[pkg-nagios-changes] [Git][nagios-team/pkg-icingaweb2][upstream] New upstream version 2.8.2

Bas Couwenberg gitlab at salsa.debian.org
Sat Aug 22 06:43:37 BST 2020 


Bas Couwenberg pushed to branch upstream at Debian Nagios Maintainer Group / pkg-icingaweb2


Commits:
44f4ccb8 by Bas Couwenberg at 2020-08-22T07:12:42+02:00
New upstream version 2.8.2
- - - - -


12 changed files:

- CHANGELOG.md
- VERSION
- application/VERSION
- application/controllers/StaticController.php
- library/Icinga/Application/Version.php
- modules/doc/module.info
- modules/migrate/module.info
- modules/monitoring/library/Monitoring/Backend/Ido/Query/IdoQuery.php
- modules/monitoring/module.info
- modules/setup/module.info
- modules/test/module.info
- modules/translation/module.info


Changes:

=====================================
CHANGELOG.md
=====================================
@@ -4,6 +4,27 @@ Please make sure to always read our [Upgrading](doc/80-Upgrading.md) documentati
 
 ## What's New
 
+### What's New in Version 2.8.2
+
+**Notice**: This is a security release. It is recommended to immediately upgrade to this release.
+
+You can find all issues related to this release on the respective [milestone](https://github.com/Icinga/icingaweb2/milestone/62?closed=1).
+
+#### Path Traversal Vulnerability
+
+The vulnerability in question allows an attacker to access arbitrary files which are readable by the process running
+Icinga Web 2. Technical details can be found at the corresponding [CVE-2020-24368](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24368)
+and in the issue below.
+
+* Possible path traversal when serving static image files [#4226](https://github.com/Icinga/icingaweb2/issues/4226)
+
+#### Broken Negated Filters with PostgreSQL
+
+We've also included a small non-security related fix. Searching for e.g. `servicegroup!=support` leads to an error
+instead of the desired result when using a PostgreSQL database.
+
+* Single negated membership filter fails with PostgreSQL [#4196](https://github.com/Icinga/icingaweb2/issues/4196)
+
 ### What's New in Version 2.8.1
 
 You can find all issues related to this release on the respective [milestone](https://github.com/Icinga/icingaweb2/milestone/61?closed=1).


=====================================
VERSION
=====================================
@@ -1 +1 @@
-v2.8.1
+v2.8.2


=====================================
application/VERSION
=====================================
@@ -1 +1 @@
-233bd29e4104125b4e5ef631e8c16dde33dadd9a 2020-06-29 10:28:41 +0200
+8a89839af94a247ee2149b2336c73b8251b477c0 2020-08-17 16:14:11 +0200


=====================================
application/controllers/StaticController.php
=====================================
@@ -68,16 +68,16 @@ class StaticController extends Controller
      */
     public function imgAction()
     {
-        $moduleRoot = Icinga::app()
+        $imgRoot = Icinga::app()
             ->getModuleManager()
             ->getModule($this->getParam('module_name'))
-            ->getBaseDir();
+            ->getBaseDir() . '/public/img/';
 
         $file = $this->getParam('file');
-        $filePath = realpath($moduleRoot . '/public/img/' . $file);
+        $filePath = realpath($imgRoot . $file);
 
-        if ($filePath === false) {
-            $this->httpNotFound('%s does not exist', $filePath);
+        if ($filePath === false || substr($filePath, 0, strlen($imgRoot)) !== $imgRoot) {
+            $this->httpNotFound('%s does not exist', $file);
         }
 
         if (preg_match('/\.([a-z]+)$/i', $file, $m)) {


=====================================
library/Icinga/Application/Version.php
=====================================
@@ -8,7 +8,7 @@ namespace Icinga\Application;
  */
 class Version
 {
-    const VERSION = '2.8.1';
+    const VERSION = '2.8.2';
 
     /**
      * Get the version of this instance of Icinga Web 2


=====================================
modules/doc/module.info
=====================================
@@ -1,4 +1,4 @@
 Module: doc
-Version: 2.8.1
+Version: 2.8.2
 Description: Documentation module
  Extracts, shows and exports documentation for Icinga Web 2 and its modules.


=====================================
modules/migrate/module.info
=====================================
@@ -1,5 +1,5 @@
 Module: migrate
-Version: 2.8.1
+Version: 2.8.2
 Description: Migrate module
  This module was introduced with the domain-aware authentication feature in version 2.5.0.
  It helps you migrating users and user configurations according to a given domain.


=====================================
modules/monitoring/library/Monitoring/Backend/Ido/Query/IdoQuery.php
=====================================
@@ -572,7 +572,7 @@ abstract class IdoQuery extends DbQuery
         $column = $subQuery->aliasToColumnName($alias);
         if (isset($this->caseInsensitiveColumns[$subQuery->aliasToTableName($alias)][$alias])) {
             $column = 'LOWER( ' . $column . ' )';
-            $subQueryFilter->setExpression(array_map('strtolower', $subQueryFilter->getExpression()));
+            $subQueryFilter->setExpression(array_map('strtolower', (array) $subQueryFilter->getExpression()));
         }
 
         $additional = null;


=====================================
modules/monitoring/module.info
=====================================
@@ -1,5 +1,5 @@
 Module: monitoring
-Version: 2.8.1
+Version: 2.8.2
 Description: Icinga monitoring module
  IDO accessor and UI for your monitoring. This is the initial instalment for a
  graphical presentation of Icinga environments. The predecessor of Icinga DB.


=====================================
modules/setup/module.info
=====================================
@@ -1,5 +1,5 @@
 Module: setup
-Version: 2.8.1
+Version: 2.8.2
 Description: Setup module
  Web based wizard for setting up Icinga Web 2 and its modules.
  This includes the data backends (e.g. relational database, LDAP),


=====================================
modules/test/module.info
=====================================
@@ -1,5 +1,5 @@
 Module: test
-Version: 2.8.1
+Version: 2.8.2
 Description: Translation module
  This module allows developers to run (unit) tests against Icinga Web 2 and
  any of its modules. Usually you do not need to enable this.


=====================================
modules/translation/module.info
=====================================
@@ -1,5 +1,5 @@
 Module: translation
-Version: 2.8.1
+Version: 2.8.2
 Description: Translation module
  This module allows developers and translators to translate Icinga Web 2 and
  its modules for multiple languages. You do not need this module to run an



View it on GitLab: https://salsa.debian.org/nagios-team/pkg-icingaweb2/-/commit/44f4ccb83886db13d4965a4dd7721fcd50bd933c

-- 
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-icingaweb2/-/commit/44f4ccb83886db13d4965a4dd7721fcd50bd933c
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-nagios-changes/attachments/20200822/cc9b1e99/attachment-0001.html>

More information about the pkg-nagios-changes mailing list