[pkg-nagios-changes] [Git][nagios-team/pkg-icingaweb2][master] 6 commits: New upstream version 2.8.2
Bas Couwenberg
gitlab at salsa.debian.org
Sat Aug 22 06:43:34 BST 2020
Bas Couwenberg pushed to branch master at Debian Nagios Maintainer Group / pkg-icingaweb2
Commits:
44f4ccb8 by Bas Couwenberg at 2020-08-22T07:12:42+02:00
New upstream version 2.8.2
- - - - -
b840520f by Bas Couwenberg at 2020-08-22T07:13:17+02:00
Update upstream source from tag 'upstream/2.8.2'
Update to upstream version '2.8.2'
with Debian dir a014fbf335ab7f3a44bb8dab6ef5e7b55d6d8c0e
- - - - -
e498f25e by Bas Couwenberg at 2020-08-22T07:15:16+02:00
New upstream release.
- Fixes CVE-2020-24368.
(closes: #968833)
- - - - -
0b03d789 by Bas Couwenberg at 2020-08-22T07:25:33+02:00
Update uglifyjs options for 3.10.1.
- - - - -
79ceaecd by Bas Couwenberg at 2020-08-22T07:38:43+02:00
Update lintian overrides.
- - - - -
9b029889 by Bas Couwenberg at 2020-08-22T07:38:43+02:00
Set distribution to unstable.
- - - - -
17 changed files:
- CHANGELOG.md
- VERSION
- application/VERSION
- application/controllers/StaticController.php
- debian/changelog
- + debian/icingacli.lintian-overrides
- debian/icingaweb2.lintian-overrides
- debian/php-icinga.lintian-overrides
- debian/uglify/Makefile
- library/Icinga/Application/Version.php
- modules/doc/module.info
- modules/migrate/module.info
- modules/monitoring/library/Monitoring/Backend/Ido/Query/IdoQuery.php
- modules/monitoring/module.info
- modules/setup/module.info
- modules/test/module.info
- modules/translation/module.info
Changes:
=====================================
CHANGELOG.md
=====================================
@@ -4,6 +4,27 @@ Please make sure to always read our [Upgrading](doc/80-Upgrading.md) documentati
## What's New
+### What's New in Version 2.8.2
+
+**Notice**: This is a security release. It is recommended to immediately upgrade to this release.
+
+You can find all issues related to this release on the respective [milestone](https://github.com/Icinga/icingaweb2/milestone/62?closed=1).
+
+#### Path Traversal Vulnerability
+
+The vulnerability in question allows an attacker to access arbitrary files which are readable by the process running
+Icinga Web 2. Technical details can be found at the corresponding [CVE-2020-24368](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24368)
+and in the issue below.
+
+* Possible path traversal when serving static image files [#4226](https://github.com/Icinga/icingaweb2/issues/4226)
+
+#### Broken Negated Filters with PostgreSQL
+
+We've also included a small non-security related fix. Searching for e.g. `servicegroup!=support` leads to an error
+instead of the desired result when using a PostgreSQL database.
+
+* Single negated membership filter fails with PostgreSQL [#4196](https://github.com/Icinga/icingaweb2/issues/4196)
+
### What's New in Version 2.8.1
You can find all issues related to this release on the respective [milestone](https://github.com/Icinga/icingaweb2/milestone/61?closed=1).
=====================================
VERSION
=====================================
@@ -1 +1 @@
-v2.8.1
+v2.8.2
=====================================
application/VERSION
=====================================
@@ -1 +1 @@
-233bd29e4104125b4e5ef631e8c16dde33dadd9a 2020-06-29 10:28:41 +0200
+8a89839af94a247ee2149b2336c73b8251b477c0 2020-08-17 16:14:11 +0200
=====================================
application/controllers/StaticController.php
=====================================
@@ -68,16 +68,16 @@ class StaticController extends Controller
*/
public function imgAction()
{
- $moduleRoot = Icinga::app()
+ $imgRoot = Icinga::app()
->getModuleManager()
->getModule($this->getParam('module_name'))
- ->getBaseDir();
+ ->getBaseDir() . '/public/img/';
$file = $this->getParam('file');
- $filePath = realpath($moduleRoot . '/public/img/' . $file);
+ $filePath = realpath($imgRoot . $file);
- if ($filePath === false) {
- $this->httpNotFound('%s does not exist', $filePath);
+ if ($filePath === false || substr($filePath, 0, strlen($imgRoot)) !== $imgRoot) {
+ $this->httpNotFound('%s does not exist', $file);
}
if (preg_match('/\.([a-z]+)$/i', $file, $m)) {
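Review bot: the prefix check on the `+ if ($filePath === false || substr($filePath, 0, strlen($imgRoot)) !== $imgRoot)` line compares a `realpath()`-resolved `$filePath` against an unresolved `$imgRoot`, so if any component of the module base directory is a symlink the resolved path will never start with `$imgRoot` and every image request answers 404; resolve the root once (e.g. `$imgRoot = realpath(... . '/public/img') . '/';`, guarding against `realpath()` returning `false`) and keep the trailing separator, which is what stops a sibling directory such as `img2` from passing the prefix test. Reporting the request parameter `$file` instead of the resolved `$filePath` in the 404 message is the right change, since the response no longer echoes server-side paths.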
=====================================
debian/changelog
=====================================
@@ -1,3 +1,14 @@
+icingaweb2 (2.8.2-1) unstable; urgency=high
+
+ * Team upload.
+ * New upstream release.
+ - Fixes CVE-2020-24368.
+ (closes: #968833)
+ * Update uglifyjs options for 3.10.1.
+ * Update lintian overrides.
+
+ -- Bas Couwenberg <sebastic at debian.org> Sat, 22 Aug 2020 07:16:12 +0200
+
icingaweb2 (2.8.1-1) unstable; urgency=medium
* Team upload.
=====================================
debian/icingacli.lintian-overrides
=====================================
@@ -0,0 +1,3 @@
+# Upstream doesn't provide manpages
+no-manual-page *
+
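Review bot: the new override file ends with an empty line (the last `+` line of the hunk); drop it so the file matches the other lintian-overrides files in debian/.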
=====================================
debian/icingaweb2.lintian-overrides
=====================================
@@ -11,6 +11,7 @@ font-outside-font-dir usr/share/icingaweb2/public/font/ifont.*
# Not guarateerd compatible
embedded-javascript-library * please use libjs-jquery*
embedded-javascript-library * please use libjs-normalize
+embedded-php-library * please use php-htmlpurifier
# Embedded module documentation
package-contains-documentation-outside-usr-share-doc usr/share/icingaweb2/doc/*
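Review bot: the new `+embedded-php-library * please use php-htmlpurifier` override silences the tag but not the consequence it warns about: the embedded copy of HTMLPurifier will not receive fixes shipped through the Debian `php-htmlpurifier` package, so a follow-up should either build against the packaged library or record the embedded version so it can be tracked for advisories. The context line `# Not guarateerd compatible` also carries a typo (`guaranteed`), here and in debian/php-icinga.lintian-overrides.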
=====================================
debian/php-icinga.lintian-overrides
=====================================
@@ -1,3 +1,4 @@
# Not guarateerd compatible
embedded-php-library * please use libmarkdown-php
+embedded-php-library * please use php-htmlpurifier
=====================================
debian/uglify/Makefile
=====================================
@@ -7,7 +7,7 @@ SOURCE_PATH = ../../public/js/vendor
SOURCES = jquery-3.4.1.js jquery-migrate-3.1.0.js jquery.sparkline.js
FILES = $(patsubst %.js,%.min.js,$(SOURCES))
-UGLIFY_OPTS = -m "toplevel=true" -r '$$,require,exports' -c "hoist_funs=false,loops=false,unused=false"
+UGLIFY_OPTS = -m "toplevel=true" -m reserved=['$$','require','exports'] -c "hoist_funs=false,loops=false,unused=false"
CAN_UGLIFYJS := $(shell command -v uglifyjs 2>/dev/null)
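Review bot: in the new `+UGLIFY_OPTS` line the value `reserved=['$$','require','exports']` is unquoted at the shell level, so after make turns `$$` into `$` the shell sees `reserved=['$','require','exports']`, whose unquoted `[` and `]` make the word a glob pattern; it only reaches uglifyjs intact because nothing in the build directory matches it. Quote the whole value, and since uglify-js 3 accepts a comma-separated option list for a single `-m`, the two mangle flags can be combined: `-m "toplevel=true,reserved=['$$','require','exports']"`. Dropping `-r` is correct, as that flag no longer exists in uglify-js 3.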
=====================================
library/Icinga/Application/Version.php
=====================================
@@ -8,7 +8,7 @@ namespace Icinga\Application;
*/
class Version
{
- const VERSION = '2.8.1';
+ const VERSION = '2.8.2';
/**
* Get the version of this instance of Icinga Web 2
=====================================
modules/doc/module.info
=====================================
@@ -1,4 +1,4 @@
Module: doc
-Version: 2.8.1
+Version: 2.8.2
Description: Documentation module
Extracts, shows and exports documentation for Icinga Web 2 and its modules.
=====================================
modules/migrate/module.info
=====================================
@@ -1,5 +1,5 @@
Module: migrate
-Version: 2.8.1
+Version: 2.8.2
Description: Migrate module
This module was introduced with the domain-aware authentication feature in version 2.5.0.
It helps you migrating users and user configurations according to a given domain.
=====================================
modules/monitoring/library/Monitoring/Backend/Ido/Query/IdoQuery.php
=====================================
@@ -572,7 +572,7 @@ abstract class IdoQuery extends DbQuery
$column = $subQuery->aliasToColumnName($alias);
if (isset($this->caseInsensitiveColumns[$subQuery->aliasToTableName($alias)][$alias])) {
$column = 'LOWER( ' . $column . ' )';
- $subQueryFilter->setExpression(array_map('strtolower', $subQueryFilter->getExpression()));
+ $subQueryFilter->setExpression(array_map('strtolower', (array) $subQueryFilter->getExpression()));
}
$additional = null;
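Review bot: the `(array)` cast on the `+` line stops `array_map()` from being handed a scalar when `getExpression()` returns a single value (the single negated membership filter from #4196), but it also changes what `setExpression()` receives in that case from a string to a one-element array; confirm that the sub-query filter renders a one-element array the same way as the scalar on both MySQL and PostgreSQL, and add a regression test with a single `!=` group membership filter against PostgreSQL.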
=====================================
modules/monitoring/module.info
=====================================
@@ -1,5 +1,5 @@
Module: monitoring
-Version: 2.8.1
+Version: 2.8.2
Description: Icinga monitoring module
IDO accessor and UI for your monitoring. This is the initial instalment for a
graphical presentation of Icinga environments. The predecessor of Icinga DB.
=====================================
modules/setup/module.info
=====================================
@@ -1,5 +1,5 @@
Module: setup
-Version: 2.8.1
+Version: 2.8.2
Description: Setup module
Web based wizard for setting up Icinga Web 2 and its modules.
This includes the data backends (e.g. relational database, LDAP),
=====================================
modules/test/module.info
=====================================
@@ -1,5 +1,5 @@
Module: test
-Version: 2.8.1
+Version: 2.8.2
Description: Translation module
This module allows developers to run (unit) tests against Icinga Web 2 and
any of its modules. Usually you do not need to enable this.
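Review bot: only the version line changes here, but the context line `Description: Translation module` is wrong for `Module: test` (it duplicates the translation module's description, the body text describes the test module); worth reporting upstream rather than carrying a Debian patch.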
=====================================
modules/translation/module.info
=====================================
@@ -1,5 +1,5 @@
Module: translation
-Version: 2.8.1
+Version: 2.8.2
Description: Translation module
This module allows developers and translators to translate Icinga Web 2 and
its modules for multiple languages. You do not need this module to run an
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-icingaweb2/-/compare/b66d3fb2b3643a4b437fdda151d9e5af9751a367...9b0298893aa098b1030a7e2d8daa2ca85f1c27f3