- Update to 2.15.1
* Security
- CVE-2025-61907: Prevent API users from accessing variables and objects they
don't have access to within filter expressions.
This allowed authenticated API users to learn information they aren't allowed
to access directly.
- CVE-2025-61908: Add a missing null pointer check while evaluating expressions.
This allowed authenticated API users to crash the Icinga 2 daemon by supplying
a crafted filter expression.
- CVE-2025-61909: Don't send signals as root in safe-reload script and logrotate config.
This allowed a limited privilege escalation from the Icinga 2 service user to root.
The scope is limited to sending SIGHUP or SIGUSR1 to an arbitrary process. #10590
- Windows: Update to OpenSSL 3.0.18. #10591
* Bugfixes
- When a reload triggered from Icinga Director (or the /v1/config API) fails,
the corresponding state is cleared, allowing to deploy a new config
without having to restart Icinga 2 manually first. #10584
* Enhancements
- Add JSON-RPC utilization metrics and troubleshooting docs. #10586
- When sending cluster messages to other zones, prefer endpoints in the order
as specified in the zone configuration. #10587
- Track the number of JSON-RPC messages received for each message type per endpoint. #10585
- Add support for building with Boost v1.89 and use it on Windows. #10578
- Drop 76fa0d9e8054f405dc3d1e39a4b48f21e86afdf0.patch because now in upstream.
OBS-URL: https://build.opensuse.org/request/show/1311996
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icinga2?expand=0&rev=200
- Update to 2.15.0
* Breaking Changes
- API: Fix /v1/objects/* queries with attrs set to [] to return empty attributes instead of all of them. #8169
- Drop the undocumented Checkable#process_check_result and broken System#track_parents DSL functions. #10457
* Enhancements
- Gracefully disconnect all clients on shutdown and prevent from accepting new connections. #10460
- Icinga DB: Send data to Redis® exactly as they're stored in the database to avoid extra value-mapping routines by the Go daemon. #10452
- Add support for Icinga 2 dependencies in Icinga DB. #10290
- Take host/service reachability into account when computing its severity. #10399
- Rework the dependency cycle detection to efficiently handle large configs and provide better error messages. #10360
- Don't log next check timestamp in scientific notation. #10352
- Automatically remove child downtimes when removing parent downtime. #10345
- Ensure compatibility with Boost version up to v1.88. #10278 #10419
- Reject infinite performance data values. #10077
- Support host_template and service_template tags in ElasticsearchWriter. #10074
- Icinga DB: Support Redis® username authentication. #10102
- Cluster: Distribute host child objects (e.g. services, notifications, etc.) based on the host's name. #10161
- Icinga DB Check: Report an error if both Icinga DB instances are responsible in a HA setup. #10188
- Windows: upgrade build toolchain to Visual Studio 2022. #9747
* Bugfixes
* Core
- Use Checkable#check_timeout also for rescheduling remote checks. #10443
- Log: Don't unnecessarily buffer log messages that are going to be dropped anyway. #10177
- Don't lose perfdata counter (c) unit when normalizing performance data for Icinga DB. #10432
- Fix broken SELinux policy on Fedora ≥ 41 due to the new /usr/sbin to /usr/bin equivalence. #10429
- Don't load Notification objects before User and UserGroup objects to allow them to be referenced in notifications. #10427
- Ensure consistent DST handling across different platforms. #10422
- Fix Icinga 2 doesn't generate a core dump when it crashes with SIGABRT. #10416
- Don't process concurrent checks for the same checkable. #10372
- Don't process check results after the checker and API listener have been stopped. #10397
- Avoid zombie processes on plugin execution timeout on busy systems. #10375
- Properly restore the notification object state on Recovery notification. #10361
- Fix incorrectly dropped acknowledgement and recovery notifications. #10211
- Prevent checks from always being rescheduled outside the configured check_period. #10070
- Don't send reminder notifications after a Custom notification while interval is set to 0. #7818
- Reset all signal handlers of child processes to their defaults before starting a plugin. #8011
- tests: Fix FormatDateTime test cases with invalid formats on macOS and all BSD-based systems. #10149
- Mark move constructor and assignment operator in String as noexcept to allow optimizations. #10353 #10365
* Cluster and API
- Fix an inverted condition in ApiListener#IsHACluster() that caused to always return true in a non-HA setup. #10417
- Don't silently accept authenticated JSON-RPC connections with no valid endpoint. #10415
- Sync Notification#notified_problem_users across the cluster to prevent lost recovery notifications. #10380
- Remove superfluous ) from a HTTP request log message. #9966
- Disable TLS renegotiation (handshake on existing connection) on OpenBSD as well. #9943
- Log also the underlying error message when a HTTP request is closed with No data received by Icinga 2. #9928
