* PHP 8.4 Support
We're again a little behind schedule, but now we support PHP 8.4!
This means that installations on Ubuntu 25.04 and Fedora 42+ can
now install Icinga Web without worrying about PHP related
incompatibilities. Icinga packages will be available in the
next few days.
* Good Things Take Time
There's only a single (notable) recent issue that is fixed
with this release. All the others are a bit older.
- External URLs set up as dashlets are not embedded the same
as navigation items #5346
* But the team sat together a few weeks ago and fixed a bug here
and there. And of course, also in Icinga Web!
- Users who are not allowed to change the theme, cannot change
the theme mode either #5385
- Improved compatibility with several SSO authentication
providers #5000, #5227
- Filtering for older-than events with relative time does not
work #5263
- Empty values are NULL in CSV exports #5350
* Breaking, Somewhat
This is mainly for developers.
With the support of PHP 8.4, we introduced a new environment
variable, ICINGAWEB_ENVIRONMENT. Unless set to dev, Icinga Web
will not show nor log deprecation notices anymore.
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icingaweb2?expand=0&rev=116
- XSS in embedded content CVE-2025-27405
- DOM-based XSS CVE-2025-27404
- Open redirect on login page CVE-2025-30164
- Reflected XSS CVE-2025-27609
- Login against Postgres DB is case-sensitive #5223
- Role list has no functioning quick search #5300
- After clicking on Check now, the page does not refresh itself #5293
- Service States display wrong since update to 2.12.2 #5290
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icingaweb2?expand=0&rev=113
- Sort by name of roles does not work properly #4789
- Settings menu flyout closes too fast / easy #5196
- CSP header is missing the script-src policy #5180
- Broken event overview due to IntlDateFormatter #5172
- Downtimes, which were started and canceled, are missing in the history #5176
- Usage of IcingaWeb2 api command returns 404, but is successful #5183
- Allow fontawesome icons as menu items #5205
- Error while opening a navigation root item #5177
- Dashlets twice in dashboard & not deletable #5203
- PluginOutputRenderer gets called twice #5271
- Graphs disappear after form controls are used #4996
- Make subgroups of custom variables fully collapsible #5256
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icingaweb2?expand=0&rev=107
- Update to 2.11.3
This is a security release.
* Minor to Medium Vulnerabilities
- Open Redirects for logged in users #4945
- SSH Resource Configuration form XSS Bug #4947
- Dashlets allow the user to run Javascript code #4959
- Role member suggestion endpoint is reachable for unauthorized
users #4961
* The More Usual Dose of Fixes
- Browser print dialog result broken #4957
- Shared navigation items are not accessible #4953
- While using dropdown filter menu it gets closed automatically
due to autorefresh #4942
OBS-URL: https://build.opensuse.org/request/show/1042955
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icingaweb2?expand=0&rev=92
- Update to 2.11.0
* Enhancements, Some
- Support for PHP 8.1 #4609
- Redesign User Menu #4651
- &showFullscreen suppresses announcements #4596
* Fixes, More
- Navigation item filter * not working #4772
- Objects with a * in the name are not found #4682
- Theme mode switch disabled on theme with mode support #4744
* When developers become cleaning maniacs
- User preferences in INI files not supported anymore #4765
- mysql: use of utf8 vs utfmb4 #4680
- Remove Vagrant file and its assets #4762
- Update to 2.10.3
This release mainly ensures compatibility with icinga-php-library
v0.9.0 and Icinga DB Web 1.0.0. Two fixes regarding the theme
mode support are also included (#4744 and #4835)
OBS-URL: https://build.opensuse.org/request/show/986197
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icingaweb2?expand=0&rev=86
- Update to 2.10.1
- Clicking anywhere on a list item in the dashboard now opens the
primary link again, instead of nothing #4710
- The Check Now and Remove Acknowledgement quick actions in an
object's detail header are now working again #4711
- Clicking on the big number in the tactical overview if there
are UNKNOWN services, shows UNKNOWN services now #4714
- The contrast of text in the sidebar, while in light mode,
has been increased #4720
- A theme without mode support, which is set globally,
now also prevents users from configuring the mode #4723
- Drop 6498d8b035cbaa287d67a61b3f09310a191a5e10.patch,
because now in upstream.
OBS-URL: https://build.opensuse.org/request/show/967315
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icingaweb2?expand=0&rev=84
- Update to 2.9.6
* Security Fixes
Please check the advisories on GitHub for more details.
