Icinga Web 2 Version 2.7.6

What's New in Version 2.7.6

This release only contains a single fix for flattened custom variables. #4439

Icinga Web Version 2.9.0

What's New in Version 2.9.0

You can find all issues related to this release on our Roadmap.

Please make sure to also check the respective upgrading section in the documentation.

This release is accompanied by the minor releases v2.7.5 and v2.8.3 which include the security fixes mentioned below.

Icinga DB

We continue our endeavour soon. Icinga Web 2 is still a crucial part of it and this update is again required
for Icinga DB. If you like to participate again, don't forget to update Icinga Web 2 as well.

Security Fixes

This release includes two security related fixes. Both were published as part of a security advisory on Github.
They allow the circumvention of custom variable protection rules and blacklists as well as a path traversal if
the doc module is enabled. Please check the respective advisory for details.

• Custom variable protection and blacklists can be circumvented GHSA-2xv9-886q-p7xx
• Possible path traversal by use of the doc module GHSA-cmgc-h4cx-3v43

RBAC, The Elephant In Icinga Web 2

Role Based Access Control, for the non-initiated. I'll make it short: Permission refusals, Role inheritance,
Privilege Audit. Icinga DB will also solve the long-standing issue #2455 and also allows #3349 and #3550.
I've also written a blog post about this very topic: https://icinga.com/blog/2021/04/07/web-access-control-redefined/

• Authorization enhancements #4306
• Audit View #4336
• Highlight modules with permissions set inside a role #4241

Support for PHP 8

PHP 8 is released and with Icinga Web 2.9 it will now (hopefully) work flawlessly. We also took the chance
to prepare to drop the support of some legacy PHP versions. We now require PHP 7.3 at a minimum and all
versions below that will not be supported anymore with the release of v2.11.

• Support PHP 8 #4289
• Raise minimum required PHP version to 7.3 #4397

Stay, Be Remembered

Have you ever been disappointed that Icinga Web 2 always forgets you after closing your browser? This is in
your hands now! Just tick the new checkbox on the login screen and Icinga Web 2 doesn't forget your presence
anymore. Unless of course the administrator or you on a different device clears your session.

• Implement a "remember me" feature #2495

It Does Matter, When

Browsers are bad when it's about date and time inputs. (I'm looking at you Mozilla!) Now we've given our hopes
up and use a specifically invented solution to show you a date and time picker throughout every browser. With
Icinga v2.13 onwards you will also be able to use this when defining an expiry date for comments! Though, you
might not necessarily use it that often once you've configured new custom defaults for downtime endings.

• Add datetime picker widget #4354
• Expire Option for Comments #3447
• Custom defaults for downtime end, comment and duration #4364

Icinga Web 2 Version 2.8.3

What's New in Version 2.8.3

Notice: This is a security release. It is recommended to upgrade to this release if you don't plan to upgrade to v2.9.0.

You can find all fixes related to this release on our Project.

Security Fixes

This release includes two security related fixes. Both were published as part of a security advisory on Github.
They allow the circumvention of custom variable protection rules and blacklists as well as a path traversal if
the doc module is enabled. Please check the respective advisory for details.

• Custom variable protection and blacklists can be circumvented GHSA-2xv9-886q-p7xx
• Possible path traversal by use of the doc module GHSA-cmgc-h4cx-3v43

Icinga Web 2 Version 2.7.5

What's New in Version 2.7.5

Notice: This is a security release. It is recommended to upgrade to this release if you don't plan to upgrade to v2.9.0.

You can find all fixes related to this release on our Project.

Security Fixes

This release includes two security related fixes. Both were published as part of a security advisory on Github.
They allow the circumvention of custom variable protection rules and blacklists as well as a path traversal if
the doc module is enabled. Please check the respective advisory for details.

• Custom variable protection and blacklists can be circumvented GHSA-2xv9-886q-p7xx
• Possible path traversal by use of the doc module GHSA-cmgc-h4cx-3v43

Icinga Web 2 v2.8.2

What's New in Version 2.8.2

Notice: This is a security release. It is recommended to immediately upgrade to this release.

You can find all issues related to this release on the respective milestone.

Path Traversal Vulnerability

The vulnerability in question allows an attacker to access arbitrary files which are readable by the process running Icinga Web 2. Technical details can be found at the corresponding CVE-2020-24368 and in the issue below.

• Possible path traversal when serving static image files #4226

Broken Negated Filters with PostgreSQL

We've also included a small non-security related fix. Searching for e.g. servicegroup!=support leads to an error instead of the desired result when using a PostgreSQL database.

• Single negated membership filter fails with PostgreSQL #4196

Icinga Web 2 Version 2.7.4

What's New in Version 2.7.4

Notice: This is a security release. It is recommended to immediately upgrade to this release.

Path Traversal Vulnerability

The vulnerability in question allows an attacker to access arbitrary files which are readable by the process running Icinga Web 2. Technical details can be found at the corresponding CVE-2020-24368 and in the issue below.

• Possible path traversal when serving static image files #4226

Upgrading from 2.7.x

RHEL/SLES:
yum install icingaweb2*2.7.4 icingacli-2.7.4 php-Icinga-2.7.4

Debian/Ubuntu:
apt-get upgrade icingaweb2=2.7.4-1.* icingaweb2-common=2.7.4-1.* php-icinga=2.7.4-1.*

Icinga Web 2 Version 2.6.4

What's New in Version 2.6.4

Notice: This is a security release. It is recommended to immediately upgrade to this release.

