[Pkg-nagios-devel] Bug#1087384: Bug#1087384: CVE-2024-49369: Security: fix TLS certificate validation bypass.
Lorenz
lorenz at vulgrim.de
Sun Dec 1 21:10:24 GMT 2024
Hi,
Sorry to be annoying here, but I just discovered that the stable version
is still vulnerable.
On Fri, 15 Nov 2024 05:12:08 +0100 Sebastiaan Couwenberg
<sebastic at xs4all.nl> wrote:
> On 11/14/24 9:05 PM, Louis-Philippe Véronneau wrote:
> > I think this bug should be reopen and a security upload should be made ASAP to fix this critical issue.
>
> It's not that critical, to quote the security tracker:
>
> "
> [bookworm] - icinga2 <no-dsa> (Will be fixed via point release; Only affects deployments with access to Icinga API via client certificates)
> "
The security tracker is wrong here, this bug affects (in all likelihood)
many if not most Icinga setups.
Any setup where the Icinga2 API is exposed to the network is vulnerable,
there is no need for an explicit API user with client certificates
configured.
Icinga 2 uses the same authentication mechanism for communication in an
Icinga setup, meaning between different nodes (Icinga 2 instances,
satellites/agents), and it uses certificate-based authentication for
that. [0][1]
I just wanted to put some weight on the significance of this problem.
>
> The bookworm-pu has been submitted:
>
> https://bugs.debian.org/1087411
>
> You can build the bookworm branch yourself if you want to deploy the fix sooner:
>
> https://salsa.debian.org/nagios-team/icinga2/-/tree/bookworm?ref_type=heads
>
> Kind Regards,
>
> Bas
Kind regards
Lorenz Kästle
[0] https://icinga.com/blog/critical-icinga-2-security-releases-2-14-3/
[1]
https://icinga.com/blog/uncovering-a-client-certificate-verification-bypass-in-icinga/