XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: icinga2@packages.debian.org
Control: affects -1 + src:icinga2
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package icinga2
[ Reason ]
Fixes CVE-2025-48057.
[ Impact ]
Unfixed security issue.
[ Tests ]
Upstream test suite.
[ Risks ]
Low, we're not building with OpenSSL < 1.1.0.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
N/A
unblock icinga2/2.14.6-1
Kind Regards,
Bas
diff -Nru icinga2-2.14.5/CHANGELOG.md icinga2-2.14.6/CHANGELOG.md
--- icinga2-2.14.5/CHANGELOG.md 2025-02-05 15:12:30.000000000 +0100
+++ icinga2-2.14.6/CHANGELOG.md 2025-05-21 12:31:48.000000000 +0200
@@ -7,6 +7,19 @@
Released closed milestones can be found on [GitHub](
https://github.com/Icinga/icinga2/milestones?state=closed).
+## 2.14.6 (2025-05-27)
+
+This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which
+might incorrectly renew an invalid certificate. However, only nodes with access to the Icinga CA
+private key running with OpenSSL older than version 1.1.0 (released in 2016) are vulnerable. So this
+typically affects Icinga 2 masters running on operating systems like RHEL 7 and Amazon Linux 2.
+
+* CVE-2025-48057: Prevent invalid certificates from being renewed with OpenSSL older than v1.1.0.
+* Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same
+ function which is fixed as well, but in case it is triggered, typically only a wrong error code
+ may be shown in a
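Review bot: this hunk only adds changelog text, so the two behavioural claims it makes (that CVE-2025-48057 is limited to nodes holding the CA private key and running OpenSSL older than 1.1.0, and that the use-after-free in VerifyCertificate() at worst yields a wrong error code) cannot be checked here and should be confirmed against the code hunk that changes VerifyCertificate() in the rest of the debdiff before the unblock is granted. Given the request's [ Risks ] line that the Debian build does not use OpenSSL < 1.1.0, it would also help the release team if the accompanying d/changelog entry stated explicitly which of the two fixes actually changes behaviour for the Debian package, so the CVE reference is not read as implying the testing package was exploitable.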