Hi,

Sorry to be annoying here, but I just discovered that the stable version is still vulnerable.
On Fri, 15 Nov 2024 05:12:08 +0100 Sebastiaan Couwenberg <sebas...@xs4all.nl> wrote:
> On 11/14/24 9:05 PM, Louis-Philippe Véronneau wrote:
>> I think this bug should be reopened and a security upload should be made ASAP to fix this critical issue.
>
> It's not that critical, to quote the security tracker:
> " [bookworm] - icinga2 <no-dsa> (Will be fixed via point release; Only affects deployments with access to Icinga API via client certificates) "
The security tracker is wrong here; this bug affects (in all likelihood) many, if not most, Icinga setups.

Any setup where the Icinga 2 API is exposed to the network is vulnerable; there is no need for an explicit API user with client certificates configured. Icinga 2 uses the same authentication mechanism for communication within an Icinga setup, meaning between different nodes (Icinga 2 instances, satellites/agents), and it uses certificate-based authentication for that. [0][1]

I just wanted to put some weight on the significance of this problem.
> The bookworm-pu has been submitted:
> https://bugs.debian.org/1087411
>
> You can build the bookworm branch yourself if you want to deploy the fix sooner:
> https://salsa.debian.org/nagios-team/icinga2/-/tree/bookworm?ref_type=heads
>
> Kind Regards,
> Bas
Kind regards
Lorenz Kästle

[0] https://icinga.com/blog/critical-icinga-2-security-releases-2-14-3/
[1] https://icinga.com/blog/uncovering-a-client-certificate-verification-bypass-in-icinga/
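As an added example (not code from this thread, from Debian or from the Icinga project), here is a shell check for the exposure condition Lorenz describes: whether a node's API listener is reachable from the network at all, regardless of whether any ApiUser with client certificates is configured. It assumes the default ApiListener port 5665, that listening sockets are inspected via `ss -ltn` output, and that an api.conf without `bind_host` listens on all interfaces; the `ss` lines and config snippet in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Icinga: check whether an
# Icinga 2 node's API listener is reachable from the network, which is the
# exposure condition discussed above (cluster/agent traffic uses the same
# certificate-authenticated listener as the REST API).
#
# Assumptions: the ApiListener uses the default port 5665; listening sockets
# are examined via `ss -ltn` output; an api.conf without bind_host listens on
# all interfaces. Sample inputs below are constructed for the demo.

ICINGA_API_PORT=5665

# Reads `ss -ltn` lines on stdin. Returns 0 (true) if a TCP listener on the
# API port is bound to anything other than loopback, 1 otherwise.
api_listener_exposed() {
    while read -r _state _recvq _sendq laddr _rest; do
        port=${laddr##*:}
        [ "$port" = "$ICINGA_API_PORT" ] || continue
        addr=${laddr%:*}
        case "$addr" in
            127.*|'[::1]') continue ;;   # loopback only, keep looking
            *) return 0 ;;               # 0.0.0.0, [::], *, or a real address
        esac
    done
    return 1
}

# Reads an ApiListener config (features-enabled/api.conf) on stdin. Returns 0
# if bind_host is unset or non-loopback, 1 if it is pinned to loopback.
api_conf_exposed() {
    bind=$(sed -n 's/^[[:space:]]*bind_host[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p')
    case "$bind" in
        127.*|::1|localhost) return 1 ;;
        *) return 0 ;;
    esac
}

# --- demo on constructed input -------------------------------------------
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:5665 [::]:*'

SAMPLE_API_CONF='object ApiListener "api" {
  accept_config = true
  accept_commands = true
}'

if printf '%s\n' "$SAMPLE_SS" | api_listener_exposed; then
    echo "socket check: API port $ICINGA_API_PORT listens on a non-loopback address"
else
    echo "socket check: API port $ICINGA_API_PORT is loopback-only or not listening"
fi

if printf '%s\n' "$SAMPLE_API_CONF" | api_conf_exposed; then
    echo "config check: ApiListener is not pinned to loopback"
else
    echo "config check: ApiListener bind_host is loopback"
fi
# On a live node: ss -ltn | api_listener_exposed
#                 api_conf_exposed < /etc/icinga2/features-enabled/api.conf
```

Both checks answer "yes, exposed" for a typical master/satellite/agent setup, because cluster peers have to reach this listener; that is the point of the thread, and why the "only with client certificates" qualifier in the tracker undersells the affected population. The socket check is the one to trust on a running host; the config check only reflects what api.conf says.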