- Fix a deadlock triggered by concurrent /v1/actions/add-comment and /v1/actions/acknowledge-problem requests
on the same checkable, as well as a crash that might occur when running perfectly timed /v1/actions/add-comment
and /v1/actions/remove-comment requests targeting the same comment. #9924
* Icinga DB
- Fix missing acknowledgement and flapping history entries due to a number overflow. #10467
- Send downtime cancel_time only if it is cancelled. #10379
- Send only the necessary data to the icinga:stats Redis® stream. #10359
- Remove a spin lock in RedisConnection#Connect() to avoid busy waiting. #10265
* Writers
- Serialize all required metrics before queueing them to a WorkQueue. #10420
- OpenTsdbWriter: Include checkable name in log messages to ease troubleshooting. #10009
- OpenTsdbWriter: Don't send custom empty tags. #7928
- InfluxDBWriter: Add missing closing quote in validation error message. #10174
* ITL
- Add --maintenance_mode_state ($vmware_maintenance_mode_state) argument to vmware-esx-command check command. #10435
- Add -n ($load_procs_to_show$) argument to load check command. #10426
- Add --inode-perfdata ($disk_np_inode_perfdata$) argument to disk check command. #10395
- Add -r ($ssh_remote_version$) and -P ($ssh_remote_protocol$) arguments to ssh check command. #10283
- Add --unplugged_nics_state ($vmware_unplugged_nics_state$) argument to
vmware-esx-soap-host-net and vmware-esx-soap-host-net-nic check commands. #10261
- Add -X ($proc_exclude_process$) argument to procs check command. #10232
- Add --dane ($ssl_cert_dane$) argument to ssl_cert check command. #10196
- Fix check_ssl_cert deprecation warnings. #9758
- Fix check_systemd executable name and add all missing arguments. #10035
- Add -M ($snmp_multiplier$ & $snmpv3_multiplier$) argument to snmp and snmpv3 check commands. #9975
- Add --continue-after-certificate ($http_certificate_continue$) argument to http check command. #9974
- Add --ignore-maximum-validity ($ssl_cert_ignore_maximum_validity$) argument to ssl_cert check command. #10396
- Add --maximum-validity ($ssl_cert_maximum_validity$) argument to ssl_cert check command. #9881
- Add --url ($ssl_cert_http_url$) argument to ssl_cert check command. #9759
- Add fuse.sshfs and fuse.* (supported only by Monitoring Plugins) to the list of default disk exclude types. #9749
- Add check_curl check command. #9205
- Add the --extra-opts argument to various commands that support it. #8010
* Documentation
- Don't use dnf config-manager to configure Fedora repository and mention icingadb-redis-selinux package. #10479
- Update the outdated cold startup duration documentation to reflect the current behavior. #10446
- Indent second-level unordered lists with four spaces to correctly render them in the HTML documentation. #10441
- Add a reference to the check result state documentation from within the Advanced Topics section. #10421
- Improve the documentation of how to generate Icinga 2 core dumps. #10418
- Update Icinga 2 CLI output examples to match the current output. #10323
- Fix incorrect ping_timeout value in the hostalive check command documentation. #10069
* Code Quality
- Simplify deferred SSL shutdown in ApiListener#NewClientHandlerInternal(). #10301
- Don't unnecessarily shuffle configuration items during config load. #10008
- Sort config types by their load dependencies at namespace initialization time to save some round trips during config load. #10148
- Fix livestatus build error on macOS without unity builds. #10176
- Remove unused methods in SharedObject class. #10456
- Remove unused ProcessingResult#NoCheckResult enum value. #10444
- CMake: Drop all third-party cmake modules and use the ones shipped with CMake v3.8+. #10403
- CMake: Raise the minimum required policy to 3.8. #10402 #10478
- CMake: Turn on -Wsuggest-override to warn about missing override specifiers. #10225 #10356
- Make icinga::Empty a constant to prevent accidental modifications. #10224
- Remove various unused methods in the Registry class. #10222
- Fix missing parent std::atomic<T> constructor call in our Atomic<T> wrapper class. #10215
- Drop unused m_NextHeartbeat member variable from JsonRpcConnection. #10208
- Enhance some of the validation error messages. #10201
- Don't allow Type#GetLoadDependencies() to return non-config object type dependencies. #10169
- Don't allow Type#GetLoadDependencies() to return a set of nullptr type dependencies. #10155
- Remove EOL distros detection code from Utility::ReleaseHelper() function. #10147
- Remove dead code in TLS GetSignatureAlgorithm() function. #9882
- Mark Logger#GetSeverity() as non-virtual to avoid unnecessary vtable lookups. #9851
- Remove unused Stream#Peak() method and unused allow_partial parameter from Stream#Read(). #9734 #9736
- Suppress compiler warnings in third-party libraries. #9732
- Fix various compiler warnings. #9731 #10442
- Reduce task function allocation overhead by using a per-thread created lambda in WorkQueue. #9575
- Remove redundant trailing empty lines and add missing newlines in some files. #7799
- Drop icinga-pr10278.patch because now in upstream.
