Icinga2

This security release fixes a problem in the Icinga 2 Windows MSI that did not set proper permissions for %ProgramData%\icinga2\var. Additionally, it updates the bundled OpenSSL library and includes changes to allow building with newer toolchains.

Security

• CVE-2026-24413: Fix permissions of %ProgramData%\icinga2\var on Windows.

Other Changes

• Windows: Update to OpenSSL 3.0.19. #10704
• Allow building with CMake 4. #10625

This security release fixes a problem in the Icinga 2 Windows MSI that did not set proper permissions for %ProgramData%\icinga2\var. Additionally, it updates the bundled OpenSSL library and includes changes to allow building with newer toolchains.

Security

• CVE-2026-24413: Fix permissions of %ProgramData%\icinga2\var on Windows.

Other Changes

• Windows: Update to OpenSSL 3.0.19. #10705
• Bump Boost shipped for Windows to v1.87. #10651
• Allow building with CMake 4. #10624

This security release fixes a problem in the Icinga 2 Windows MSI that did not set proper permissions for %ProgramData%\icinga2\var. Additionally, it includes two minor bug fixes regarding our SELinux policy and updates the OpenSSL version shipped on Windows.

Security

• CVE-2026-24413: Fix permissions of %ProgramData%\icinga2\var on Windows.
• SELinux: Fix policy to allow logrotate to execute the icinga2 binary in order to send SIGUSR1 for log rotation. #10643
• SELinux: Fix policy to allow icinga2 to send SIGTERM to nagios plugins processes on timeout. #10694

Other Changes

• doc: Update Windows development docs to use Visual Studio 2022 instead of 2019. #10695
• Windows: Update to OpenSSL 3.0.19. #10706

This release fixes multiple security issues. Two of them allow authenticated API users to learn restricted information or crash Icinga 2. A third issue affects the scripts provided with Icinga 2 and allows a limited privilege escalation where the Icinga 2 daemon user can trick root into sending signals to arbitrary processes.

In addition, this version also includes bug fixes regarding config deployments and improvements to allow for better debugging of problems related to JSON-RPC cluster communication.

Note that one fix affects the logrotate configuration. If it was modified locally, it might not be updated automatically by the package manager and applying the changes manually is necessary. For details, please check the upgrading docs.

Security

• CVE-2025-61907: Prevent API users from accessing variables and objects they don't have access to within filter expressions. This allowed authenticated API users to learn information they aren't allowed to access directly.
• CVE-2025-61908: Add a missing null pointer check while evaluating expressions. This allowed authenticated API users to crash the Icinga 2 daemon by supplying a crafted filter expression.
• CVE-2025-61909: Don't send signals as root in safe-reload script and logrotate config. This allowed a limited privilege escalation from the Icinga 2 service user to root. The scope is limited to sending SIGHUP or SIGUSR1 to an arbitrary process. #10590
• Windows: Update to OpenSSL 3.0.18. #10591

Bugfixes

• When a reload triggered from Icinga Director (or the /v1/config API) fails, the corresponding state is cleared, allowing to deploy a new config without having to restart Icinga 2 manually first. #10584

Enhancements

• Add JSON-RPC utilization metrics and troubleshooting docs. #10586
• When sending cluster messages to other zones, prefer endpoints in the order as specified in the zone configuration. #10587
• Track the number of JSON-RPC messages received for each message type per endpoint. #10585
• Add support for building with Boost v1.89 and use it on Windows. #10578

This release fixes multiple security issues. Two of them allow authenticated API users to learn restricted information or crash Icinga 2. A third issue affects the scripts provided with Icinga 2 and allows a limited privilege escalation where the Icinga 2 daemon user can trick root into sending signals to arbitrary processes.

Note that one fix affects the logrotate configuration. If it was modified locally, it might not be updated automatically by the package manager and applying the changes manually is necessary. For details, please check the upgrading docs.

