Your message dated Tue, 1 Apr 2025 21:32:47 +0200
with message-id <[email protected]>
and subject line Re: Accepted icingaweb2-module-director 1.11.4-1 (source) into unstable
has caused the Debian Bug report #1101882,
regarding icingaweb2-module-director: CVE-2025-23203
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1101882: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101882
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: icingaweb2-module-director
Version: 1.11.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for icingaweb2-module-director.
CVE-2025-23203[0]:
| Icinga Director is an Icinga config deployment tool. A security
| vulnerability has been found starting in version 1.0.0 and prior to
| 1.10.3 and 1.11.3 on several Director endpoints of the REST API. To
| reproduce this vulnerability an authenticated user with permission
| to access the Director is required (plus API access with regard to
| the API endpoints). And even though some of these Icinga Director
| users are restricted from accessing certain objects, they are able to
| retrieve information related to them if their name is known. This
| makes it possible to change the configuration of these objects by
| those Icinga Director users restricted from accessing them. This
| results in further exploitation, data breaches and sensitive
| information disclosure. Affected endpoints include
| icingaweb2/director/service, if the host name is left out of the
| query; icingaweb2/director/notification;
| icingaweb2/director/serviceset; and icingaweb2/director/scheduled-downtime.
| In addition, the endpoint
| `icingaweb2/director/services?host=filteredHostName` returns a
| status code 200 even though the services for the host are filtered.
| This in turn lets the restricted user know that the host
| `filteredHostName` exists even though the user is restricted from
| accessing it. This could again result in further exploitation of
| this information and data breaches. Icinga Director has patches in
| versions 1.10.3 and 1.11.1. If upgrading is not feasible, disable
| the director module for users other than the admin role for the time
| being.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
Note the information available is a bit confusing, so it needs some
clarification if you can identify the change from 1.11.1. While the
description claims that it is fixed in 1.11.1, this is in disagreement
with the advisory itself[1], saying it is in 1.11.3 and furthermore
the actual commit restricting the endpoints is in 1.11.4[2].
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-23203
https://www.cve.org/CVERecord?id=CVE-2025-23203
[1] https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3233-ggc5-m3qg
[2] https://github.com/Icinga/icingaweb2-module-director/commit/3fcb20178ff1722329bf8689795e6cc8e53a9978
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
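The CVE text above describes two related authorization defects: restricted Director users can read objects by name because only the module permission is checked, and the services endpoint answers 200 with an empty list for a filtered host, revealing that it exists. The following added example (not Icinga Director's code; the inventory, zone-based restriction and `User` class are constructed stand-ins) models both defects beside the defensive pattern that closes them: evaluate the restriction inside the lookup and return an identical 404 for filtered and nonexistent names.

```python
"""Added example, not Icinga Director's code: restriction-aware REST lookups.

Models the two defects described for CVE-2025-23203 in the report above and
the defensive pattern that closes both: evaluate the user's object restriction
as part of the lookup itself, so a filtered object is indistinguishable from a
nonexistent one. All data is constructed sample data."""
from dataclasses import dataclass, field

# Constructed sample inventory; the restriction filters on the "zone" field.
HOSTS = {
    "db01": {"zone": "prod", "services": ["mysql", "ssh"]},
    "web01": {"zone": "dmz", "services": ["http"]},
}

@dataclass
class User:
    name: str
    can_use_director: bool          # module permission, checked everywhere
    allowed_zones: set = field(default_factory=set)  # empty = unrestricted

    def may_see(self, host: dict) -> bool:
        return not self.allowed_zones or host["zone"] in self.allowed_zones

def host_vulnerable(user: User, name: str):
    """Defect 1: only the module permission is checked, so any restricted user
    who knows an object's name can read its configuration."""
    if not user.can_use_director:
        return 403, None
    return (200, HOSTS[name]) if name in HOSTS else (404, None)

def services_vulnerable(user: User, name: str):
    """Defect 2: the restriction filters the *list*, but the status stays 200,
    so an empty 200 tells the user the filtered host exists."""
    if not user.can_use_director:
        return 403, None
    if name not in HOSTS:
        return 404, None
    return 200, (list(HOSTS[name]["services"]) if user.may_see(HOSTS[name]) else [])

def lookup_hardened(user: User, name: str, what: str):
    """Fix for both: the restriction is part of the lookup, and unknown and
    filtered names produce identical 404 responses. `what` is "host" or
    "services"."""
    if not user.can_use_director:
        return 403, None
    h = HOSTS.get(name)
    if h is None or not user.may_see(h):
        return 404, None
    return 200, (h if what == "host" else list(h["services"]))
```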
--- Begin Message ---
Source: icingaweb2-module-director
Source-Version: 1.11.4-1
On Tue, Apr 01, 2025 at 02:36:04PM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Tue, 01 Apr 2025 15:29:54 +0200
> Source: icingaweb2-module-director
> Architecture: source
> Version: 1.11.4-1
> Distribution: unstable
> Urgency: medium
> Maintainer: David Kunz <[email protected]>
> Changed-By: David Kunz <[email protected]>
> Closes: 1094250 1099376
> Changes:
> icingaweb2-module-director (1.11.4-1) unstable; urgency=medium
> .
> * d/rules: Remove entry for non-existent file.
> * Updating copyright for d/.
> * Adding Brazilian Portuguese debconf translations from Paulo Henrique de Lima Santana (Closes: #1094250).
> * Updating Standards-Version to 4.7.0.
> * Adding Portuguese debconf translations from Américo Monteiro (Closes: #1099376).
> * Merging upstream version 1.11.4.
--- End Message ---