Synopsis
The remote openSUSE host is missing a security update.
Description
This update for icingaweb2 to version 2.7.3 fixes the following issues:
icingaweb2 update to 2.7.3:
- Fixed an issue where servicegroups for roles with filtered objects were not available
icingaweb2 update to 2.7.2:
- Performance improvements and bug fixes
icingaweb2 update to 2.7.1:
- Highlight links in the notes of an object
- Fixed an issue where sort rules were no longer working
- Fixed an issue where statistics were shown in an anarchist way
- Fixed an issue where wildcards could not show results
icingaweb2 update to 2.7.0:
- New languages support
- Module developers now have additional ways to customize Icinga Web 2
- UI enhancements
icingaweb2 update to 2.6.3:
- Fixed various issues with LDAP
- Fixed issues with timezone
- UI enhancements
- Stability fixes
icingaweb2 update to 2.6.2:
You can find issues and features related to this release on our Roadmap. This bugfix release addresses the following topics:
- Database connections to MySQL 8 no longer fail
- LDAP connections now have a timeout configuration which defaults to 5 seconds
- User groups are now correctly loaded for externally authenticated users
- Filters are respected for all links in the host and service group overviews
- Fixed permission problems where host and service actions provided by modules were missing
- Fixed a SQL error in the contact list view when filtering for host groups
- Fixed time zone (DST) detection
- Fixed the contact details view if restrictions are active
- Doc parser and documentation fixes
Fix security issues:
- CVE-2018-18246: fixed a CSRF in moduledisable (boo#1119784)
- CVE-2018-18247: fixed an XSS via /icingaweb2/navigation/add (boo#1119785)
- CVE-2018-18248: fixed an XSS that is possible via query strings or a dir parameter (boo#1119801)
- CVE-2018-18249: fixed an injection of PHP ini-file directives that involves environment variables as a channel to send out information (boo#1119799)
- CVE-2018-18250: fixed parameters that can break navigation dashlets (boo#1119800)
- Remove setuid from new upstream spec file for the following dirs:
/etc/icingaweb2, /etc/icingaweb/modules, /etc/icingaweb2/modules/setup, /etc/icingaweb2/modules/translation, /var/log/icingaweb2
icingaweb2 updated to 2.6.1:
- You can find issues and features related to this release on our [Roadmap](https://github.com/Icinga/icingaweb2/milestone/51?closed=1).
- The command audit now logs a command's payload as JSON which fixes a [bug](https://github.com/Icinga/icingaweb2/issues/3535) that has been introduced in version 2.6.0.
icingaweb2 was updated to 2.6.0:
- You can find issues and features related to this release on our Roadmap.
- Enabling you to do stuff you couldn't before
- Support for PHP 7.2 added
- Support for SQLite resources added
- Login and Command (monitoring) auditing added with the help of a dedicated module
- Pluginoutput rendering is now hookable by modules, which allows rendering custom icons, emojis and ... cute kitties :octocat:
- Avoiding that you miss something
- It's now possible to toggle between list- and grid-mode for the host- and servicegroup overviews
- The servicegrid now supports flipping its axes, which allows it to be put into a landscape mode
- Contacts only associated with services are visible now when restricted based on host filters
- Negated and combined membership filters now work as expected (#2934)
- A more prominent error message in case the monitoring backend goes down
- The filter editor doesn't get cleared anymore upon hitting Enter
- Making your life a bit easier
- The tactical overview is now filterable and can be safely put into the dashboard
- It is now possible to register new announcements over the REST API
- Filtering for custom variables now works in UTF8 environments
- Ensuring you understand everything
- The monitoring health is now beautiful to look at and properly behaves in narrow environments
- Updated German localization
- Updated Italian localization
- Freeing you from unreliable things
- Removed support for PHP < 5.6
- Removed support for persistent database connections
Solution
Update the affected icingaweb2 packages.
Plugin Details
File Name: openSUSE-2020-67.nasl
Agent: unix
Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:opensuse:icingaweb2-vendor-lessphp, p-cpe:/a:novell:opensuse:icingaweb2-vendor-jshrink, p-cpe:/a:novell:opensuse:icingaweb2-vendor-dompdf, cpe:/o:novell:opensuse:15.1, p-cpe:/a:novell:opensuse:icingaweb2-vendor-parsedown, p-cpe:/a:novell:opensuse:icingacli, p-cpe:/a:novell:opensuse:php-icinga, p-cpe:/a:novell:opensuse:icingaweb2-vendor-zf1, p-cpe:/a:novell:opensuse:icingaweb2-common, p-cpe:/a:novell:opensuse:icingaweb2, p-cpe:/a:novell:opensuse:icingaweb2-vendor-htmlpurifier
Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 1/16/2020
Vulnerability Publication Date: 12/17/2018