• CVE-2025-61907: Prevent API users from accessing variables and objects they don't have access to within filter expressions. This allowed authenticated API users to learn information they aren't allowed to access directly.
• CVE-2025-61908: Add a missing null pointer check while evaluating expressions. This allowed authenticated API users to crash the Icinga 2 daemon by supplying a crafted filter expression.
• CVE-2025-61909: Don't send signals as root in safe-reload script and logrotate config. This allowed a limited privilege escalation from the Icinga 2 service user to root. The scope is limited to sending SIGHUP or SIGUSR1 to an arbitrary process. #10597
• Windows: Update to OpenSSL 3.0.18. #10595
• Windows: upgrade build toolchain to Visual Studio 2022. #10594

This release fixes multiple security issues. Two of them allow authenticated API users to learn restricted information or crash Icinga 2. A third issue affects the scripts provided with Icinga 2 and allows a limited privilege escalation where the Icinga 2 daemon user can trick root into sending signals to arbitrary processes.

Note that one fix affects the logrotate configuration. If it was modified locally, it might not be updated automatically by the package manager and applying the changes manually is necessary. For details, please check the upgrading docs.

• CVE-2025-61907: Prevent API users from accessing variables and objects they don't have access to within filter expressions. This allowed authenticated API users to learn information they aren't allowed to access directly. In this version this also applies to the TicketSalt variable which was previously accessible through the /v1/variables API in this version.
• CVE-2025-61908: Add a missing null pointer check while evaluating expressions. This allowed authenticated API users to crash the Icinga 2 daemon by supplying a crafted filter expression.
• CVE-2025-61909: Don't send signals as root in safe-reload script and logrotate config. This allowed a limited privilege escalation from the Icinga 2 service user to root. The scope is limited to sending SIGHUP or SIGUSR1 to an arbitrary process. #10601
• Windows: Update to OpenSSL 3.0.18. #10602
• Windows: upgrade build toolchain to Visual Studio 2022. #10598

This Icinga 2 release is focused on adding Icinga 2 dependencies support to Icinga DB, but also includes a number of bugfixes, enhancements and code quality improvements. Below is a summary of the most important changes, for the complete list of issues and PRs, please see the milestone on GitHub.

Notes

Thanks to all contributors: ChrLau, Josef-Friedrich, LordHepipud, OdyX, RincewindsHat, SebastianOpeni, SpeedD3, Tqnsls, botovq, cycloon, legioner0, legna-namor, macdems, mathiasaerts, mcodato, n-rodriguez, netphantm, nicolasberens, oldelvet, peteeckel, tbauriedel, w1ll-i-code, ymartin-ovh

Breaking Changes

• API: Fix /v1/objects/* queries with attrs set to [] to return empty attributes instead of all of them. #8169
• Drop the undocumented Checkable#process_check_result and broken System#track_parents DSL functions. #10457

Enhancements

• Gracefully disconnect all clients on shutdown and prevent from accepting new connections. #10460
• Icinga DB: Send data to Redis® exactly as they're stored in the database to avoid extra value-mapping routines by the Go daemon. #10452
• Add support for Icinga 2 dependencies in Icinga DB. #10290
• Take host/service reachability into account when computing its severity. #10399
• Rework the dependency cycle detection to efficiently handle large configs and provide better error messages. #10360
• Don't log next check timestamp in scientific notation. #10352
• Automatically remove child downtimes when removing parent downtime. #10345
• Ensure compatibility with Boost version up to v1.88. #10278 #10419
• Reject infinite performance data values. #10077
• Support host_template and service_template tags in ElasticsearchWriter. #10074
• Icinga DB: Support Redis® username authentication. #10102
• Cluster: Distribute host child objects (e.g. services, notifications, etc.) based on the host's name. #10161
• Icinga DB Check: Report an error if both Icinga DB instances are responsible in a HA setup. #10188
• Windows: upgrade build toolchain to Visual Studio 2022. #9747

