[pkg-nagios-changes] [Git][nagios-team/icinga2][master] 5 commits: New upstream version 2.14.3

Bas Couwenberg (@sebastic) gitlab at salsa.debian.org
Tue Nov 12 17:53:33 GMT 2024



Bas Couwenberg pushed to branch master at Debian Nagios Maintainer Group / icinga2


Commits:
ed7fa7fa by Bas Couwenberg at 2024-11-12T18:24:52+01:00
New upstream version 2.14.3
- - - - -
7fa95e9b by Bas Couwenberg at 2024-11-12T18:25:13+01:00
Update upstream source from tag 'upstream/2.14.3'

Update to upstream version '2.14.3'
with Debian dir 704032096c5781d7e8cace819204327a99d53ad7
- - - - -
ce9d58c6 by Bas Couwenberg at 2024-11-12T18:26:56+01:00
New upstream release.

- Fixes CVE-2024-49369
  (closes: #1087384)

- - - - -
a5e56618 by Bas Couwenberg at 2024-11-12T18:42:28+01:00
Update lintian overrides.

- - - - -
d0143f5a by Bas Couwenberg at 2024-11-12T18:42:28+01:00
Set distribution to unstable.

- - - - -


8 changed files:

- CHANGELOG.md
- ICINGA2_VERSION
- debian/changelog
- debian/icinga2-bin.lintian-overrides
- doc/win-dev.ps1
- lib/base/tlsstream.cpp
- lib/base/tlsstream.hpp
- tools/win32/configure.ps1


Changes:

=====================================
CHANGELOG.md
=====================================
@@ -7,6 +7,15 @@ documentation before upgrading to a new release.
 
 Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed).
 
+## 2.14.3 (2024-11-12)
+
+This security release fixes a TLS certificate validation bypass.
+Given the severity of that issue, users are advised to upgrade all nodes immediately.
+
+* Security: fix TLS certificate validation bypass. CVE-2024-49369
+* Security: update OpenSSL shipped on Windows to v3.0.15.
+* Windows: sign MSI packages with a certificate the OS trusts by default.
+
 ## 2.14.2 (2024-01-18)
 
 Version 2.14.2 is a hotfix release for master nodes that mainly


=====================================
ICINGA2_VERSION
=====================================
@@ -1,2 +1,2 @@
-Version: 2.14.2
+Version: 2.14.3
 Revision: 1


=====================================
debian/changelog
=====================================
@@ -1,12 +1,16 @@
-icinga2 (2.14.2-2) UNRELEASED; urgency=medium
+icinga2 (2.14.3-1) unstable; urgency=high
 
   * Team upload.
+  * New upstream release.
+    - Fixes CVE-2024-49369
+    (closes: #1087384)
   * Replace pkg-config build dependency with pkgconf.
   * Ignore test failures on loong64.
     (closes: #1073041)
   * Bump Standards-Version to 4.7.0, no changes.
+  * Update lintian overrides.
 
- -- Bas Couwenberg <sebastic at debian.org>  Tue, 06 Feb 2024 09:41:11 +0100
+ -- Bas Couwenberg <sebastic at debian.org>  Tue, 12 Nov 2024 18:28:00 +0100
 
 icinga2 (2.14.2-1) unstable; urgency=medium
 


=====================================
debian/icinga2-bin.lintian-overrides
=====================================
@@ -1,3 +1,6 @@
 # This is actually a defined word in the livestatus protocol...
 spelling-error-in-binary childs children [usr/lib/*/icinga2/sbin/icinga2]
 
+# False positive, string not included in source
+spelling-error-in-binary wtH with *
+


=====================================
doc/win-dev.ps1
=====================================
@@ -14,7 +14,7 @@ function ThrowOnNativeFailure {
 $VsVersion = 2019
 $MsvcVersion = '14.2'
 $BoostVersion = @(1, 84, 0)
-$OpensslVersion = '3_0_12'
+$OpensslVersion = '3_0_15'
 
 switch ($Env:BITS) {
 	32 { }


=====================================
lib/base/tlsstream.cpp
=====================================
@@ -18,14 +18,48 @@
 
 using namespace icinga;
 
-bool UnbufferedAsioTlsStream::IsVerifyOK() const
+/**
+ * Checks whether the TLS handshake was completed with a valid peer certificate.
+ *
+ * @return true if the peer presented a valid certificate, false otherwise
+ */
+bool UnbufferedAsioTlsStream::IsVerifyOK()
 {
-	return m_VerifyOK;
+	if (!SSL_is_init_finished(native_handle())) {
+		// handshake was not completed
+		return false;
+	}
+
+	if (GetPeerCertificate() == nullptr) {
+		// no peer certificate was sent
+		return false;
+	}
+
+	return SSL_get_verify_result(native_handle()) == X509_V_OK;
 }
 
-String UnbufferedAsioTlsStream::GetVerifyError() const
+/**
+ * Returns a human-readable error string for situations where IsVerifyOK() returns false.
+ *
+ * If the handshake was completed and a peer certificate was provided,
+ * the string additionally contains the OpenSSL verification error code.
+ *
+ * @return string containing the error message
+ */
+String UnbufferedAsioTlsStream::GetVerifyError()
 {
-	return m_VerifyError;
+	if (!SSL_is_init_finished(native_handle())) {
+		return "handshake not completed";
+	}
+
+	if (GetPeerCertificate() == nullptr) {
+		return "no peer certificate provided";
+	}
+
+	std::ostringstream buf;
+	long err = SSL_get_verify_result(native_handle());
+	buf << "code " << err << ": " << X509_verify_cert_error_string(err);
+	return buf.str();
 }
 
 std::shared_ptr<X509> UnbufferedAsioTlsStream::GetPeerCertificate()
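Review bot: The docstring at the top of the hunk says IsVerifyOK() returns true "if the peer presented a valid certificate", but it does not say when the method may be called or why the GetPeerCertificate() nullptr check just before the SSL_get_verify_result() call is load-bearing: OpenSSL documents that SSL_get_verify_result() reports X509_V_OK when no peer certificate was presented at all, so without that guard a peer that sends no certificate would count as verified. I would extend the comment on that check to `// no peer certificate was sent; SSL_get_verify_result() reports X509_V_OK in that case, so it must not fall through` and add `@note Only meaningful after the handshake completed; the result is recomputed from the SSL object on every call, nothing is cached.` to the docstring. GetVerifyError() repeats the same two guards in the same order; a small private helper returning the failure reason would keep the two methods from drifting apart, though that is a point of style.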
@@ -43,17 +77,17 @@ void UnbufferedAsioTlsStream::BeforeHandshake(handshake_type type)
 
 	set_verify_mode(ssl::verify_peer | ssl::verify_client_once);
 
-	set_verify_callback([this](bool preverified, ssl::verify_context& ctx) {
-		if (!preverified) {
-			m_VerifyOK = false;
-
-			std::ostringstream msgbuf;
-			int err = X509_STORE_CTX_get_error(ctx.native_handle());
-
-			msgbuf << "code " << err << ": " << X509_verify_cert_error_string(err);
-			m_VerifyError = msgbuf.str();
-		}
+	set_verify_callback([](bool preverified, ssl::verify_context& ctx) {
+		(void) preverified;
+		(void) ctx;
 
+		/* Continue the handshake even if an invalid peer certificate was presented. The verification result has to be
+		 * checked using the IsVerifyOK() method.
+		 *
+		 * Such connections are used for the initial enrollment of nodes where they use a self-signed certificate to
+		 * send a certificate request and receive their valid certificate after approval (manually by the administrator
+		 * or using a certificate ticket).
+		 */
 		return true;
 	});
 


=====================================
lib/base/tlsstream.hpp
=====================================
@@ -70,12 +70,12 @@ class UnbufferedAsioTlsStream : public AsioTcpTlsStream
 public:
 	inline
 	UnbufferedAsioTlsStream(UnbufferedAsioTlsStreamParams& init)
-		: AsioTcpTlsStream(init.IoContext, init.SslContext), m_VerifyOK(true), m_Hostname(init.Hostname)
+		: AsioTcpTlsStream(init.IoContext, init.SslContext), m_Hostname(init.Hostname)
 	{
 	}
 
-	bool IsVerifyOK() const;
-	String GetVerifyError() const;
+	bool IsVerifyOK();
+	String GetVerifyError();
 	std::shared_ptr<X509> GetPeerCertificate();
 
 	template<class... Args>
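Review bot: Dropping `const` from IsVerifyOK() and GetVerifyError() is presumably required because native_handle() and GetPeerCertificate() are non-const, but it is a source-incompatible change for any caller that holds a `const UnbufferedAsioTlsStream&`; the build will surface such callers if they exist elsewhere in the tree. The two declarations carry no documentation in the header, so a reader cannot tell that the result is no longer cached; a one-line comment above them such as `// Verification state is read from the SSL object on each call; only meaningful after the handshake completed.` would make that visible without opening the .cpp. The class definition starts and ends outside the hunk.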
@@ -97,8 +97,6 @@ public:
 	}
 
 private:
-	bool m_VerifyOK;
-	String m_VerifyError;
 	String m_Hostname;
 
 	void BeforeHandshake(handshake_type type);


=====================================
tools/win32/configure.ps1
=====================================
@@ -30,7 +30,7 @@ if (-not (Test-Path env:CMAKE_GENERATOR_PLATFORM)) {
   }
 }
 if (-not (Test-Path env:OPENSSL_ROOT_DIR)) {
-  $env:OPENSSL_ROOT_DIR = "c:\local\OpenSSL_3_0_12-Win${env:BITS}"
+  $env:OPENSSL_ROOT_DIR = "c:\local\OpenSSL_3_0_15-Win${env:BITS}"
 }
 if (-not (Test-Path env:BOOST_ROOT)) {
   $env:BOOST_ROOT = "c:\local\boost_1_84_0-Win${env:BITS}"






