openSUSE Security Update: Security update for icingaweb2
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:0067-1
Rating:             moderate
References:         #1101357 #1119784 #1119785 #1119799 #1119800 
                    #1119801 
Cross-References:   CVE-2018-18246 CVE-2018-18247 CVE-2018-18248
                    CVE-2018-18249 CVE-2018-18250
Affected Products:
                    openSUSE Leap 15.1
                    openSUSE Leap 15.0
                    openSUSE Backports SLE-15-SP1
                    openSUSE Backports SLE-15
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has one errata
   is now available.

Description:

   This update for icingaweb2 to version 2.7.3 fixes the following issues:

   icingaweb2 update to 2.7.3:

   * Fixed an issue where servicegroups for roles with filtered objects were
     not available

   icingaweb2 update to 2.7.2:

   * Performance imrovements and bug fixes

   icingaweb2 update to 2.7.1:

   * Highlight links in the notes of an object
   * Fixed an issue where sort rules were no longer working
   * Fixed an issue where statistics were shown with an anarchist way
   * Fixed an issue where wildcards could no show results

   icingaweb2 update to 2.7.0:

   * New languages support
   * Now module developers got additional ways to customize Icinga Web 2
   * UI enhancements

   icingaweb2 update to 2.6.3:

   * Fixed various issues with LDAP
   * Fixed issues with timezone
   * UI enhancements
   * Stability fixes

   icingaweb2 update to 2.6.2:

   You can find issues and features related to this release on our Roadmap.
   This bugfix release addresses the following topics:

   * Database connections to MySQL 8 no longer fail
   * LDAP connections now have a timeout configuration which defaults to 5
     seconds
   * User groups are now correctly loaded for externally authenticated users   * Filters are respected for all links in the host and service group
     overviews
   * Fixed permission problems where host and service actions provided by
     modules were missing
   * Fixed an SQL error in the contact list view when filtering for host
     groups
   * Fixed time zone (DST) detection
   * Fixed the contact details view if restrictions are active
   * Doc parser and documentation fixes

   Fix security issues:

   - CVE-2018-18246: fixed an CSRF in moduledisable (boo#1119784)
   - CVE-2018-18247: fixed an XSS via /icingaweb2/navigation/add (boo#1119785)
   - CVE-2018-18248: fixed an XSS attack is possible via query strings or a
     dir parameter (boo#1119801)
   - CVE-2018-18249: fixed an injection of PHP ini-file directives involves
     environment variables as channel to send out information (boo#1119799)
   - CVE-2018-18250: fixed parameters that can break navigation dashlets
     (boo#1119800)

   - Remove setuid from new upstream spec file for following dirs:

     /etc/icingaweb2, /etc/icingaweb/modules, /etc/icingaweb2/modules/setup,
   /etc/icingaweb2/modules/translation, /var/log/icingaweb2

   icingaweb2 updated to 2.6.1:

   - You can find issues and features related to this release on our
     [Roadmap](https://github.com/Icinga/icingaweb2/milestone/51?closed=1).
   - The command audit now logs a command's payload as JSON which fixes a
     [bug](https://github.com/Icinga/icingaweb2/issues/3535) that has been
     introduced in version 2.6.0.

   icingaweb2 was updated to 2.6.0:

   - You can find issues and features related to this release on our Roadmap.

     * Enabling you to do stuff you couldn't before
       - Support for PHP 7.2 added
       - Support for SQLite resources added
       - Login and Command (monitoring) auditing added with the help of a
         dedicated module
       - Pluginoutput rendering is now hookable by modules which allows to
         render custom icons, emojis and .. cute kitties :octocat:
     * Avoiding that you miss something
       - It's now possible to toggle between list- and grid-mode for the
         host- and servicegroup overviews
       - The servicegrid now supports to flip its axes which allows it to be
         put into a landscape mode
       - Contacts only associated with services are visible now when
         restricted based on host filters       - Negated and combined membership filters now work as expected (#2934)
       - A more prominent error message in case the monitoring backend goes
         down
       - The filter editor doesn't get cleared anymore upon hitting Enter
     * Making your life a bit easier
       - The tactical overview is now filterable and can be safely put into
         the dashboard
       - It is now possible to register new announcements over the REST Api
       - Filtering for custom variables now works in UTF8 environments
     * Ensuring you understand everything
       - The monitoring health is now beautiful to look at and properly
         behaves in narrow environments
       - Updated German localization
       - Updated Italian localization
     * Freeing you from unrealiable things
       - Removed support for PHP < 5.6
       - Removed support for persistent database connections


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.1:

      zypper in -t patch openSUSE-2020-67=1

   - openSUSE Leap 15.0:

      zypper in -t patch openSUSE-2020-67=1

   - openSUSE Backports SLE-15-SP1:

      zypper in -t patch openSUSE-2020-67=1

   - openSUSE Backports SLE-15:

      zypper in -t patch openSUSE-2020-67=1

   - SUSE Package Hub for SUSE Linux Enterprise 12:

      zypper in -t patch openSUSE-2020-67=1



Package List:

