartbeat timeout with clients not yet signed. It also resolves
an issue with endpoints not reconnecting after a reload/deploy, which caused a lot of UNKNOWN states.
Bugfixes
- Cluster
- Setup
- DSL
- Fix segfault on missing compare function in Array functions (sort, map, reduce, filter, any, all) #8054
v2.12.0-rc1
N-o-X
Noah Hilverling
Changes
Notes
Release blogpost: https://icinga.com/2020/03/16/releasing-icinga-db-v1-0-rc1/
Upgrading docs: https://icinga.com/docs/icinga2/snapshot/doc/16-upgrading-icinga-2/#upgrading-to-v212
Thanks to all contributors: Ant1x, azthec, baurmatt, bootc, Foxeronie, ggzengel, islander, joni1993, KAMI911, mcktr, MichalMMac, sebastic, sthen, unki, vigiroux, wopfel,
Breaking changes
- Refuse acknowledging an already acknowledged checkable #7695
- Config lexer: complain on EOF in heredocs, i.e.
{{{abc<EOF>#7541
Enhancements
- Core
- Implement new database backend: Icinga DB #7571
- API
- Host/Service: Add
acknowledgement_last_changeandnext_updateattributes #7881 #7534 - Improve error message for POST queries #7681
- /v1/actions/remove-comment: let users specify themselves #7646
- /v1/actions/remove-downtime: let users specify themselves #7645
- /v1/config/stages: Add 'activate' parameter #7535
- Host/Service: Add
- CLI
- DSL
- Add
get_template()andget_templates()#7632 MacroProcessor::ResolveArguments(): skip null argument values #7567- Fix crash due to dependency apply rule with
ignore_on_errorand non-existing parent #7538 - Introduce ternary operator (
x ? y : z) #7442 - LegacyTimePeriod: support specifying seconds #7439
- Add support for Lambda Closures (
() use(x) => x and () use(x) => { return x }) #7417
- Add
- ITL
- Docs
- Misc
Bugfixes
- Core
- Cluster
- Fix
check_timeoutnot being forwarded to agent command endpoints #7861 - Config sync: Use a more friendly message when configs are equal and don't need a reload #7811
- Fix open connections when agent waits for CA approval #7686
- Fix TLS context not being updated on signed certificate messages on agents #7654
- Fix
- API
- SELinux
- Windows
- Metrics
- Scripts
- Fix notification scripts to stay compatible with Dash #7706
- Fix bash line continuation in mail-host-notification.sh #7701
- Fix notification scripts string comparison #7647
- Service and host mail-notifications: Add line-breaks to very long output #6822
- Set correct UTF-8 email subject header (RFC1342) #6369
- Misc