Version 2.11.8 resolves a security vulnerability with revoked certificates being
renewed automatically ignoring the CRL.
This version also resolves issues with high load on Windows regarding the config sync
and not being able to disable/enable Icinga 2 features over the API.
Security
- Fix that revoked certificates due for renewal will automatically be renewed ignoring the CRL (Advisory / CVE-2020-29663)
When a CRL is specified in the ApiListener configuration, Icinga 2 only used it
when connections were established so far, but not when a certificate is requested.
This allows a node to automatically renew a revoked certificate if it meets the
other conditions for auto renewal (issued before 2017 or expires in less than 30 days).
Because Icinga 2 currently (v2.12.3 and earlier) uses a validity duration of 15 years,
this only affects setups with external certificate signing and revoked certificates
that expire in less then 30 days.
Bugfixes
- Improve config sync locking - resolves high load issues on Windows #8510
- Fix runtime config updates being ignored for objects without zone #8550
- Use proper buffer size for OpenSSL error messages #8543
Enhancements
- On checkable recovery: re-check children that have a problem #8560