github Icinga/icinga2 v2.14.9
Icinga 2 v2.14.9

4 hours ago

This release fixes some critical security vulnerabilities in Icinga 2. Users are advised to upgrade immediately, as two of them allow an unauthenticated attacker to take over or crash the Icinga 2 process over the network. The other security fixes only affect authenticated API users.

In addition, a new permission named filter-expression is introduced, which allows specifying if individual API users are allowed to use DSL filter expressions in API queries. This allows further restricting some API users that don't need this capability, for example, those only submitting individual check results. Due to the incompatibility of this change, enforcement of this permission is opt-in until v2.17; see the upgrading docs for details.

  • Verify that certificate update requests come from an authorized endpoint (GHSA-vj39-ww8j-vvx5)
  • Fix stack overflow due to deeply nested data structures (GHSA-wh38-wg57-5w7g)
  • Prevent arbitrary config injection on object creation via the API (GHSA-jgqj-x5j9-vgcm)
  • Add filter-expression permission to make it possible to prevent API users from using DSL filter expressions
  • Windows: Update bundled OpenSSL to v3.0.21 (#10894)