   - openSUSE Leap 15.1 (noarch):

      icingacli-2.7.3-lp151.6.5.1
      icingaweb2-2.7.3-lp151.6.5.1
      icingaweb2-common-2.7.3-lp151.6.5.1
      icingaweb2-vendor-HTMLPurifier-2.7.3-lp151.6.5.1
      icingaweb2-vendor-JShrink-2.7.3-lp151.6.5.1
      icingaweb2-vendor-Parsedown-2.7.3-lp151.6.5.1
      icingaweb2-vendor-dompdf-2.7.3-lp151.6.5.1
      icingaweb2-vendor-lessphp-2.7.3-lp151.6.5.1
      icingaweb2-vendor-zf1-2.7.3-lp151.6.5.1
      php-Icinga-2.7.3-lp151.6.5.1

   - openSUSE Leap 15.0 (noarch):

      icingacli-2.7.3-lp150.4.7.1
      icingaweb2-2.7.3-lp150.4.7.1
      icingaweb2-common-2.7.3-lp150.4.7.1
      icingaweb2-vendor-HTMLPurifier-2.7.3-lp150.4.7.1
      icingaweb2-vendor-JShrink-2.7.3-lp150.4.7.1
      icingaweb2-vendor-Parsedown-2.7.3-lp150.4.7.1
      icingaweb2-vendor-dompdf-2.7.3-lp150.4.7.1
      icingaweb2-vendor-lessphp-2.7.3-lp150.4.7.1
      icingaweb2-vendor-zf1-2.7.3-lp150.4.7.1
      php-Icinga-2.7.3-lp150.4.7.1

   - openSUSE Backports SLE-15-SP1 (noarch):

      icingacli-2.7.3-bp151.5.3.1
      icingaweb2-2.7.3-bp151.5.3.1
      icingaweb2-common-2.7.3-bp151.5.3.1
      icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1
      icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1
      icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1
      icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1
      icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1
      icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1
      php-Icinga-2.7.3-bp151.5.3.1

   - openSUSE Backports SLE-15 (noarch):

      icingacli-2.7.3-bp150.2.7.1
      icingaweb2-2.7.3-bp150.2.7.1
      icingaweb2-common-2.7.3-bp150.2.7.1
      icingaweb2-vendor-HTMLPurifier-2.7.3-bp150.2.7.1
      icingaweb2-vendor-JShrink-2.7.3-bp150.2.7.1
      icingaweb2-vendor-Parsedown-2.7.3-bp150.2.7.1
      icingaweb2-vendor-dompdf-2.7.3-bp150.2.7.1
      icingaweb2-vendor-lessphp-2.7.3-bp150.2.7.1
      icingaweb2-vendor-zf1-2.7.3-bp150.2.7.1
      php-Icinga-2.7.3-bp150.2.7.1

   - SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

      icingacli-2.7.3-9.1
      icingaweb2-2.7.3-9.1
      icingaweb2-common-2.7.3-9.1
      icingaweb2-vendor-HTMLPurifier-2.7.3-9.1
      icingaweb2-vendor-JShrink-2.7.3-9.1
      icingaweb2-vendor-Parsedown-2.7.3-9.1
      icingaweb2-vendor-dompdf-2.7.3-9.1
      icingaweb2-vendor-lessphp-2.7.3-9.1
      icingaweb2-vendor-zf1-2.7.3-9.1
      php-Icinga-2.7.3-9.1


References:

   https://www.suse.com/security/cve/CVE-2018-18246.html
   https://www.suse.com/security/cve/CVE-2018-18247.html
   https://www.suse.com/security/cve/CVE-2018-18248.html
   https://www.suse.com/security/cve/CVE-2018-18249.html
   https://www.suse.com/security/cve/CVE-2018-18250.html
   https://bugzilla.suse.com/1101357
   https://bugzilla.suse.com/1119784
   https://bugzilla.suse.com/1119785
   https://bugzilla.suse.com/1119799
   https://bugzilla.suse.com/1119800
   https://bugzilla.suse.com/1119801

--

openSUSE: 2020:0067-1: moderate: icingaweb2

January 16, 2020
An update that solves 5 vulnerabilities and has one errata is now available.

Description

This update for icingaweb2 to version 2.7.3 fixes the following issues: icingaweb2 update to 2.7.3: * Fixed an issue where servicegroups for roles with filtered objects were not available icingaweb2 update to 2.7.2: * Performance imrovements and bug fixes icingaweb2 update to 2.7.1: * Highlight links in the notes of an object * Fixed an issue where sort rules were no longer working * Fixed an issue where statistics were shown with an anarchist way * Fixed an issue where wildcards could no show results icingaweb2 update to 2.7.0: * New languages support * Now module developers got additional ways to customize Icinga Web 2 * UI enhancements icingaweb2 update to 2.6.3: * Fixed various issues with LDAP * Fixed issues with timezone * UI enhancements * Stability fixes icingaweb2 update to 2.6.2: You can find issues and features related to this release on our Roadmap. This bugfix release addresses the following topics: ...