- Path traversal in static library file requests for
unauthenticated users GHSA-5p3f-rh28-8frw
- SSH resources allow arbitrary code execution for
authenticated users GHSA-v9mv-h52f-7g63
- Unwanted disclosure of hosts and related data, linked to
decommissioned services GHSA-qcmg-vr56-x9wf
OBS-URL: https://build.opensuse.org/request/show/960286
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icingaweb2?expand=0&rev=78
Main impulse was to have a working php-fpm out-of-the-box experience,
when installing the package. Especially, as this is also the recommended
way from Upstream (running icingaweb2 via apache and php-fpm).
Found some other, small topics during investigation (namely rpmlint
warnings/errors. The missing official openSUSE group 'icingaweb2' is
meanwhile accepted upstream:
https://github.com/rpm-software-management/rpmlint/pull/784
- introduce new package icingaweb2-php-fpm, which contains a
configuration file for php-fpm
+ Since php-fpm 7.4, systemd does not allow the process to edit any
system files. As icingaweb2 nevertheless wants to edit the
configuration in /etc/icingaweb2, add a systemd override file
php-fpm.service.override and place it in
/usr/lib/systemd/system/php-fpm.service.d/20-icingaweb2.conf
+ Try to detect the "right" php-fpm config directory during
build time -> BuildRequire php to run
php -r "print PHP_MAJOR_VERSION;"
- remove not needed files (zero size or scripts that are used only
for building)
- weaken the requirements for mysql and pgsql: only one of these
modules is usually only needed. Require the virtual php_any_db
instead, which is provided by both modules.
OBS-URL: https://build.opensuse.org/request/show/944231
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icingaweb2?expand=0&rev=76
- Update to 2.9.5
* This is a hotfix release which fixes the following issues:
- Some detail views of Icinga Director and other modules are
broken with Web 2.9.4 #4598
- Error on skipping LDAP Discovery #4603
- Update to 2.9.4
* Broken Preference Configuration
- Config/Preferences not accessible without config.ini #4504
- "My Account" broken after Upgrade from 2.8.2 to 2.9.3 #4512
* Notable Fixes in the UI
- Proposal for new Feature make comments collapsible #4515
- new line character is being removed in the plugin output #4522
* Less Notable But No Less Important Fixes
- announcements request clears focus #4543
- js: Fix regression for loading dependent modules for sub-containers #4533
- Changes from 2.9.3
* Staying remembered on RHEL/CentOS 7 now possible
- Stay Logged In - Unknown cipher algorithm #4493
* Missing icons with SLES/OpenSUSE 15
- Missing fileinfo php extension on SLES/OpenSUSE 15+ #4503
* Child downtimes for services are now removed automatically
- If appropriate, set the API parameter all_services for schedule-downtime #4501
- Changes from 2.9.2
This is a hotfix release. v2.9.1 included a change that wasn't
compatible with PostgreSQL again. This has been fixed in this
release. (#4490)
- Changes from 2.9.1
* Pancakes everywhere
- Nested custom variables are flattened #4439
- Disable login orb animation and all orbs for themes #4468
- SVG chart library doesn't process input as UTF-8 #4462
* Staying remembered too difficult
- RememberMe not working with only PostgreSQL #4441
- RememberMe compatibility with php version 5.6+ #4472
- RememberMe fails after running the wizard for grants #4434
* Being picky pays off
- Datetimepicker not usable by keyboard #4442
- Close the datepicker automatically #4461
- Paragraphs in Acknowledge/Downtime not possible #4443
- Changes from 2.9.0
* Icinga DB
- We continue our endeavour soon. Icinga Web 2 is still a
crucial part of it and this update is again required for
Icinga DB. If you like to participate again, don't forget
to update Icinga Web 2 as well.
* Security Fixes
This release includes two security related fixes. Both were
published as part of a security advisory on Github. They allow
the circumvention of custom variable protection rules and
blacklists as well as a path traversal if the doc module is
enabled. Please check the respective advisory for details.
- Custom variable protection and blacklists can be circumvented GHSA-2xv9-886q-p7xx
- Possible path traversal by use of the doc module GHSA-cmgc-h4cx-3v43
* RBAC, The Elephant In Icinga Web 2
- Authorization enhancements #4306
- Audit View #4336
- Highlight modules with permissions set inside a role #4241
* Support for PHP 8
- Support PHP 8 #4289
- Raise minimum required PHP version to 7.3 #4397
* Stay, Be Remembered
- Implement a "remember me" feature #2495
* It Does Matter, When
- Add datetime picker widget #4354
- Expire Option for Comments #3447
- Custom defaults for downtime end, comment and duration #4364
OBS-URL: https://build.opensuse.org/request/show/933116
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/icingaweb2?expand=0&rev=75
