Your message dated Fri, 15 Nov 2024 17:47:08 +0000
with message-id <e1tc0pu-004usk...@fasolo.debian.org>
and subject line Bug#1087384: fixed in icinga2 2.13.6-2+deb12u2
has caused the Debian Bug report #1087384,
regarding CVE-2024-49369: Security: fix TLS certificate validation bypass.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1087384: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087384
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: icinga2
Version: 2.14.2-1
Severity: grave
Tags: upstream security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Dear Maintainer,

I'm pretty sure you're aware, nevertheless here is the bug report:

https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3/

Today, we are releasing security updates for Icinga 2 fixing a
critical vulnerability that allowed bypassing the certificate
validation for JSON-RPC and HTTP API connections.
Impact

The TLS certificate validation in all Icinga 2 versions starting
from 2.4.0 was flawed, allowing an attacker to impersonate both
trusted cluster nodes as well as any API users that use TLS
client certificates for authentication (ApiUser objects with the
client_cn attribute set).

By impersonating a trusted cluster node like a master or satellite,
an attacker can supply a malicious configuration update to other
nodes (if the accept_config attribute of the ApiListener object is
set to true) or instruct the other node to execute malicious commands
directly (if the accept_commands attribute of the ApiListener object
is set to true). These attributes are expected to be set in most
distributed installations, but in case they are not, an attacker
can still retrieve potentially sensitive information.

When impersonating API users, the impact depends on the permissions
configured for the individual users using certificate authentication.
This may include permissions like updating the configuration and
executing commands as well.

We expect most installations to be affected by this vulnerability
and recommend upgrading as soon as possible.

P.P.S. Ignore the version information below; however, stable & oldstable
are affected too.

Hilmar

-- System Information:
Debian Release: 12.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armhf

Kernel: Linux 6.6.51+rpt-rpi-v8 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Attachment: signature.asc
Description: PGP signature


--- End Message ---
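The advisory quoted in the report above names three configuration attributes that decide what an attacker gains from the certificate-validation bypass: accept_config and accept_commands on the ApiListener, and client_cn on ApiUser objects. The following is an added example, not code from Icinga or Debian, that audits a configuration for exactly those settings. Its parser is a deliberate simplification of the Icinga 2 DSL (flat `object Type "name" { key = value }` blocks, comments stripped naively), the sample configuration is constructed for this example, and the file path and object names in it are assumptions.

```python
"""Audit an Icinga 2 API config for the exposure described in the
CVE-2024-49369 advisory: ApiListener objects that accept config or commands
from peers, and ApiUser objects authenticated by a client certificate CN.

Added example, not Icinga or Debian code. The DSL parser is a simplification:
it only understands flat `object Type "name" { key = value }` blocks.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the style of /etc/icinga2/features-available/api.conf
# plus some ApiUser objects (path, names and permissions are assumptions).
SAMPLE_CONFIG = """
object ApiListener "api" {
  accept_config = true      // peers may push zone configuration
  accept_commands = true    // peers may run command endpoints
  ticket_salt = TicketSalt
}

object ApiUser "root" {
  password = "not-a-real-password"   # password auth is not what the advisory covers
  permissions = [ "*" ]
}

object ApiUser "grafana" {
  client_cn = "grafana.example.test"
  permissions = [ "objects/query/*", "status/query" ]
}

object ApiUser "deploy" {
  client_cn = "deploy.example.test"
  permissions = [ "config/modify", "actions/*" ]
}
"""

_OBJECT_RE = re.compile(r'object\s+(\w+)\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
_ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)


@dataclass
class IcingaObject:
    type: str
    name: str
    attrs: dict = field(default_factory=dict)


def _strip_comments(text):
    # Naive: also strips "//" inside string literals such as URLs; fine for an audit.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse_objects(config_text):
    """Return the top-level objects with their attribute lines as strings."""
    objects = []
    for obj_type, name, body in _OBJECT_RE.findall(_strip_comments(config_text)):
        attrs = {k: v.strip('"') for k, v in _ATTR_RE.findall(body)}
        objects.append(IcingaObject(obj_type, name, attrs))
    return objects


def _dangerous(perms):
    # The permissions the advisory singles out: updating configuration and
    # executing commands (plus the wildcard that grants everything).
    return any(p in perms for p in ('"*"', "config/", "actions/"))


def audit_api_config(config_text):
    """Return (object type, name, attribute, value, consequence) tuples."""
    findings = []
    for obj in parse_objects(config_text):
        if obj.type == "ApiListener":
            if obj.attrs.get("accept_config") == "true":
                findings.append((obj.type, obj.name, "accept_config", "true",
                                 "an impersonated master/satellite can push a malicious configuration update"))
            if obj.attrs.get("accept_commands") == "true":
                findings.append((obj.type, obj.name, "accept_commands", "true",
                                 "an impersonated master/satellite can execute commands on this node"))
        elif obj.type == "ApiUser" and "client_cn" in obj.attrs:
            perms = obj.attrs.get("permissions", "[]")
            risk = "high" if _dangerous(perms) else "limited"
            findings.append((obj.type, obj.name, "client_cn", obj.attrs["client_cn"],
                             "certificate-authenticated user can be impersonated; "
                             "risk %s given permissions %s" % (risk, perms)))
    return findings


if __name__ == "__main__":
    for f in audit_api_config(SAMPLE_CONFIG):
        print("%s %r: %s = %s -> %s" % f)
```

The ApiUser "root" is not reported because it authenticates with a password; the advisory only concerns certificate-authenticated users, and "deploy" is the one to worry about because its permissions include configuration updates and command execution.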
--- Begin Message ---
Source: icinga2
Source-Version: 2.13.6-2+deb12u2
Done: Bas Couwenberg <sebas...@debian.org>

We believe that the bug you reported is fixed in the latest version of
icinga2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1087...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bas Couwenberg <sebas...@debian.org> (supplier of updated icinga2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Nov 2024 18:57:26 +0100
Source: icinga2
Architecture: source
Version: 2.13.6-2+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-de...@lists.alioth.debian.org>
Changed-By: Bas Couwenberg <sebas...@debian.org>
Closes: 1087384
Changes:
 icinga2 (2.13.6-2+deb12u2) bookworm; urgency=medium
 .
   * Team upload.
   * Add upstream patch to fix CVE-2024-49369.
     (closes: #1087384)
Checksums-Sha1:
 31fb31025f277ca60e2b3638e6903d522d286f67 2782 icinga2_2.13.6-2+deb12u2.dsc
 d310f1405a0890cdf14fe61c9dc4bca7205109c0 25216 icinga2_2.13.6-2+deb12u2.debian.tar.xz
 cef9dfcec03184f0e216c850dcef78c9046592a9 12352 icinga2_2.13.6-2+deb12u2_amd64.buildinfo
Checksums-Sha256:
 efcabe96a5762e9680a86d0507b8443e281bca4e9ba4baf4b0ea00e89a9d3efc 2782 icinga2_2.13.6-2+deb12u2.dsc
 2044bb0b211e8f709688bb92e2deae8c3287e96271d7b91ac0b6556f53581ec8 25216 icinga2_2.13.6-2+deb12u2.debian.tar.xz
 8c49cac4dca096f0f49595653649a8ce694f0562d858464d0083ae6cf575601e 12352 icinga2_2.13.6-2+deb12u2_amd64.buildinfo
Files:
 e6f0c308c7b6185763a80268421ae140 2782 admin optional icinga2_2.13.6-2+deb12u2.dsc
 7cf31457b398e474ba8141922361d71d 25216 admin optional icinga2_2.13.6-2+deb12u2.debian.tar.xz
 25d3d4fc00df0b5e30d8ff554386ca56 12352 admin optional icinga2_2.13.6-2+deb12u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpk0ce9uedDW.pgp
Description: PGP signature


--- End Message ---
