Icinga Security Releases – 1.10.2, 1.9.4, 1.8.5

icingacoreFollowing up on our recent Icinga 1.10.2 bug fix release, we have backported patches to older versions and now present 1.8.5 and 1.9.4 for download.

These two new bug fix releases are important for users who allow public access to their Classic UI. In particular they deal with susceptibilities to:

  • (CVE-2013-7106) Buffer overflow errors, as fixed in #5250
  • (CVE-2013-7108) Off-by-one errors, as fixed in #5251

Please note: CVE-2013-7107 was identified and is being addressed with issue #5346. A fix will be integrated into Icinga 1.11. In the meantime, we recommend users with vulnerabilities to manage their user rights accordingly in the Classic UI.

Once again we thank the DTAG Group Information Security for their advice.

For a quick upgrade, keep an eye on our auto-built packages. As always, we welcome your feedback on our development tracker and support channels.

Icinga 1.10.2 Bug Fix Release

icingacoreIcinga 1.10.2 is out for download and is our prompt response to potential security issues. In particular, this release is recommended for users who allow public access to their Classic UI.

Aside from this, Icinga 1.10.2 irons out Oracle compiling and upgrading in IDOUtils and adds a few minor config related fixes to the Core. See our change log for more details.

Thanks to all users who have contributed their patches and bug reports, and special kudos goes to DTAG Group Information Security for alerting us to the security threats. Our development tracker is always open and we look forward to receiving your continued feedback.



  • Add an Icinga syntax plugin for Vim #4150 – LE/MF
  • Document dropped options log_external_commands_user and event_profiling_enabled #4957 – BA
  • Type in spec file on ido2db startup #5000 – MF
  • Build fails: xdata/xodtemplate.c requires stdint.h #5021 – SH


  • Fix status output in JSON format not including short and long plugin output properly #5217 – RB
  • Fix possible buffer overflows #5250 – RB
  • Fix Off-by-one memory access in process_cgivars() #5251 – RB


  • IDOUtils Oracle compile error #5059 – TD
  • Oracle update script 1.10.0 failes while trying to drop nonexisting index #5256 – RB

v1.10 Feature Preview: New Classic UI Filters

Icinga Classic UI users brace yourselves: clickable custom filters are on their way. If you really prefer to filter via URL, you are welcome to continue to do so, but the less swift of hand can look forward to:



Simply click on “Set Filters” and a pop up window with a range of options will appear. Click away and apply, to have your hosts or services filtered as you please.

From seeing which services are currently in WARNING or UNHANDLED states, to seeing which of them have notifications enabled or are flapping, the new filter ought to make Classic UI just that bit more intuitive and enjoyable to use.

Cheers to stku for the (longstanding) feature request, and my girlfriend for bearing with me while I cursed away at my computer upon discovering an annoying mistake in the source code. The curious will find my rants in the code on git.

We hope you look forward to Icinga 1.10 coming in 50 days as much as we do.

CVE-2013-2214 not valid for Icinga Classic UI

You may have seen CVE-2013-2214 allowing non-authorized users to view certain details in servicegroups. Ricardo verified the CVE details against Icinga Classic UI, and enlightened me that this behaviour was fixed long time ago. Icinga Classic UI first fetches all the data, applies filters and authorization checks against it, and then displays that data set not allowing any flaws here.

So you can fully ignore the CVE, it only applies to Nagios even if stated otherwise somewhere.

To WAP or not to WAP?

Team Icinga is toying with the idea of branching away from Nagios’ WAP interface. For those unfamiliar with it, the WAP interface was designed to display network status details on small LCD screens for mobiles before the advent of the smartphone.

With it you could view host group summaries, host and service statuses, (de)activate checks and notifications as well as acknowledge problems – all from your internet-enabled Nokia 6100.

Sadly since forking 3 years ago, we have not heard a single word on it from users, let alone bug reports or feature requests.

Combined with the fact that Icinga Mobile, Android and iOS apps are very cool – we’re thinking about removing WAP functionality from the CGIs, and investing our efforts elsewhere. But just to be sure, we thought we’d check with you – our Icinga user and developer community first:

[poll id=”10″]


Icinga Reporting – For Icinga-Web & Classic UI Users

In version 1.5, we released an Icinga Reporting Cronk pre-installed in the Icinga-Web interface. Though Icinga-Web users maybe happy, perhaps Icinga Classic users might appreciate the ability to generate flash looking reports too. Good news is, Icinga Reporting can also be used as an add-on to the JasperReports interface to edit, generate and send reports using data from the Icinga Core.

Integrating Icinga Reporting is simple, all you require is:

– a JasperReports server,

Icinga Core with a configured MySQL database and IDOUtils enabled

Icinga Reporting package

and the rest is very simple, as ernestoongaro shows in his Youtube webcast:

JasperReports Server with Icinga Monitoring
(Part 1: Installation)


Also, for those who would like to edit the existing report templates or create their own, ernestoongaro gives a quick introduction to Jasper’s iReport WYSIWG editor:

JasperReports Server with Icinga Monitoring
(Part 2: Usage & Basic Report Development)

Cheers to Ernesto for his easy-to-follow webcasts!

More information

Read more on Icinga Reporting’s features and how Icinga Reporting works. To get installation advice, see our Icinga Reporting Wiki articles.