Security update for icingaweb2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0067-1 Final 1 1 2020-01-16T15:12:13Z current 2020-01-16T15:12:13Z 2020-01-16T15:12:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for icingaweb2 This update for icingaweb2 to version 2.7.3 fixes the following issues: icingaweb2 update to 2.7.3: * Fixed an issue where servicegroups for roles with filtered objects were not available icingaweb2 update to 2.7.2: * Performance imrovements and bug fixes icingaweb2 update to 2.7.1: * Highlight links in the notes of an object * Fixed an issue where sort rules were no longer working * Fixed an issue where statistics were shown with an anarchist way * Fixed an issue where wildcards could no show results icingaweb2 update to 2.7.0: * New languages support * Now module developers got additional ways to customize Icinga Web 2 * UI enhancements icingaweb2 update to 2.6.3: * Fixed various issues with LDAP * Fixed issues with timezone * UI enhancements * Stability fixes icingaweb2 update to 2.6.2: You can find issues and features related to this release on our Roadmap. This bugfix release addresses the following topics: * Database connections to MySQL 8 no longer fail * LDAP connections now have a timeout configuration which defaults to 5 seconds * User groups are now correctly loaded for externally authenticated users * Filters are respected for all links in the host and service group overviews * Fixed permission problems where host and service actions provided by modules were missing * Fixed an SQL error in the contact list view when filtering for host groups * Fixed time zone (DST) detection * Fixed the contact details view if restrictions are active * Doc parser and documentation fixes Fix security issues: - CVE-2018-18246: fixed an CSRF in moduledisable (boo#1119784) - CVE-2018-18247: fixed an XSS via /icingaweb2/navigation/add (boo#1119785) - CVE-2018-18248: fixed an XSS attack is possible via query strings or a dir parameter (boo#1119801) - CVE-2018-18249: fixed an injection of PHP ini-file directives involves environment variables as channel to send out information (boo#1119799) - CVE-2018-18250: fixed parameters that can break navigation dashlets (boo#1119800) - Remove setuid from new upstream spec file for following dirs: /etc/icingaweb2, /etc/icingaweb/modules, /etc/icingaweb2/modules/setup, /etc/icingaweb2/modules/translation, /var/log/icingaweb2 icingaweb2 updated to 2.6.1: - You can find issues and features related to this release on our [Roadmap](https://github.com/Icinga/icingaweb2/milestone/51?closed=1). - The command audit now logs a command's payload as JSON which fixes a [bug](https://github.com/Icinga/icingaweb2/issues/3535) that has been introduced in version 2.6.0. icingaweb2 was updated to 2.6.0: - You can find issues and features related to this release on our Roadmap. * Enabling you to do stuff you couldn't before - Support for PHP 7.2 added - Support for SQLite resources added - Login and Command (monitoring) auditing added with the help of a dedicated module - Pluginoutput rendering is now hookable by modules which allows to render custom icons, emojis and .. cute kitties :octocat: * Avoiding that you miss something - It's now possible to toggle between list- and grid-mode for the host- and servicegroup overviews - The servicegrid now supports to flip its axes which allows it to be put into a landscape mode - Contacts only associated with services are visible now when restricted based on host filters - Negated and combined membership filters now work as expected (#2934) - A more prominent error message in case the monitoring backend goes down - The filter editor doesn't get cleared anymore upon hitting Enter * Making your life a bit easier - The tactical overview is now filterable and can be safely put into the dashboard - It is now possible to register new announcements over the REST Api - Filtering for custom variables now works in UTF8 environments * Ensuring you understand everything - The monitoring health is now beautiful to look at and properly behaves in narrow environments - Updated German localization - Updated Italian localization * Freeing you from unrealiable things - Removed support for PHP < 5.6 - Removed support for persistent database connections The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-67 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4EYR3CRPR6ULC3DIQMEBEOTBJQVA76WI/ E-Mail link for openSUSE-SU-2020:0067-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1101357 SUSE Bug 1101357 https://bugzilla.suse.com/1119784 SUSE Bug 1119784 https://bugzilla.suse.com/1119785 SUSE Bug 1119785 https://bugzilla.suse.com/1119799 SUSE Bug 1119799 https://bugzilla.suse.com/1119800 SUSE Bug 1119800 https://bugzilla.suse.com/1119801 SUSE Bug 1119801 https://www.suse.com/security/cve/CVE-2018-18246/ SUSE CVE CVE-2018-18246 page https://www.suse.com/security/cve/CVE-2018-18247/ SUSE CVE CVE-2018-18247 page https://www.suse.com/security/cve/CVE-2018-18248/ SUSE CVE CVE-2018-18248 page https://www.suse.com/security/cve/CVE-2018-18249/ SUSE CVE CVE-2018-18249 page https://www.suse.com/security/cve/CVE-2018-18250/ SUSE CVE CVE-2018-18250 page SUSE Package Hub 12 SUSE Package Hub 15 SUSE Package Hub 15 SP1 openSUSE Leap 15.0 openSUSE Leap 15.1 icingacli-2.7.3-bp151.5.3.1 icingaweb2-2.7.3-bp151.5.3.1 icingaweb2-common-2.7.3-bp151.5.3.1 icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 php-Icinga-2.7.3-bp151.5.3.1 icingacli-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 12 icingaweb2-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 12 icingaweb2-common-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 12 icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 12 icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 12 icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 12 icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 12 icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 12 icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 12 php-Icinga-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 12 icingacli-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 icingaweb2-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 icingaweb2-common-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 php-Icinga-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 icingacli-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 SP1 icingaweb2-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 SP1 icingaweb2-common-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 SP1 icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 SP1 icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 