Your message dated Tue, 12 Nov 2024 18:19:40 +0000
with message-id <e1tavuk-007hjd...@fasolo.debian.org>
and subject line Bug#1087384: fixed in icinga2 2.14.3-1
has caused the Debian Bug report #1087384,
regarding CVE-2024-49369: Security: fix TLS certificate validation bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1087384: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087384
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: icinga2
Version: 2.14.2-1
Severity: grave
Tags: upstream security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Dear Maintainer,

I'm pretty sure you're aware, nevertheless here is the bug report:
https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3/

  Today, we are releasing security updates for Icinga 2 fixing a critical
  vulnerability that allowed bypassing the certificate validation for
  JSON-RPC and HTTP API connections.

  Impact

  The TLS certificate validation in all Icinga 2 versions starting from
  2.4.0 was flawed, allowing an attacker to impersonate both trusted
  cluster nodes as well as any API users that use TLS client certificates
  for authentication (ApiUser objects with the client_cn attribute set).

  By impersonating a trusted cluster node like a master or satellite, an
  attacker can supply a malicious configuration update to other nodes (if
  the accept_config attribute of the ApiListener object is set to true) or
  instruct the other node to execute malicious commands directly (if the
  accept_commands attribute of the ApiListener object is set to true).
  These attributes are expected to be set in most distributed
  installations, but in case they are not, an attacker can still retrieve
  potentially sensitive information.

  When impersonating API users, the impact depends on the permissions
  configured for the individual users using certificate authentication.
  This may include permissions like updating the configuration and
  executing commands as well.

  We expect most installations to be affected by this vulnerability and
  recommend upgrading as soon as possible.

P.S. Ignore the version information below, however stable & oldstable are
affected too.

Hilmar

-- System Information:
Debian Release: 12.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armhf

Kernel: Linux 6.6.51+rpt-rpi-v8 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
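The advisory quoted in the report above ties the impact of CVE-2024-49369 to three things an operator can check locally: the running version (affected from 2.4.0, fixed in 2.14.3 per this bug), the accept_config and accept_commands attributes of the ApiListener object, and any ApiUser objects that authenticate with client_cn. The following triage helper is an added example, not part of the bug report, the Debian package, or Icinga's own code. It assumes the affected range stated in the report (2.4.0 up to but not including 2.14.3; upstream may also have patched older branches, which the report does not list), reads only flat `object Type "name" { ... }` blocks with a small regex parser rather than Icinga's real DSL parser, and runs on a constructed sample configuration and a constructed version string.

```python
"""Triage helper for CVE-2024-49369 (Icinga 2 TLS certificate validation bypass).

Added example; not part of the Debian bug report, the icinga2 package or
Icinga's own code. Assumptions from the advisory quoted in the report:
releases from 2.4.0 up to but not including 2.14.3 are treated as affected,
and the impact hinges on ApiListener.accept_config / accept_commands and on
ApiUser objects that authenticate via client_cn. The config reader is a
deliberately small regex parser for flat `object Type "name" { ... }`
blocks, not Icinga's real DSL parser. Sample config and version string are
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

FIRST_AFFECTED = (2, 4, 0)   # advisory: all versions starting from 2.4.0
FIXED_VERSION = (2, 14, 3)   # Debian icinga2 2.14.3-1 closes #1087384

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Flat object block: header, body, closing brace at the start of a line.
_OBJECT_RE = re.compile(r'object\s+(\w+)\s+"([^"]*)"\s*\{(.*?)^\}', re.S | re.M)
_ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract MAJOR.MINOR.PATCH from strings like 'r2.14.2-1' or '2.14.3-1';
    a Debian revision suffix such as '-1' is ignored."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> bool:
    """True when the version lies in the assumed affected range."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIXED_VERSION


@dataclass
class IcingaObject:
    type: str
    name: str
    attrs: dict[str, str] = field(default_factory=dict)


def parse_objects(config: str) -> list[IcingaObject]:
    """Read top-level object blocks; attribute values are kept as raw text."""
    objects = []
    for type_, name, body in _OBJECT_RE.findall(config):
        objects.append(IcingaObject(type_, name, dict(_ATTR_RE.findall(body))))
    return objects


def assess(config: str, version_text: str) -> list[str]:
    """Return findings for one installation; an empty list means nothing to flag."""
    if not is_affected(version_text):
        return []
    ver = ".".join(map(str, parse_version(version_text)))
    findings = [f"icinga2 {ver} is in the affected range for CVE-2024-49369; "
                "upgrade to 2.14.3 or later"]
    for obj in parse_objects(config):
        if obj.type == "ApiListener":
            if obj.attrs.get("accept_config") == "true":
                findings.append(f'ApiListener "{obj.name}" has accept_config = true: '
                                "an impersonated trusted node can push a malicious "
                                "configuration update")
            if obj.attrs.get("accept_commands") == "true":
                findings.append(f'ApiListener "{obj.name}" has accept_commands = true: '
                                "an impersonated trusted node can have commands "
                                "executed directly")
        elif obj.type == "ApiUser" and "client_cn" in obj.attrs:
            perms = obj.attrs.get("permissions", "(none)")
            findings.append(f'ApiUser "{obj.name}" authenticates by client certificate '
                            f'(client_cn = {obj.attrs["client_cn"]}) with permissions '
                            f"{perms}: impersonable until patched")
    return findings


# Constructed sample input (not from any real host).
SAMPLE_VERSION = "icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.2-1)"
SAMPLE_CONFIG = """\
object ApiListener "api" {
  accept_config = true
  accept_commands = true
  ticket_salt = TicketSalt
}

object ApiUser "deploy" {
  client_cn = "deploy.example.org"
  permissions = [ "config/modify", "actions/*" ]
}

object ApiUser "readonly" {
  password = "not-a-real-secret"
  permissions = [ "objects/query/*" ]
}
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_CONFIG, SAMPLE_VERSION):
        print("-", finding)
```

On a real host, feed `assess` the output of `icinga2 --version` and the concatenated contents of the API feature and ApiUser configuration files (on Debian these are typically under /etc/icinga2/features-enabled/ and /etc/icinga2/conf.d/, an assumption to verify locally). The password-authenticated "readonly" user is deliberately not flagged: the advisory scopes the impersonation to certificate-authenticated users, so a password user is only exposed through the node-impersonation path.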
--- Begin Message ---
Source: icinga2
Source-Version: 2.14.3-1
Done: Bas Couwenberg <sebas...@debian.org>

We believe that the bug you reported is fixed in the latest version of
icinga2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1087...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bas Couwenberg <sebas...@debian.org> (supplier of updated icinga2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Nov 2024 18:28:00 +0100
Source: icinga2
Architecture: source
Version: 2.14.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-de...@lists.alioth.debian.org>
Changed-By: Bas Couwenberg <sebas...@debian.org>
Closes: 1073041 1087384
Changes:
 icinga2 (2.14.3-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release.
     - Fixes CVE-2024-49369 (closes: #1087384)
   * Replace pkg-config build dependency with pkgconf.
   * Ignore test failures on loong64. (closes: #1073041)
   * Bump Standards-Version to 4.7.0, no changes.
   * Update lintian overrides.
Checksums-Sha1:
 f28be3fab55fdcf0d3616387cdf70dc90716db44 2787 icinga2_2.14.3-1.dsc
 5e2dd21634121c1d314f3489b4530774ef4b6d0f 9397891 icinga2_2.14.3.orig.tar.gz
 7a752cd224f3f3d89035677e58adb7e99d3faf36 24800 icinga2_2.14.3-1.debian.tar.xz
 cf53f41e7cddb6e8276a2d95de5fff392b643688 13147 icinga2_2.14.3-1_amd64.buildinfo
Checksums-Sha256:
 4892cc45e7079b250341b81e1c928c9b1806d2f0e52a97ab353cc7d7238da2e5 2787 icinga2_2.14.3-1.dsc
 8cde20f8d8f66228fd66b4b4cef0deb0e60cf8d2a0ddc94c4cf54df5bec7db33 9397891 icinga2_2.14.3.orig.tar.gz
 65ca37a692a2c161ba54c96f1f3d55bb208e9e400adb494b76c57524ae7ea241 24800 icinga2_2.14.3-1.debian.tar.xz
 f822b8f73c48cefff1aa3072d0272d92dc3770ae436325876db2051c64a799ca 13147 icinga2_2.14.3-1_amd64.buildinfo
Files:
 1f3d4926452a17ce6fe29a39772f75e9 2787 admin optional icinga2_2.14.3-1.dsc
 82af81b6eb04d4e96798e513636076f0 9397891 admin optional icinga2_2.14.3.orig.tar.gz
 d4085d74c624150dbe179e3345fb5965 24800 admin optional icinga2_2.14.3-1.debian.tar.xz
 2c9e9ea4c755cfb71fcfbc33b5520d7f 13147 admin optional icinga2_2.14.3-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEgYLeQXBWQI1hRlDRZ1DxCuiNSvEFAmczlggACgkQZ1DxCuiN
SvEMhw/7BE3bPzXKkIqzrNgYGGm1QzDmul9DpIxc6EsQgaB36pLfcgn8i1dkhy1y
86/BLw4rQVVMGXIuhdGwmrCsla+CisMmb2FCFKxh2tDR1DX1IFEW+fRFXWXbhicL
rasHkNvRblDFGWlDD/s/I/+kJk4EYxSsYosjJjtK3gDgBI4pSvzIe/shN+4MkfAo
A4aATYusFIcwT/eyFjKlu+rRfY4EmWWUdsuMGgeyuU67QOhKapglPj9kKWWi+DCA
GLqljpo53Q6tMHmZQRYYZgxWBt8GLRITh7mAyfPPK57woL6kK86N8s6d6AuOFZxW
0XR+Rl3dstr2xNP3kH/wLXRyol8+tGF6o8Amo43jLFQF8gXH99WUXImJrq5GUQuW
waoaQ022oZ2rtNQpLYSmJ8ull7El5zA2zMg64Hyblhmn/lNvpJWGA8nQkEgYGiiW
Jb3llAZxwUjoP+6hPFO1aDkAN+m+DC/kHSgR5I7cGsDsN0g/smprf2aZenPnuFA8
5shjzD8jsKN+/i7YtDUhq/tbOTZ3jWY3/hHNr+394KfRJMLcUYZAq9Z+P6GWE3Dk
O5Mo0SHma02MwaMuzIVZ0eZFGkjg6cCIwPPC1PCyCMYXDSr+ufrEhX+Pgg4LvA6z
0fb0mQ74wRypqYCTPXFnIP6dQaNqHrL6D5gbr7IumDiXEBFRHIQ=
=sk9a
-----END PGP SIGNATURE-----
--- End Message ---