- Change BuildRequires from yajl to nlohmann_json because yajl is dead.
OBS-URL: https://build.opensuse.org/request/show/1287040
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icinga2?expand=0&rev=197
- Update to 2.14.6
- CVE-2025-48057: Prevent invalid certificates from being renewed with OpenSSL older than v1.1.0.
- Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same
function which is fixed as well, but in case it is triggered, typically only a wrong error code
may be shown in a log message.
- Windows: Update OpenSSL shipped on Windows to v3.0.16.
- Rebase icinga-pr10278.patch.
OBS-URL: https://build.opensuse.org/request/show/1280693
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icinga2?expand=0&rev=196
- Update to 2.14.5
* Bug Fixes
- Don't close anonymous connections before sending the response for a certificate request #10337
- Performance data: Don't discard min/max values even if crit/warn thresholds aren’t given #10339
- Fix a failing test case on systems where time_t is only 32 bits #10343
* Documentation
- Document the -X option for the mail-host-notification and mail-service-notification commands #10335
- Include Nagios in the migration docs #10324
- Remove RHEL 7 from installation instructions #10334
- Add instructions for installing build dependencies on Windows Server #10336
OBS-URL: https://build.opensuse.org/request/show/1252605
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icinga2?expand=0&rev=192
- Update to 2.14.4
* Crash Fixes
- Invalid DateTime#format() arguments in config and console on Windows Server 2016 and older. #10112
- Downtime scheduling at runtime with non-existent trigger. #10049
- Object creation at runtime during Icinga DB initialization. #10151
- Comment on a service of a non-existent host. #9861
* Miscellaneous Bugfixes
- Lost notifications after recovery outside the notification time period. #10187
- TimePeriod/ScheduledDowntime exceeding specified date range. #9983 #10107
- Clean up failure for obsolete Downtimes. #10062
- ifw-api check command: use correct process-finished handler. #10140
- Email notification scripts: strip 0x0D (CR) for a proper Content-Type. #10061
- Several fixes and improvements of the code quality. #10066 #10214 #10254 #10263 #10264
* Cluster and API
- Sync runtime objects in topological order to honor their dependencies. #10000
- Make parallel config syncs more robust. #10013
- After object creation via API fails, clean up properly for the next try. #10111
- Close HTTPS connections properly to prevent leaks. #10005 #10006
- Reduce the number of cluster messages in memory at the same time. #9991 #9999 #10210
- Once a cluster connection shall be closed, stop communicating. #10213 #10221
- Remove unnecessary blocking of semaphores. #9992 #9994
- Reduce unnecessary cluster messages setting the next check time. #10011
* Icinga DB and IDO
- IDO: fix object relations after aborted synchronization. #10065
- Icinga DB, IDO: limit all timestamps to four year digits. #10058 #10059
- Icinga DB: limit execution_time and latency (milliseconds) to database schema. #10060
* Troubleshooting
- Add /v1/debug/malloc_info which calls malloc_info(3) if available. #10015
- Add log messages about own network I/O. #9993 #10141 #10207
- Several fixes and improvements of log messages. #9997 #10021 #10209
* Windows
- Update OpenSSL shipped on Windows to v3.0.15. #10170
- Update Boost shipped on Windows to v1.86. #10114
- Support CMake v3.29. #10037
- Don't require to build .msi as admin. #10137
- Build configuration scripts: allow custom $CMAKE_ARGS. #10312
* Documentation
- Distributed Monitoring: add section "External CA/PKI". #9825
- Explain how to enable/disable debug logging on the fly. #9981
- Update supported OS versions and repository configuration. #10064 #10090 #10120 #10135 #10136 #10205
- Several fixes and improvements. #9960 #10050 #10071 #10156 #10194
- Replace broken links. #10115 #10118 #10282
- Fix typographical and similarly trivial errors. #9953 #9967 #10056 #10116 #10152 #10153 #10204
OBS-URL: https://build.opensuse.org/request/show/1240023
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icinga2?expand=0&rev=191