Path Traversal Vulnerability

The vulnerability in question allows an attacker to access arbitrary files which are readable by the process running Icinga Web 2. Technical details can be found at the corresponding CVE-2020-24368 and in the issue below.

• Possible path traversal when serving static image files #4226

Upgrading from 2.6.x

RHEL/SLES:
yum install icingaweb2*2.6.4 icingacli-2.6.4 php-Icinga-2.6.4

Debian/Ubuntu:
apt-get upgrade icingaweb2=2.6.4-1.* icingaweb2-common=2.6.4-1.* php-icinga=2.6.4-1.*

Icinga Web 2

What's New in Version 2.8.1

You can find all issues related to this release on the respective milestone.

Case Sensitivity Problems

A fix in v2.8.0 led to users being not able to login if they got their username's case wrong. A hostgroup name's case
has also been incorrectly taken into account despite using a CI labelled column in the servicegrid and other lists.

• Login usernames now case sensitive in 2.8 #4184
• Case insensitive hostgroup filter in service grid not working #4178

Issues With Numbers

An attempt to avoid misrepresenting environments in the tactical overview had an opposite effect by showing negative
numbers. Filtering for timestamps in the event history also showed no results because our filters couldn't cope with
plain numbers anymore.

• Tactical overview showing "-1 pending" hosts #4174
• Timestamp filters not working correctly in history views #4182

Icinga Web 2 Version 2.8.0

What's New in Version 2.8.0

You can find all issues related to this release on our Roadmap.

Icinga DB

It's happening. Yes. Our latest achievement is now available for those who are willing to participate in this enormous
endeavour. Icinga Web 2 is also a crucial part of it and accompanies the first release of Icinga DB. If you like
to participate, don't forget to update Icinga Web 2 as well.

Support for PHP 7.4 and MySQL 8

We also made sure that you won't be disappointed by Icinga Web 2 if you're running PHP 7.4 or trying to access a MySQL
database with version 8+. These should pose no issues anymore now. But if you still somehow managed to get issues
please let us now and we'll fix it asap.

• Exceptions with MySQL 8 #3740
• Support for PHP 7.4 #4009

Find What You Search For

It's been previously not possible to properly filter for range values. This was especially true for custom variables
where, if you searched for e.g. _host_interfaces>=20, you wouldn't find the correct results. If you often copy some
values in our search fields you may also been a victim of extraneous spaces which are now automatically trimmed.

• Filter: more/less than doesn't seem to working #3974
• Search object followed by a space finds no results #4002

Don't Leave Your Little Sheep Unattended

It's time again to further restrict your users. It's now possible to completely block any access to contacts and
contactgroups for specific roles. These won't ever see again who's notified and who's not. Also, if you are using
single accounts for a group of people you can now disable password changes for those.

• Prohibit access to contacts and contactgroups #3973
• Allow to forbid password changes on specific user accounts #3286

In and Out, Access Control Done Right

While we have no burgers (but cookies!) you are nevertheless welcome to visit Icinga Web 2. And now you can also
successfully leave while being externally authenticated and unsuccessfully enter while being unable to not add
extraneous spaces to your username.

• External logout not working from the navigation dashboard #3995
• Username with extraneous spaces are not invalid #4030

Icinga Web 2 Version 2.8.0-rc1

What's New in Version 2.8.0-rc1

You can find all issues related to this release on our Roadmap.

Icinga DB

It's happening. Yes. Our latest hot shit is now available for those who are willing to participate in this enormous
endeavour. Icinga Web 2 is also a crucial part of it and accompanies the 1.0-rc1 release of Icinga DB. If you like
to participate, don't forget to update Icinga Web 2 as well.

Support For Even More Hot Shit

We also made sure that you won't be disappointed by Icinga Web 2 if you're running PHP 7.4 or trying to access a MySQL
database with version 8+. These should pose no issues anymore now. But if you still somehow managed to get issues
please let us now and we'll fix it asap.

• Exceptions with MySQL 8 #3740
• Support for PHP 7.4 #4009

Find What You Search For

It's been previously not possible to properly filter for range values. This was especially true for custom variables
where, if you searched for e.g. _host_interfaces>=20, you wouldn't find the correct results. If you often copy some
values in our search fields you may also been a victim of extraneous spaces which are now automatically trimmed.

• Filter: more/less than doesn't seem to working #3974
• Search object followed by a space finds no results #4002

Don't Leave Your Little Sheep Unattended

It's time again to further restrict your users. It's now possible to completely block any access to contacts and
contactgroups for specific roles. These won't ever see again who's notified and who's not. Also, if you are using
single accounts for a group of people you can now disable password changes for those.

• Prohibit access to contacts and contactgroups #3973
• Allow to forbid password changes on specific user accounts #3286

In and Out, Access Control Done Right

While we have no burgers (but cookies!) you are nevertheless welcome to visit Icinga Web 2. And now you can also
successfully leave while being externally authenticated and unsuccessfully enter while being unable to not add
extraneous spaces to your username.

• External logout not working from the navigation dashboard #3995
• Username with extraneous spaces are not invalid #4030