mirror of
https://github.com/Icinga/icinga2.git
synced 2026-02-03 20:40:17 -05:00
Merge pull request #10709 from Icinga/security-2.15.2
Some checks failed
Linux / alpine:bash (push) Has been cancelled
Linux / amazonlinux:2 (push) Has been cancelled
Linux / amazonlinux:2023 (push) Has been cancelled
Linux / debian:11 (linux/386) (push) Has been cancelled
Linux / debian:11 (push) Has been cancelled
Linux / debian:12 (linux/386) (push) Has been cancelled
Linux / debian:12 (push) Has been cancelled
Linux / debian:13 (push) Has been cancelled
Linux / fedora:41 (push) Has been cancelled
Linux / fedora:42 (push) Has been cancelled
Linux / fedora:43 (push) Has been cancelled
Linux / opensuse/leap:15.6 (push) Has been cancelled
Linux / registry.suse.com/bci/bci-base:16.0 (push) Has been cancelled
Linux / registry.suse.com/suse/sle15:15.6 (push) Has been cancelled
Linux / registry.suse.com/suse/sle15:15.7 (push) Has been cancelled
Linux / rockylinux/rockylinux:10 (push) Has been cancelled
Linux / rockylinux:8 (push) Has been cancelled
Linux / rockylinux:9 (push) Has been cancelled
Linux / ubuntu:22.04 (push) Has been cancelled
Linux / ubuntu:24.04 (push) Has been cancelled
Linux / ubuntu:25.04 (push) Has been cancelled
Linux / ubuntu:25.10 (push) Has been cancelled
Windows / Windows (push) Has been cancelled
Merge changes from private security fork (`v2.15.2`)
commit a0deaf0e2c
2 changed files with 14 additions and 3 deletions
@ -9,8 +9,12 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
|
|||
|
||||
## 2.15.2 (2026-01-29)
|
||||
|
||||
Additionally, it includes two minor bug fixes regarding SELinux policies and the OpenSSL version shipped on Windows.
|
||||
This security release fixes a problem in the Icinga 2 Windows MSI that did not
|
||||
set proper permissions for `%ProgramData%\icinga2\var`. Additionally, it includes
|
||||
two minor bug fixes regarding our SELinux policy and updates the OpenSSL version
|
||||
shipped on Windows.
|
||||
|
||||
* CVE-2026-24413: Fix permissions of `%ProgramData%\icinga2\var` on Windows.
|
||||
* Windows: Update to OpenSSL 3.0.19. #10706
|
||||
* SELinux: Fix policy to allow `logrotate` to execute the `icinga2` binary in order to send `SIGUSR1` for log rotation. #10643
|
||||
* SELinux: Fix policy to allow `icinga2` to send `SIGTERM` to nagios plugins processes on timeout. #10694
|
||||
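Review bot: the CVE-2026-24413 bullet is the only entry in this list without a reference, and neither it nor the paragraph above tells an administrator what "proper permissions" means or whether an upgrade alone corrects an existing installation. Consider naming the principals that keep access to `%ProgramData%\icinga2\var` after the fix and linking the published advisory, the way the other bullets link their pull requests (#10706, #10643, #10694).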
@ -270,8 +270,15 @@ static int InstallIcinga(void)
|
|||
// TODO: In Icinga 2.14, rename features-available/mainlog.conf to mainlog.conf.deprecated
|
||||
// so that it's no longer listed as an available feature.
|
||||
|
||||
ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m");
|
||||
ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
|
||||
if (!ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m")){
|
||||
throw std::runtime_error("failed to set ACLs for " + dataDir);
|
||||
}
|
||||
if (!ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f")) {
|
||||
throw std::runtime_error("failed to set ACLs for " + dataDir + "\\etc");
|
||||
}
|
||||
if (!ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f")) {
|
||||
throw std::runtime_error("failed to set ACLs for " + dataDir + "\\var");
|
||||
}
|
||||
|
||||
ExecuteIcingaCommand("--scm-install daemon");
|
||||
|
||||
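Review bot: the new `icacls` call for `dataDir + "\\var"` changes only the ACL of the directory itself (`/inheritance:r /grant:r`, no `/t`), so files and subdirectories that already exist under `var` from an earlier installation and carry explicit ACEs or a non-administrative owner keep them after the upgrade. Consider resetting or rewriting the ACLs of existing children as part of the upgrade path, and note that `dataDir` itself is still extended with a plain `/grant` and continues to inherit from its parent, so any directory other than `etc` and `var` created directly under it is not covered by this lockdown. Two smaller points: `InstallIcinga` is declared `static int`, so it is worth confirming that the caller catches `std::runtime_error` and turns it into a failed install instead of an unhandled exception, and the first `if` reads `")){` while the other two use `")) {`. The three near-identical blocks could also be a small helper that takes the path and the `icacls` arguments.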