OK to commit this pre-6.3?

CVE-2018-6532: By sending specially crafted requests, authenticated and unauthenticated, an attacker can exhaust a lot of memory on the server side, triggering the OOM killer.
CVE-2018-6534: By sending specially crafted messages, an attacker can cause a NULL pointer dereference, which can cause Icinga2 to crash. CVE-2018-6535: Lack of a constant-time password comparison function can disclose the password to an attacker. Detailed write-up and simple crashers for the above at https://hansmi.ch/articles/2018-03-icinga2-security (CVE-2017-16933 and CVE-2018-6536 also in this release relate to the init scripts that we don't use). Index: Makefile =================================================================== RCS file: /cvs/ports/net/icinga/core2/Makefile,v retrieving revision 1.77 diff -u -p -r1.77 Makefile --- Makefile 20 Jan 2018 14:03:39 -0000 1.77 +++ Makefile 22 Mar 2018 13:35:17 -0000 @@ -6,7 +6,7 @@ COMMENT-main = network monitoring system COMMENT-mysql = MySQL support for icinga2 COMMENT-pgsql = PostgreSQL support for icinga2 -V = 2.8.1 +V = 2.8.2 EPOCH = 0 GH_ACCOUNT = Icinga GH_PROJECT = icinga2 Index: distinfo =================================================================== RCS file: /cvs/ports/net/icinga/core2/distinfo,v retrieving revision 1.26 diff -u -p -r1.26 distinfo --- distinfo 17 Jan 2018 12:29:08 -0000 1.26 +++ distinfo 22 Mar 2018 13:35:17 -0000 @@ -1,2 +1,2 @@ -SHA256 (icinga2-2.8.1.tar.gz) = g5ML+VpcZWLMMcN92wGzYWZUl+9wAenMh2P9SZpNcJ0= -SIZE (icinga2-2.8.1.tar.gz) = 2501182 +SHA256 (icinga2-2.8.2.tar.gz) = UIggkFyGkGEXphbpDrFrZGAH4XhiGw358n/K8aSRFRw= +SIZE (icinga2-2.8.2.tar.gz) = 2507304 Index: pkg/PLIST-main =================================================================== RCS file: /cvs/ports/net/icinga/core2/pkg/PLIST-main,v retrieving revision 1.22 diff -u -p -r1.22 PLIST-main --- pkg/PLIST-main 20 Nov 2017 11:11:20 -0000 1.22 +++ pkg/PLIST-main 22 Mar 2018 13:35:17 -0000 
@@ -181,8 +181,6 @@ share/examples/icinga2/features-enabled/ @extraunexec rm -rf ${SYSCONFDIR}/icinga2/features-enabled/* share/examples/icinga2/icinga2.conf @sample ${SYSCONFDIR}/icinga2/icinga2.conf -share/examples/icinga2/init.conf -@sample ${SYSCONFDIR}/icinga2/init.conf share/examples/icinga2/scripts/ @sample ${SYSCONFDIR}/icinga2/scripts/ share/examples/icinga2/scripts/mail-host-notification.sh
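Review bot: In the pkg/PLIST-main hunk, the removal of `share/examples/icinga2/init.conf` and its `@sample ${SYSCONFDIR}/icinga2/init.conf` line is not explained in the mail, which only says the init-script CVEs relate to scripts this port does not use. Please state in the commit message whether 2.8.2 no longer ships the file, check that the sample icinga2.conf still in the packing list does not refer to init.conf, and check that a locally modified init.conf left behind in ${SYSCONFDIR}/icinga2 after an upgrade is harmless.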
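Review bot: In the distinfo hunk, SHA256 and SIZE both change for icinga2-2.8.2.tar.gz, and because this is a security update the new values should be confirmed against a freshly fetched tarball rather than a distfile already sitting in the local cache. Removing the cached file, running make makesum again and comparing the result with the values in this hunk would settle it before commit.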