
Accepted icinga2 2.6.0-2+deb9u2 (source) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Nov 2021 20:07:42 +0100
Source: icinga2
Binary: icinga2 icinga2-common icinga2-bin icinga2-doc icinga2-classicui icinga2-ido-mysql icinga2-ido-pgsql icinga2-dbg libicinga2 icinga2-studio vim-icinga2
Architecture: source
Version: 2.6.0-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 icinga2    - host and network monitoring system
 icinga2-bin - host and network monitoring system - daemon
 icinga2-classicui - host and network monitoring system - classic UI
 icinga2-common - host and network monitoring system - common files
 icinga2-dbg - host and network monitoring system - debug symbols
 icinga2-doc - host and network monitoring system - documentation
 icinga2-ido-mysql - host and network monitoring system - MySQL support
 icinga2-ido-pgsql - host and network monitoring system - PostgreSQL support
 icinga2-studio - host and network monitoring system - studio API GUI
 libicinga2 - host and network monitoring system - internal libraries
 vim-icinga2 - syntax highlighting for Icinga 2 config files in VIM
Changes:
 icinga2 (2.6.0-2+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2021-32739: a vulnerability exists that may allow privilege
     escalation for authenticated API users. With a read-only user's
     credentials, an attacker can view most attributes of all config
     objects including `ticket_salt` of `ApiListener`. This salt is enough
     to compute a ticket for every possible common name (CN). A ticket, the
     master node's certificate, and a self-signed certificate are enough to
     successfully request the desired certificate from Icinga. That
     certificate may in turn be used to steal an endpoint or API user's
     identity.
     See also complementary manual procedures:
     https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/#change-ticket-salt
     https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/#replace-icinga-ca
   * CVE-2021-32743: some of the Icinga 2 features that require credentials
     for external services expose those credentials through the API to
     authenticated API users with read permissions for the corresponding
     object types. IdoMysqlConnection and IdoPgsqlConnection expose the
     password of the user used to connect to the database. An attacker who
     obtains these credentials can impersonate Icinga to these services and
     add, modify and delete information there. If credentials with more
     permissions are in use, this increases the impact accordingly.
   * CVE-2021-37698: InfluxdbWriter and Influxdb2Writer do not verify the
     server's certificate despite a certificate authority being
     specified. Icinga 2 instances which connect to any of the mentioned
     time series databases (TSDBs) using TLS over a spoofable
     infrastructure should immediately upgrade. Such instances should also
     change the credentials (if any) used by the TSDB writer feature to
     authenticate against the TSDB.
Checksums-Sha1:
 8d0708f8a12d465b948149a63f2eb2b32ce2e4fd 2955 icinga2_2.6.0-2+deb9u2.dsc
 11a9c29221d865fd2b3de69f4103c2e190d68141 2353930 icinga2_2.6.0.orig.tar.gz
 c74031b7434d3878bf6ce8384c6d741107d6b6ed 35656 icinga2_2.6.0-2+deb9u2.debian.tar.xz
 0ad640d7f199b4b91838bde24c59f668dcc5f8c4 13165 icinga2_2.6.0-2+deb9u2_all.buildinfo
Checksums-Sha256:
 5acdde8cab30c06e3237601e13a86fa7d3c146a0c3d8dd79239bbeaac3c32f63 2955 icinga2_2.6.0-2+deb9u2.dsc
 b04627d7508dda4bb7b75b74501586d34b5d3d8752291c56682ba1137af03270 2353930 icinga2_2.6.0.orig.tar.gz
 4ddbf7fa3fcdf56cd9b907ae14d30c55d8209b9f79a409fcae8d25ef2d6771d4 35656 icinga2_2.6.0-2+deb9u2.debian.tar.xz
 714fd060fd19601d25679f6ca61024dc46a43e4f30d20a31ae8c231adbe011ce 13165 icinga2_2.6.0-2+deb9u2_all.buildinfo
Files:
 f4d7e03339f300a49a4444fa0ae08503 2955 admin extra icinga2_2.6.0-2+deb9u2.dsc
 be7a897088f910069972b0250181ed27 2353930 admin extra icinga2_2.6.0.orig.tar.gz
 8c27d7ec4a33b5997e3c72fa8f7038a6 35656 admin extra icinga2_2.6.0-2+deb9u2.debian.tar.xz
 be2045ee4dd47f549f7aec54ff974508 13165 admin extra icinga2_2.6.0-2+deb9u2_all.buildinfo

