@@ -9,15 +9,29 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
99
1010## 2.13.13 (2025-10-16)
1111
12- This version includes a fix for sending signals and updates dependencies used
13- in Windows builds.
12+ This release fixes multiple security issues. Two of them allow authenticated
13+ API users to learn restricted information or crash Icinga 2. A third issue
14+ affects the scripts provided with Icinga 2 and allows a limited privilege
15+ escalation where the Icinga 2 daemon user can trick root into sending signals to
16+ arbitrary processes.
1417
1518Note that one fix affects the logrotate configuration. If it was modified
1619locally, it might not be updated automatically by the package manager and
1720applying the changes manually is necessary. For details, please check the
1821[upgrading docs](https://icinga.com/docs/icinga-2/latest/doc/16-upgrading-icinga-2/#upgrading-to-2-15-1).
1922
20- * Don't send signals as root in safe-reload script and logrotate config. #10601
23+ * CVE-2025-61907: Prevent API users from accessing variables and objects they
24+ don't have access to within filter expressions. This allowed authenticated
25+ API users to learn information they aren't allowed to access directly. In this
26+ version this also applies to the TicketSalt variable which was previously
27+ accessible through the /v1/variables API in this version.
28+ * CVE-2025-61908: Add a missing null pointer check while evaluating
29+ expressions. This allowed authenticated API users to crash the Icinga 2
30+ daemon by supplying a crafted filter expression.
31+ * CVE-2025-61909: Don't send signals as root in safe-reload script and
32+ logrotate config. This allowed a limited privilege escalation from the Icinga
33+ 2 service user to root. The scope is limited to sending SIGHUP or SIGUSR1 to
34+ an arbitrary process. #10601
2135* Windows: Update to OpenSSL 3.0.18. #10602
2236* Windows: upgrade build toolchain to Visual Studio 2022. #10598
2337
0 commit comments