Releases: Icinga/icingaweb2
Icinga Web Version 2.12.6
What's New in Version 2.12.6
You can find all issues related to this release on our Roadmap.
It's Like Fine Wine
Icinga Web 2.12 is now two years old. But like fine wine, it gets better with age. Each fix and improvement included this time enhances your experience with Icinga Web. Even if just a little bit. Maybe a small annoyance is gone now, or something you didn't even notice was broken is fixed.
But let's get to it, a small selection of fixes and improvements:
Icinga Web Version 2.12.5
What's New in Version 2.12.5
You can find all issues related to this release on our roadmap.
PHP 8.4 Support
We're again a little behind schedule, but now we support PHP 8.4! This means that installations on Ubuntu 25.04 and Fedora 42+ can now install Icinga Web without worrying about PHP related incompatibilities. Icinga packages will be available in the next few days.
Good Things Take Time
There's only a single (notable) recent issue that is fixed with this release. All the others are a bit older.
- External URLs set up as dashlets are not embedded the same as navigation items #5346
But the team sat together a few weeks ago and fixed a bug here and there. And of course, also in Icinga Web!
- Users who are not allowed to change the theme, cannot change the theme mode either #5385
- Improved compatibility with several SSO authentication providers #5000, #5227
- Filtering for older-than events with relative time does not work #5263
- Empty values are NULL in CSV exports #5350
Breaking, Somewhat
This is mainly for developers.
With the support of PHP 8.4, we introduced a new environment variable, ICINGAWEB_ENVIRONMENT. Unless it is set to dev, Icinga Web will neither show nor log deprecation notices anymore.
Icinga Web Version 2.12.4
What's New in Version 2.12.4
This is a hotfix release which fixes the following issue:
Database login broken after upgrade #5343
The following are the release notes of version 2.12.3 released earlier today. Included to keep them visible.
What's New in Version 2.12.3
Notice: This is a security release. It is recommended to upgrade immediately.
You can find all issues related to this release on our Roadmap.
Vulnerabilities, Closed
Cross-site scripting is one of the worst attacks on web-based platforms, especially if carrying it out is as easy as the first two mentioned here. You might recognize the open redirect on the login. You are correct, we attempted to fix it already with v2.11.3 but underestimated PHP's quirks. The last is difficult to exploit, hence the lowest severity of all, but don't be fooled by that!
All four of them are backported to v2.11.5.
- XSS in embedded content CVE-2025-27405
- DOM-based XSS CVE-2025-27404
- Open redirect on login page CVE-2025-30164
- Reflected XSS CVE-2025-27609
Big thanks to all finders / reporters! 👍
Bugs, Exterminated
Did you know that we started Icinga Notifications with support for PostgreSQL first? The reason is that we wanted to make sure we are fully compatible with it right away, to ensure that things like logging in with a PostgreSQL authentication/group backend are case-insensitive, as was always the case for MySQL. Now it really is case-insensitive! Two issues are also fixed that many of you will probably have noticed since v2.12.2. Sorry that it took so long :)
Icinga Web Version 2.12.3
What's New in Version 2.12.3
Notice: This is a security release. It is recommended to upgrade immediately.
You can find all issues related to this release on our Roadmap.
Vulnerabilities, Closed
Cross-site scripting is one of the worst attacks on web-based platforms, especially if carrying it out is as easy as the first two mentioned here. You might recognize the open redirect on the login. You are correct, we attempted to fix it already with v2.11.3 but underestimated PHP's quirks. The last is difficult to exploit, hence the lowest severity of all, but don't be fooled by that!
All four of them are backported to v2.11.5.
- XSS in embedded content CVE-2025-27405
- DOM-based XSS CVE-2025-27404
- Open redirect on login page CVE-2025-30164
- Reflected XSS CVE-2025-27609
Big thanks to all finders / reporters! 👍
Bugs, Exterminated
Did you know that we started Icinga Notifications with support for PostgreSQL first? The reason is that we wanted to make sure we are fully compatible with it right away, to ensure that things like logging in with a PostgreSQL authentication/group backend are case-insensitive, as was always the case for MySQL. Now it really is case-insensitive! Two issues are also fixed that many of you will probably have noticed since v2.12.2. Sorry that it took so long :)
Icinga Web Version 2.11.6
What's New in Version 2.11.6
This is a hotfix release which fixes the following issue:
Database login broken after upgrade #5343
The following are the release notes of version 2.11.5 released earlier today.
What's New in Version 2.11.5
Notice: This is a security release. It is recommended to upgrade immediately.
Vulnerabilities, Closed
Cross-site scripting is one of the worst attacks on web-based platforms, especially if carrying it out is as easy as the first two mentioned here. You might recognize the open redirect on the login. You are correct, we attempted to fix it already with v2.11.3 but underestimated PHP's quirks. The last is difficult to exploit, hence the lowest severity of all, but don't be fooled by that!
- XSS in embedded content CVE-2025-27405
- DOM-based XSS CVE-2025-27404
- Open redirect on login page CVE-2025-30164
- Reflected XSS CVE-2025-27609
Big thanks to all finders / reporters! 👍
Bugs, Exterminated
Did you know that we started Icinga Notifications with support for PostgreSQL first? The reason is that we wanted to make sure we are fully compatible with it right away, to ensure that things like logging in with a PostgreSQL authentication/group backend are case-insensitive, as was always the case for MySQL. Now it really is case-insensitive!
Icinga Web Version 2.11.5
What's New in Version 2.11.5
Notice: This is a security release. It is recommended to upgrade immediately.
Vulnerabilities, Closed
Cross-site scripting is one of the worst attacks on web-based platforms, especially if carrying it out is as easy as the first two mentioned here. You might recognize the open redirect on the login. You are correct, we attempted to fix it already with v2.11.3 but underestimated PHP's quirks. The last is difficult to exploit, hence the lowest severity of all, but don't be fooled by that!
- XSS in embedded content CVE-2025-27405
- DOM-based XSS CVE-2025-27404
- Open redirect on login page CVE-2025-30164
- Reflected XSS CVE-2025-27609
Big thanks to all finders / reporters! 👍
Bugs, Exterminated
Did you know that we started Icinga Notifications with support for PostgreSQL first? The reason is that we wanted to make sure we are fully compatible with it right away, to ensure that things like logging in with a PostgreSQL authentication/group backend are case-insensitive, as was always the case for MySQL. Now it really is case-insensitive!
Icinga Web Version 2.12.2
What's New in Version 2.12.2
You can find all issues related to this release on our Roadmap.
General Fixes
Icinga Web has become quite mature over the years. Typically, only new features cause issues and require fixing. However, there is always an exception to every rule, as shown by the issue where roles were not sorted by name. We also improved the settings menu — the one that opens when hovering over the cog icon next to your name. We heard your feedback about it closing too easily and made it more user-friendly. With v2.12.0, we introduced a new security feature, the Content-Security-Policy header, which is designed to prevent cross-site scripting attacks. Ironically, we initially forgot to include the script-src policy in it.
- Sort by name of roles does not work properly #4789
- Settings menu flyout closes too fast / easy #5196
- CSP header is missing the script-src policy #5180
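An added example (not Icinga Web's own code) of a check that catches this kind of omission: it parses a Content-Security-Policy header value and reports when no directive governs script loading, or when the governing directive is weakened. The function names are hypothetical and the header strings are constructed samples, not the header Icinga Web sends.

```python
# Added example: audit a Content-Security-Policy value for script controls.
# Function names are hypothetical; header values are constructed samples.

def parse_csp(header_value):
    """Parse a CSP value into {directive: [sources]}.

    Directive names are case-insensitive, and only the first occurrence
    of a directive counts; later duplicates are ignored by browsers.
    """
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_script_policy(header_value):
    """Return findings about which directive, if any, restricts scripts."""
    policy = parse_csp(header_value)
    findings = []
    if "script-src" in policy:
        governing = "script-src"
    elif "default-src" in policy:
        governing = "default-src"
        findings.append("script-src missing; scripts fall back to default-src")
    else:
        return ["no script-src or default-src; script loading is unrestricted"]
    sources = [s.lower() for s in policy[governing]]
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in sources)
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    if "'unsafe-inline'" in sources and not strict:
        findings.append(governing + " allows 'unsafe-inline'")
    if "'unsafe-eval'" in sources:
        findings.append(governing + " allows 'unsafe-eval'")
    if "*" in sources:
        findings.append(governing + " allows any host (*)")
    return findings


if __name__ == "__main__":
    samples = [  # constructed header values
        "style-src 'self' 'nonce-abc123'; font-src 'self' data:",
        "script-src 'self'; style-src 'self' 'nonce-abc123'",
        "default-src 'self'; img-src * data:",
    ]
    for value in samples:
        print(value, "->", audit_script_policy(value) or "ok")
```

The first sample is the failure mode described above: a policy that restricts styles and fonts but has neither script-src nor default-src places no restriction on scripts at all.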
Love For an Old Fellow
The monitoring module has been part of Icinga Web from the very beginning. Although it’s being replaced by Icinga DB Web, some of you still rely on it, which is why we continue to fix issues — even if they’re not entirely our responsibility, as the first example demonstrates. This particular issue only affects users on PHP 8.1 (> .24). The second issue, introduced by a contribution in v2.12.0, caused some history entries to disappear but was resolved with another contribution — a great example of teamwork. The third issue is also a testament to the module's age: Icinga 2 has automatically removed child downtimes since v2.13.0, and this is now accounted for in the module as well.
- Broken event overview due to IntlDateFormatter #5172
- Downtimes, which were started and canceled, are missing in the history #5176
- Usage of IcingaWeb2 api command returns 404, but is successful #5183
Awesome Customizations
Many of you have already tried Icinga DB Web and might have noticed it uses slightly different icons for its sidebar entries. These icons are provided by Font Awesome, and now you can use them as well. Just find a suitable icon on their website and prefix its name with fa-. If you hadn’t used an icon at all for a menu item and upgraded to Icinga DB Web, opening it will no longer result in an error. Lastly, a particularly tricky issue caused the dashboard to display dashlets twice and prevented their deletion. This should be fixed now — fingers crossed!
- Allow fontawesome icons as menu items #5205
- Error while opening a navigation root item #5177
- Dashlets twice in dashboard & not deletable #5203
Framework Enhancements
Those of you who take customization to the next level will be glad to hear that hooking into the rendering of plugin output is now easier, as the first line and long output are now combined when passed to the renderer. Anyone using the Icinga Web Graphite Integration may be familiar with this issue and will be relieved to know that graphs no longer disappear when using graph controls. And finally, a new release for Icinga Director is coming next week, which will hook into the rendering of custom variables. This feature has been available since Icinga Web v2.10.0, but it’s now slightly improved.
Icinga Web Version 2.12.1
What's New in Version 2.12.1
You can find all issues related to this release on our Roadmap.
PHP 8.3 Support
This time we're a little ahead for once. PHP 8.3 is due in a week, and we are compatible with it now! There's not much else to say about it, so let's continue with the fixes.
- Support for PHP 8.3 #5136
Fixes
You may have noticed a dashboard endlessly loading in the morning after you got to work again. The web server may also have stopped that with a complaint about a too long URL. This is now fixed and the dashboard should appear as usual. Then there was an issue with our support for PostgreSQL. We had already learned the hard way, again and again, to avoid such issues. Still, this one slipped through our thorough testing and prevented some from successfully migrating the database schema. It's fixed now. Another fixed issue is that the UI looked somewhat skewed if you had CSP enabled and logged out and in again.
Icinga Web Version 2.12.0
What's New in Version 2.12.0
You can find all issues related to this release on our Roadmap.
PHP 8.2 Support
This release finally adds support for the latest version of PHP, 8.2. This means that installations on Debian Bookworm, Ubuntu 23.10 and Fedora 38+ can now install Icinga Web without worrying about PHP related incompatibilities. Some of our other modules still require an update, which they will receive in the coming weeks. Next week Icinga DB Web will follow. Icinga Certificate Monitoring, Icinga Business Process Modeling and Icinga Reporting the weeks after.
- Support for PHP 8.2 #4918
Simplified Database Migrations
Anyone who already performed an upgrade of Icinga Web or some Icinga Web module in the past has done it: A database schema upgrade. This usually involved the following steps:
- Knowing that a database might need an upgrade
- Figuring out if that's true, by checking the upgrade documentation
- Alternatively relying on the users to find out about it as they're running into database errors
- Locating the upgrade file
- Connecting to the machine the database is running on
- Transferring the upgrade file over
- Importing the upgrade file into the correct database
With Icinga Web v2.12 and later, upgrade the application and, yes, still check the upgrade documentation. That's still mandatory! But if you notice there that only a database upgrade is necessary, you can simply log in and check the Migrations section in the System menu. With a single additional click, you can then perform the database upgrade directly in the UI. This view also offers to migrate module databases. The earlier mentioned updates of Icinga Certificate Monitoring and Icinga Reporting will pop up there once they arrive.
- Provide a way to easily perform database migrations #5043
Content-Security-Policy Conformance
Err, what? That's an HTTP header to prevent cross-site scripting (XSS) attacks. Still confused? It's a technique to stop bad individuals. A very effective technique even. You don't need to do anything other than visiting the general configuration of Icinga Web and enabling the respective setting. The only downer here is that support for it isn't as widespread yet as you might hope. Icinga Web itself of course has it, but not all modules. But don't worry, you might have guessed it already, those are the same modules which will receive updates in the coming weeks.
- Support for Content-Security-Policy #4528
Other Notable Changes
The big changes mentioned above are not the only ones in this release.
Some module developers may be happy to hear that the server now has more control over the UI. With a new JavaScript event, it is now possible to react to a column's content being moved to another column. The framework now also has a built-in, easy way to mark content in the UI as copyable by the user with a single click.
- Allow to initiate a refresh with __REFRESH__ #5108
- Don't refresh twice upon __CLOSE__ #5106
- Add event column-moved #5049
- Add copy-to-clipboard behavior #5041
Then there are some fixes related to other integrations. It is now possible to set up resources for Oracle databases without a host setting, which facilitates dynamic host name resolution. A part of the monitoring module's integration into Icinga Certificate Monitoring prevents a crash of its collector daemon in case the connection to the IDO was interrupted. And content exported to CSV that contains double quotes is now correctly escaped.
Icinga Web Version 2.11.4
What's New in Version 2.11.4
You can find all issues related to this release on our Roadmap.
Notable Fixes
- Add/Edit dashlet not possible #4970
- Custom library path + custom library, without slash in its name, results in exception #4971
- Reflected XSS vulnerability in User Backends config page #4979
Changes in Packaging
- The location of schema files has changed. Upgrade scripts, for example, can be found at /usr/share/icingaweb2/schema/*-upgrades/. Older versions install these files to /usr/share/doc/icingaweb2/schema/*-upgrades/ for RPM-based systems and /usr/share/icingaweb2/etc/schema/*-upgrades/ for Debian or Ubuntu.