Merge branch 'release-v2.16.2' into 'support/2.16'

Release v2.16.2

See merge request packages/security/icinga2!27
This commit is contained in:
Julian Brost 2026-06-24 12:48:08 +00:00
commit cfdf63b633
2 changed files with 20 additions and 1 deletions

View file

@ -7,6 +7,25 @@ documentation before upgrading to a new release.
Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed).
## 2.16.2 (2026-06-29)
This release fixes some critical security vulnerabilities in Icinga 2. Users are advised to upgrade immediately, as two
of them allow an unauthenticated attacker to take over or crash the Icinga 2 process over the network. The other
security fixes only affect authenticated API users.
In addition, a new permission named `filter-expression` is introduced, which allows specifying if individual API users
are allowed to use DSL filter expressions in API queries. This allows further restricting some API users that don't need
this capability, for example, those only submitting individual check results. Due to the incompatibility of this change,
enforcement of this permission is opt-in until v2.17; see the
[upgrading docs](https://icinga.com/docs/icinga-2/latest/doc/16-upgrading-icinga-2/#upgrading-to-2-16-2) for details.
* Verify that certificate update requests come from an authorized endpoint ([GHSA-vj39-ww8j-vvx5](https://github.com/Icinga/icinga2/security/advisories/GHSA-vj39-ww8j-vvx5))
* Fix stack overflow due to deeply nested data structures ([GHSA-wh38-wg57-5w7g](https://github.com/Icinga/icinga2/security/advisories/GHSA-wh38-wg57-5w7g))
* Prevent arbitrary config injection on object creation via the API ([GHSA-jgqj-x5j9-vgcm](https://github.com/Icinga/icinga2/security/advisories/GHSA-jgqj-x5j9-vgcm))
* Fix that `/v1/config/files` could send uninitialized memory in case of file I/O errors (#10871)
* Add `filter-expression` permission to make it possible to prevent API users from using DSL filter expressions
* Windows: Update bundled OpenSSL to v3.5.7 (#10893)
## 2.16.1 (2026-05-21)
This is a small release mostly to fix the issues some users were encountering in connection with perfdata writers,

View file

@ -1,2 +1,2 @@
Version: 2.16.1
Version: 2.16.2
Revision: 1