Bugfixes

• Core
  • Use Checkable#check_timeout also for rescheduling remote checks. #10443
  • Log: Don't unnecessarily buffer log messages that are going to be dropped anyway. #10177
  • Don't loose perfdata counter (c) unit when normalizing performance data for Icinga DB. #10432
  • Fix broken SELinux policy on Fedora ≥ 41 due to the new /usr/sbin to /usr/bin equivalence. #10429
  • Don't load Notification objects before User and UserGroup objects to allow them to be referenced in notifications. #10427
  • Ensure consistent DST handling across different platforms. #10422
  • Fix Icinga 2 doesn't generate a core dump when it crashes with SIGABRT. #10416
  • Don't process concurrent checks for the same checkable. #10372
  • Don't process check results after the checker and API listener have been stopped. #10397
  • Avoid zombie processes on plugin execution timeout on busy systems. #10375
  • Properly restore the notification object state on Recovery notification. #10361
  • Fix incorrectly dropped acknowledgement and recovery notifications. #10211
  • Prevent checks from always being rescheduled outside the configured check_period. #10070
  • Don't send reminder notifications after a Custom notification while interval is set to 0. #7818
  • Reset all signal handlers of child processes to their defaults before starting a plugin. #8011
  • tests: Fix FormatDateTime test cases with invalid formats on macOS and all BSD-based systems. #10149
  • Mark move constructor and assignment operator in String as noexcept to allow optimizations. #10353 #10365
• Cluster and API
  • Fix an inverted condition in ApiListener#IsHACluster() that caused to always return true in a non-HA setup. #10417
  • Don't silently accept authenticated JSON-RPC connections with no valid endpoint. #10415
  • Sync Notification#notified_problem_users across the cluster to prevent lost recovery notifications. #10380
  • Remove superfluous ) from a HTTP request log message. #9966
  • Disable TLS renegotiation (handshake on existing connection) on OpenBSD as well. #9943
  • Log also the underlying error message when a HTTP request is closed with No data received by Icinga 2. #9928
  • Fix a deadlock triggered by concurrent /v1/actions/add-comment and /v1/actions/acknowledge-problem requests on the same checkable, as well as a crash that might occur when running perfectly timed /v1/actions/add-comment and /v1/actions/remove-comment requests targeting the same comment. #9924
• Icinga DB
  • Fix missing acknowledgement and flapping history entries due to a number overflow. #10467
  • Send downtime cancel_time only if it is cancelled. #10379
  • Send only the necessary data to the icinga:stats Redis® stream. #10359
  • Remove a spin lock in RedisConnection#Connect() to avoid busy waiting. #10265
• Writers
  • Serialize all required metrics before queueing them to a WorkQueue. #10420
  • OpenTsdbWriter: Include checkable name in log messages to ease troubleshooting. #10009
  • OpenTsdbWriter: Don't send custom empty tags. #7928
  • InfluxDBWriter: Add missing closing quote in validation error message. #10174

ITL

• Add --maintenance_mode_state ($vmware_maintenance_mode_state) argument to vmware-esx-command check command. #10435
• Add -n ($load_procs_to_show$) argument to load check command. #10426
• Add --inode-perfdata ($disk_np_inode_perfdata$) argument to disk check command. #10395
• Add -r ($ssh_remote_version$) and -P ($ssh_remote_protocol$) arguments to ssh check command. #10283
• Add --unplugged_nics_state ($vmware_unplugged_nics_state$) argument to vmware-esx-soap-host-net and vmware-esx-soap-host-net-nic check commands. #10261
• Add -X ($proc_exclude_process$) argument to procs check command. #10232
• Add --dane ($ssl_cert_dane$) argument to ssl_cert check command. #10196
• Fix check_ssl_cert deprecation warnings. #9758
• Fix check_systemd executable name add add all missing arguments. #10035
• Add -M ($snmp_multiplier$ & $snmpv3_multiplier$) argument to snmp and snmpv3 check commands. #9975
• Add --continue-after-certificate ($http_certificate_continue$) argument to http check command. #9974
• Add --ignore-maximum-validity ($ssl_cert_ignore_maximum_validity$) argument to ssl_cert check command. #10396
• Add --maximum-validity ($ssl_cert_maximum_validity$) argument to ssl_cert check command. #9881
• Add --url ($ssl_cert_http_url$) argument to ssl_cert check command. #9759
• Add fuse.sshfs and fuse.* (supported only by Monitoring Plugins) to the list of default disk exclude types. #9749
• Add check_curl check command. #9205
• Add the --extra-opts argument to various commands that support it. #8010

