Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
21_config_changes | Configuration changes for Debian - change icingaadmin mail address to root@localhost | Markus Frosch <lazyfrosch@debian.org> | not-needed | |||
postgres-checkcommand.patch | Use check_postgres path as provided by check-postgres package. | Jens Holzkämper <jens@zbmath.org> | not-needed | debian | ||
pr8184_boost1.74.patch | Fix ‘fs::copy_option’ has not been declared with boost 1.74.0. It was deprecated in https://github.com/boostorg/filesystem/commit/f199152b7df036ff1606c85e4ea1b28edfeda6cc | Louis Sautier <sautier.louis@gmail.com> | yes | debian upstream | https://github.com/Icinga/icinga2/pull/8184/commits/c30bae2994f1e5f33f6da51eb96d423e9bf0f75c | |
pr8190_boost1.74.patch | Introduce HttpUtility::Set() | "Alexander A. Klimov" <alexander.klimov@icinga.com> | yes | debian upstream | https://github.com/Icinga/icinga2/pull/8190/commits/45dd71e0f9a93369e08d6cb26f97940f9c9594aa | |
pr8191_boost1.74.patch | Define BOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT | "Alexander A. Klimov" <alexander.klimov@icinga.com> | yes | debian upstream | https://github.com/Icinga/icinga2/pull/8191/commits/7e62a68eadada58e762d3f4261750796adffd440 | |
CVE-2021-32739.patch | [PATCH] API: hide ApiListener#ticket_salt From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-only user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node's certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. That certificate may in turn be used to steal an endpoint or API user's identity. | "Alexander A. Klimov" <alexander.klimov@icinga.com> | yes | debian upstream | https://github.com/Icinga/icinga2/commit/b5b83fa51564662ff2e78d7529ff77e1085d4522 | 2021-07-01 |
CVE-2021-32743.patch | [PATCH] Remove passwords from API IdoMysqlConnection, IdoPgsqlConnection, IcingaDB, and ElasticsearchWriter require passwords in their configuration to authenticate against external services. This commit ensures that these can no longer be accessed using the API. | Julian Brost <julian.brost@icinga.com> | yes | debian upstream | https://github.com/Icinga/icinga2/commit/843353ab69f79b3abfeb38ac249b05e1944369ab | 2021-07-05 |
CVE-2021-37698-1.patch | Enable hostname verification in UnbufferedAsioTlsStream | Julian Brost <julian.brost@icinga.com> | yes | upstream | https://github.com/Icinga/icinga2/commit/8910abc5882774c067dfc22cdf8bf8b830257608 | 2021-08-13 |
CVE-2021-37698-2.patch | ElasticsearchWriter: actually verify TLS server certificates And add a new option insecure_noverify to explicitly disable it if desired. | Julian Brost <julian.brost@icinga.com> | yes | upstream | https://github.com/Icinga/icinga2/commit/bf535969ac23962b65b72ea3893c6b384e1d3218 | 2021-08-12 |
CVE-2021-37698-3.patch | GelfWriter: actually verify TLS server certificates And add a new option insecure_noverify to explicitly disable it if desired. | Julian Brost <julian.brost@icinga.com> | yes | upstream | https://github.com/Icinga/icinga2/commit/d7133ae4298d133a088b25c9a71ffeb1f8164a8d | 2021-08-12 |
CVE-2021-37698-4.patch | InfluxdbWriter: actually verify TLS server certificates And add a new option ssl_insecure_noverify to explicitly disable it if desired. | Julian Brost <julian.brost@icinga.com> | yes | upstream | https://github.com/Icinga/icinga2/commit/6db8795ca4b6a853f49615279f068d4cf2b42087 | 2021-08-17 |
CVE-2021-37698-5.patch | GelfWriter: show error message of exceptions | Julian Brost <julian.brost@icinga.com> | yes | upstream | https://github.com/Icinga/icinga2/commit/b7dd909a30367a4b8389e9362f05a856bbd7b081 | 2021-08-12 |
CVE-2024-49369.patch | Security: fix TLS certificate validation bypass The previous validation in set_verify_callback() could be bypassed, tricking Icinga 2 into treating invalid certificates as valid. To fix this, the validation checks were moved into the IsVerifyOK() function. This is tracked as CVE-2024-49369, more details will be published at a later time. | Julian Brost <julian.brost@icinga.com> | yes | debian upstream | https://github.com/Icinga/icinga2/commit/0419a2c36de408e9a703aec0962061ec9a285d3c | 2024-10-16 |