SP1 icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 SP1 icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 SP1 icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 SP1 icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 SP1 php-Icinga-2.7.3-bp151.5.3.1 as a component of SUSE Package Hub 15 SP1 icingacli-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.0 icingaweb2-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.0 icingaweb2-common-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.0 icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.0 icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.0 icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.0 icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.0 icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.0 icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.0 php-Icinga-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.0 icingacli-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.1 icingaweb2-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.1 icingaweb2-common-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.1 icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.1 icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.1 icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.1 icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.1 icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.1 icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.1 php-Icinga-2.7.3-bp151.5.3.1 as a component of openSUSE Leap 15.1 Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module. CVE-2018-18246 SUSE Package Hub 12:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 12:php-Icinga-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:php-Icinga-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 15:php-Icinga-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingacli-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-common-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:php-Icinga-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingacli-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-common-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:php-Icinga-2.7.3-bp151.5.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4EYR3CRPR6ULC3DIQMEBEOTBJQVA76WI/ https://www.suse.com/security/cve/CVE-2018-18246.html CVE-2018-18246 https://bugzilla.suse.com/1119784 SUSE Bug 1119784 Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter. CVE-2018-18247 SUSE Package Hub 12:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 12:php-Icinga-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:php-Icinga-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 15:php-Icinga-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingacli-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-common-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:php-Icinga-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingacli-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-common-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:php-Icinga-2.7.3-bp151.5.3.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4EYR3CRPR6ULC3DIQMEBEOTBJQVA76WI/ https://www.suse.com/security/cve/CVE-2018-18247.html CVE-2018-18247 https://bugzilla.suse.com/1119785 SUSE Bug 1119785 Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string. CVE-2018-18248 SUSE Package Hub 12:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 12:php-Icinga-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:php-Icinga-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 15:php-Icinga-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingacli-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-common-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:php-Icinga-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingacli-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-common-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:php-Icinga-2.7.3-bp151.5.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4EYR3CRPR6ULC3DIQMEBEOTBJQVA76WI/ https://www.suse.com/security/cve/CVE-2018-18248.html CVE-2018-18248 https://bugzilla.suse.com/1119801 SUSE Bug 1119801 Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet. CVE-2018-18249 SUSE Package Hub 12:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 12:php-Icinga-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:php-Icinga-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 15:php-Icinga-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingacli-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-common-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:php-Icinga-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingacli-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-common-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:php-Icinga-2.7.3-bp151.5.3.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4EYR3CRPR6ULC3DIQMEBEOTBJQVA76WI/ https://www.suse.com/security/cve/CVE-2018-18249.html CVE-2018-18249 https://bugzilla.suse.com/1119799 SUSE Bug 1119799 Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item. CVE-2018-18250 SUSE Package Hub 12:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 12:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 12:php-Icinga-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 15 SP1:php-Icinga-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingacli-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-common-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 SUSE Package Hub 15:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 SUSE Package Hub 15:php-Icinga-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingacli-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-common-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 openSUSE Leap 15.0:php-Icinga-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingacli-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-common-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-HTMLPurifier-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-JShrink-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-Parsedown-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-dompdf-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-lessphp-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:icingaweb2-vendor-zf1-2.7.3-bp151.5.3.1 openSUSE Leap 15.1:php-Icinga-2.7.3-bp151.5.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4EYR3CRPR6ULC3DIQMEBEOTBJQVA76WI/ https://www.suse.com/security/cve/CVE-2018-18250.html CVE-2018-18250 https://bugzilla.suse.com/1119800 SUSE Bug 1119800