Documentation

• Don't use dnf config-manager to configure Fedora repository and mention icingadb-redis-selinux package. #10479
• Update the outdated cold startup duration documentation to reflect the current behavior. #10446
• Indent second-level unordered lists with four spaces to correctly render them in the HTML documentation. #10441
• Add a reference to the check result state documentation from within the Advanced Topics section. #10421
• Improve the documentation of how to generate Icinga 2 core dumps. #10418
• Update Icinga 2 CLI output examples to match the current output. #10323
• Fix incorrect ping_timeout value in the hostalive check command documentation. #10069

Code Quality

• Simplify deferred SSL shutdown in ApiListener#NewClientHandlerInternal(). #10301
• Don't unnecessarily shuffle configuration items during config load. #10008
• Sort config types by their load dependencies at namespace initialization time to save some round trips during config load. #10148
• Fix livestatus build error on macOS without unity builds. #10176
• Remove unused methods in SharedObject class. #10456
• Remove unused ProcessingResult#NoCheckResult enum value. #10444
• CMake: Drop all third-party cmake modules and use the ones shipped with CMake v3.8+. #10403
• CMake: Raise the minimum required policy to 3.8. #10402 #10478
• CMake: Turn on -Wsuggest-override to warn about missing override specifiers. #10225 #10356
• Make icinga::Empty a constant to prevent accidental modifications. #10224
• Remove various unused methods in the Registry class. #10222
• Fix missing parent std::atomic<T> constructor call in our Atomic<T> wrapper class. #10215
• Drop unused m_NextHeartbeat member variable from JsonRpcConnection. #10208
• Enhance some of the validation error messages. #10201
• Don't allow Type#GetLoadDependencies() to return non-config object type dependencies. #10169
• Don't allow Type#GetLoadDependencies() to return a set of nullptr type dependencies. #10155
• Remove EOL distros detection code from Utility::ReleaseHelper() function. #10147
• Remove dead code in TLS GetSignatureAlgorithm() function. #9882
• Mark Logger#GetSeverity() as non-virtual to avoid unnecessary vtable lookups. #9851
• Remove unused Stream#Peak() method and unused allow_partial parameter from Stream#Read(). #9734 #9736
• Suppress compiler warnings in third-party libraries. #9732
• Fix various compiler warnings. #9731 #10442
• Reduce task function allocation overhead by using a per-thread created lambda in WorkQueue. #9575
• Remove redundant trailing empty lines and add missing newlines in some files. #7799

This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which might incorrectly renew an invalid certificate. However, only nodes with access to the Icinga CA private key running with OpenSSL older than version 1.1.0 (released in 2016) are vulnerable. So this typically affects Icinga 2 masters running on operating systems like RHEL 7 and Amazon Linux 2.

For details, please check the release announcement and the GitHub security advisory

• CVE-2025-48057: Prevent invalid certificates from being renewed with OpenSSL older than v1.1.0.
• Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same function which is fixed as well, but in case it is triggered, typically only a wrong error code may be shown in a log message.
• Windows: Update OpenSSL shipped on Windows to v3.0.16.

This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which might incorrectly renew an invalid certificate. However, only nodes with access to the Icinga CA private key running with OpenSSL older than version 1.1.0 (released in 2016) are vulnerable. So this typically affects Icinga 2 masters running on operating systems like RHEL 7 and Amazon Linux 2.

For details, please check the release announcement and the GitHub security advisory

• CVE-2025-48057: Prevent invalid certificates from being renewed with OpenSSL older than v1.1.0.
• Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same function which is fixed as well, but in case it is triggered, typically only a wrong error code may be shown in a log message.
• Windows: Update OpenSSL shipped on Windows to v3.0.16.
• Fix a failing test case on systems time_t is only 32 bits #10344.

This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which might incorrectly renew an invalid certificate. However, only nodes with access to the Icinga CA private key running with OpenSSL older than version 1.1.0 (released in 2016) are vulnerable. So this typically affects Icinga 2 masters running on operating systems like RHEL 7 and Amazon Linux 2.

For details, please check the release announcement and the GitHub security advisory

• CVE-2025-48057: Prevent invalid certificates from being renewed with OpenSSL older than v1.1.0.
• Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same function which is fixed as well, but in case it is triggered, typically only a wrong error code may be shown in a log message.
• Windows: Update OpenSSL shipped on Windows to v3.0.16. #10455
• Windows: Fix unknown ctest(1) --log_level argument. #10453
• Don't require to build .msi as admin. #10454