Read the Full Advisory

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-67=1 - openSUSE Leap 15.0: zypper in -t patch openSUSE-2020-67=1 - openSUSE Backports SLE-15-SP1: zypper in -t patch openSUSE-2020-67=1 - openSUSE Backports SLE-15: zypper in -t patch openSUSE-2020-67=1 - SUSE Package Hub for SUSE Linux Enterprise 12: zypper in -t patch openSUSE-2020-67=1


Package List

- openSUSE Leap 15.1 (noarch): icingacli-2.7.3-lp151.6.5.1 icingaweb2-2.7.3-lp151.6.5.1 icingaweb2-common-2.7.3-lp151.6.5.1 icingaweb2-vendor-HTMLPurifier-2.7.3-lp151.6.5.1 icingaweb2-vendor-JShrink-2.7.3-lp151.6.5.1 icingaweb2-vendor-Parsedown-2.7.3-lp151.6.5.1 icingaweb2-vendor-dompdf-2.7.3-lp151.6.5.1 icingaweb2-vendor-lessphp-2.7.3-lp151.6.5.1 icingaweb2-vendor-zf1-2.7.3-lp151.6.5.1 php-Icinga-2.7.3-lp151.6.5.1 - openSUSE Leap 15.0 (noarch): icingacli-2.7.3-lp150.4.7.1 icingaweb2-2.7.3-lp150.4.7.1 icingaweb2-common-2.7.3-lp150.4.7.1 icingaweb2-vendor-HTMLPurifier-2.7.3-lp150.4.7.1 icingaweb2-vendor-JShrink-2.7.3-lp150.4.7.1 icingaweb2-vendor-Parsedown-2.7.3-lp150.4.7.1 icingaweb2-vendor-dompdf-2.7.3-lp150.4.7.1 icingaweb2-vendor-lessphp-2.7.3-lp150.4.7.1 icingaweb2-vendor-zf1-2.7.3-lp150.4.7.1 php-Icinga-2.7.3-lp150.4.7.1 - openSUSE Backports SLE-15-SP1 (noarch): icingacli-2.7.3-bp151.5.3.1 icingaweb2-2.7.3-bp151.5.3.1 icingaweb2-common-2.7.3-bp151.5.3.1 icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 php-Icinga-2.7.3-bp151.5.3.1 - openSUSE Backports SLE-15 (noarch): icingacli-2.7.3-bp150.2.7.1 icingaweb2-2.7.3-bp150.2.7.1 icingaweb2-common-2.7.3-bp150.2.7.1 icingaweb2-vendor-HTMLPurifier-2.7.3-bp150.2.7.1 icingaweb2-vendor-JShrink-2.7.3-bp150.2.7.1 icingaweb2-vendor-Parsedown-2.7.3-bp150.2.7.1 icingaweb2-vendor-dompdf-2.7.3-bp150.2.7.1 icingaweb2-vendor-lessphp-2.7.3-bp150.2.7.1 icingaweb2-vendor-zf1-2.7.3-bp150.2.7.1 php-Icinga-2.7.3-bp150.2.7.1 - SUSE Package Hub for SUSE Linux Enterprise 12 (noarch): icingacli-2.7.3-9.1 icingaweb2-2.7.3-9.1 icingaweb2-common-2.7.3-9.1 icingaweb2-vendor-HTMLPurifier-2.7.3-9.1 icingaweb2-vendor-JShrink-2.7.3-9.1 icingaweb2-vendor-Parsedown-2.7.3-9.1 icingaweb2-vendor-dompdf-2.7.3-9.1 icingaweb2-vendor-lessphp-2.7.3-9.1 icingaweb2-vendor-zf1-2.7.3-9.1 php-Icinga-2.7.3-9.1


References

https://www.suse.com/security/cve/CVE-2018-18246.html https://www.suse.com/security/cve/CVE-2018-18247.html https://www.suse.com/security/cve/CVE-2018-18248.html https://www.suse.com/security/cve/CVE-2018-18249.html https://www.suse.com/security/cve/CVE-2018-18250.html https://bugzilla.suse.com/1101357 https://bugzilla.suse.com/1119784 https://bugzilla.suse.com/1119785 https://bugzilla.suse.com/1119799 https://bugzilla.suse.com/1119800 https://bugzilla.suse.com/1119801--


Severity
Announcement ID: openSUSE-SU-2020:0067-1
Rating: moderate
Affected Products: openSUSE Leap 15.1 openSUSE Leap 15.0 openSUSE Backports SLE-15-SP1 openSUSE Backports SLE-15 SUSE Package Hub for SUSE Linux Enterprise 12 le.

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved