Affected versions: NetBSD 10.0

~4 min read  •  Source: pkgsrc audit-packages entry

Related CVEs: CVE-2021-32739 CVE-2025-48057 CVE-2025-61909 CVE-2024-49369 CVE-2021-32743 CVE-2021-37698 CVE-2025-61907 CVE-2025-61908

Upstream summary: pkgsrc audit-packages flagged icinga2<2.12.5 for vulnerability class 'privilege-escalation'. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-32739

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On NetBSD 10.0 hosts with icinga2 installed from pkgsrc, the symptom matches the pkgsrc audit-packages entry: pkg_admin audit flags the installed package as vulnerable (pattern icinga2<2.12.5, class privilege-escalation), and until the package is upgraded the host runs an Icinga 2 build affected by the CVEs listed above. A second, non-security symptom can follow the upgrade itself: the icinga2 rc.d service, or packages that depend on icinga2, may misbehave or refuse to start when shared libraries or dependants were not rebuilt together. Impact therefore ranges from a single service restart cycle to a full availability incident when icinga2 sits on the serving path of a NetBSD server.

Environment & Reproduction

Reproduction targets NetBSD 10.0. Confirm release, kernel, and installed package state:

uname -a
cat /etc/release
sysctl kern.version
sysctl kern.osrelease
pkg_info -e icinga2 && pkg_info icinga2 | head -20
pkgin list | wc -l

Trigger the workflow that produced the symptom (the audit run, the upgrade, or the service restart) while collecting:

tail -200 /var/log/messages
tail -200 /var/log/authlog
dmesg | tail -200
# pkgsrc transaction log (location varies; check both):
tail -200 /var/db/pkgin/pkg_install-err.log 2>/dev/null
tail -200 /var/log/pkgsrc.log 2>/dev/null

Root Cause Analysis

The root cause is an installed icinga2 version that falls inside the pattern recorded in the pkg-vulnerabilities feed (icinga2<2.12.5). NetBSD pkgsrc-security maintains that feed; pkg_admin fetch-pkg-vulnerabilities downloads it and pkg_admin audit compares every installed package name and version against it, so a host running a pre-fix build stays flagged until the package is upgraded. Refresh the feed before trusting any audit result, then correlate with system logs and kernel state only if the upgrade itself misbehaves:

sudo pkg_admin fetch-pkg-vulnerabilities   # refresh the audit feed first
sudo pkg_admin audit-pkg icinga2           # per-package audit
sudo pkg_admin audit                       # full-system audit
tail -500 /var/log/messages
sysctl kern.osrelease kern.osrevision      # NetBSD names; kern.osreldate is FreeBSD
# Hash the on-disk kernel for the change record (compare with a known-good build):
cksum -a sha256 /netbsd
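The matching that pkg_admin audit performs is simple enough to show in full. The following is an added illustration, not pkg_install's own code: it reimplements, in simplified form, the dewey version comparison and pattern matching that decide whether an installed package falls inside a feed entry such as icinga2<2.12.5. The feed excerpt and the installed-package list are constructed; only the icinga2 line is the real entry discussed on this page, the other package names and .invalid URLs are invented to exercise ranges and globs. Brace alternatives ({foo,bar}<1.0) are not handled.

```python
"""Added illustration of how pkg_admin audit decides a hit: each line of the
pkg-vulnerabilities feed is a package pattern, a class and a reference URL,
and each installed name-version is tested against the pattern.  This is a
stand-alone, simplified reimplementation, not pkg_install's dewey.c:
numeric components, '.', '_', alpha/beta/pre/rc/pl, single letters and
'nbN' revisions are handled, plus glob patterns; brace alternatives such
as {foo,bar}<1.0 are not."""
import fnmatch
import re

# Constructed feed excerpt (pattern <tab> class <tab> URL).  Only the
# first line is the real entry this page discusses; the other package
# names are invented (.invalid URLs) to exercise ranges and globs.
SAMPLE_FEED = """\
icinga2<2.12.5\tprivilege-escalation\thttps://nvd.nist.gov/vuln/detail/CVE-2021-32739
example-pkg>=1.0<1.2.3nb2\tremote-code-execution\thttps://example.invalid/adv-1
example-lib-1.[0-9]*\tdenial-of-service\thttps://example.invalid/adv-2
"""

# Constructed list in the name-version form that pkg_info prints.
SAMPLE_INSTALLED = ["icinga2-2.12.4nb1", "example-pkg-1.2.3nb1",
                    "example-lib-1.4", "example-lib-2.0"]

# Modifier ordering as in dewey.c: alpha < beta < pre/rc < release.
_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def dewey(version):
    """Split '2.12.4rc1nb2' into ([2, 0, 12, 0, 4, -1, 1], 2)."""
    nb = 0
    m = re.search(r"nb(\d+)$", version)
    if m:
        nb, version = int(m.group(1)), version[:m.start()]
    comps = []
    for tok in re.findall(r"\d+|[A-Za-z]+|[._]", version):
        if tok.isdigit():
            comps.append(int(tok))
        elif tok in "._":
            comps.append(0)                     # separators count as 0
        elif tok.lower() in _MODIFIERS:
            comps.append(_MODIFIERS[tok.lower()])
        elif len(tok) == 1:                     # 1.2a sorts after 1.2
            comps.extend([0, ord(tok.lower()) - ord("a") + 1])
        # other letter runs are skipped, as dewey.c skips unknown text
    return comps, nb


def dewey_cmp(a, b):
    """Return -1, 0 or 1 comparing two version strings the pkgsrc way."""
    ca, na = dewey(a)
    cb, nb = dewey(b)
    width = max(len(ca), len(cb))
    ca += [0] * (width - len(ca))   # pad with zeros so 1.0 == 1.0.0
    cb += [0] * (width - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    return (na > nb) - (na < nb)    # nb revisions decide only on a tie


_NAME_VERSION = re.compile(r"^(.*)-(\d[^-]*)$")
_CONDITION = re.compile(r"([<>]=?)([^<>]+)")
_ALLOWED = {"<": (-1,), "<=": (-1, 0), ">": (1,), ">=": (0, 1)}


def pattern_matches(pattern, pkg):
    """True if installed package 'pkg' (name-version) falls in the pattern."""
    if not any(op in pattern for op in "<>"):
        return fnmatch.fnmatchcase(pkg, pattern)      # glob, e.g. foo-1.[0-9]*
    m = _NAME_VERSION.match(pkg)
    if m is None:
        return False
    name, installed = m.groups()
    pat_name = re.split(r"[<>]", pattern, maxsplit=1)[0]
    if name != pat_name:
        return False
    conditions = _CONDITION.findall(pattern[len(pat_name):])
    return all(dewey_cmp(installed, ver) in _ALLOWED[op] for op, ver in conditions)


def audit(feed_text, installed):
    """Return hits as (package, class, url), in feed order like pkg_admin audit."""
    hits = []
    for line in feed_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, vclass, url = line.split(None, 2)
        hits.extend((pkg, vclass, url) for pkg in installed
                    if pattern_matches(pattern, pkg))
    return hits


if __name__ == "__main__":
    for pkg, vclass, url in audit(SAMPLE_FEED, SAMPLE_INSTALLED):
        print(f"Package {pkg} has a {vclass} vulnerability, see {url}")
```

Two details matter for triage. First, a shorter version is padded with zeros, so 2.12.5 and 2.12.5.0 compare equal while an nb revision only breaks ties; this is why icinga2-2.12.5 clears the entry but icinga2-2.12.4nb9 does not. Second, a feed pattern is an exact package-name match followed by a range, so a renamed or forked package (icinga2-ng, say) would silently not be audited at all.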

Quick Triage

Run these checks on NetBSD 10.0 to confirm the failure mode and the current state of icinga2:

pkgin search ^icinga2$                       # confirm pkgin can see it
pkgin show-deps icinga2                      # forward dependencies
pkgin show-rev-deps icinga2                  # reverse dependencies
sudo pkg_admin audit-pkg icinga2             # audit just this package
tail -100 /var/log/messages
tail -100 /var/log/authlog
dmesg | tail -100
# If icinga2 ships an rc.d script (script name may differ, e.g.
# bind→named, php→php_fpm, apache→apache), check it:
grep -l icinga2 /etc/rc.d/* 2>/dev/null
service -e 2>/dev/null | grep -i icinga2
# Firewall posture (npf is default in NetBSD 10; ipf still available):
npfctl show 2>/dev/null || ipfstat -hin 2>/dev/null

Step-by-Step Diagnosis

  1. Refresh the pkgsrc audit feed and run a full system audit.

    sudo pkg_admin fetch-pkg-vulnerabilities
    sudo pkg_admin audit
  2. Tail live logs while reproducing the issue.

    tail -F /var/log/messages
    tail -F /var/log/authlog
    dmesg | tail -200
  3. Inspect firewall rules; NetBSD 10 defaults to npf, older deployments may still run ipf.

    npfctl rule "block-in" list 2>/dev/null   # "block-in" is a placeholder; use the group names from your npf.conf
    npfctl show 2>/dev/null
    ipfstat -hin 2>/dev/null
    ipfstat -nio 2>/dev/null
  4. Confirm enabled services in /etc/rc.conf and current daemon state.

    grep -E '=YES' /etc/rc.conf
    service -e 2>/dev/null | grep -i icinga2
    sudo service <rc-script-name> status
  5. Verify the on-disk integrity of the package files for icinga2.

    pkg_admin check icinga2
    pkg_info -L icinga2 | xargs -I{} cksum -a sha256 {} 2>/dev/null | head
  6. Correlate the audit hit with the pkgsrc CVS log for the icinga2 package directory (the commit that bumped it to the fixed version) and with the upstream advisory, to confirm which installed version closes the flagged CVE.

Solution – Primary Fix

Refresh the pkgin package index and upgrade icinga2 (and its dependants), then re-run the audit so the pkg-vulnerabilities feed confirms the new version is outside the flagged range:

sudo pkgin update
sudo pkgin upgrade icinga2            # single package
sudo pkgin full-upgrade             # whole-system pkgsrc upgrade
sudo pkg_admin fetch-pkg-vulnerabilities
sudo pkg_admin audit-pkg icinga2      # confirm no remaining audit entry
# If icinga2 ships an rc.d service, restart it (the rc-script name may differ from pkg name):
# sudo service <rc-script-name> restart

For administrators who build from a local pkgsrc tree:

# Refresh the tree (CVS) or pull a fresh tarball:
cd /usr/pkgsrc && sudo cvs -q update -dP
cd /usr/pkgsrc/<category>/icinga2 && sudo make replace clean
# Or rebuild + binary package output:
cd /usr/pkgsrc/<category>/icinga2 && sudo make package-install

For base-system fixes, NetBSD does not ship binary syspatches like OpenBSD. Rebuild from source (CVS or release tarball) or move to a newer build:

# Option A: in-place upgrade via the sysupgrade pkgsrc tool:
sudo pkgin install sysupgrade
sudo sysupgrade auto https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-10/latest/amd64/
# Option B: rebuild from the source tree:
cd /usr/src && sudo ./build.sh -O /var/obj -T /var/tools -U tools
cd /usr/src && sudo ./build.sh -O /var/obj -T /var/tools -U distribution
cd /usr/src && sudo ./build.sh -O /var/obj -T /var/tools -U install=/
# Option C: fetch a HEAD/release tarball and extract base.tgz over /:
cd /var/tmp && ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-10/latest/amd64/binary/sets/base.tgz
cd / && sudo tar xzpf /var/tmp/base.tgz

Reboot only if the upgrade replaced the kernel (/netbsd) or shared libraries used by long-running daemons.


Solution – Alternative Approaches

If the primary fix is not viable, choose from these alternatives:

  • Pin the package at its current version while staging a coordinated rollout. pkgsrc has no first-class “lock”; record the build info, keep the binary package you installed from, and hold the version for pkgin (pkgin keep only protects a package from autoremove; a pattern in /usr/pkg/etc/pkgin/preferred.conf is the supported way to constrain the version):

    pkg_info -X icinga2 > /root/icinga2.pin.txt
    # Save the current .tgz from /usr/pkgsrc/packages/All/icinga2-<ver>.tgz
    # Hold the version for pkgin (pattern syntax as accepted by pkg_info -e):
    echo 'icinga2-2.12.4*' | sudo tee -a /usr/pkg/etc/pkgin/preferred.conf
    # Some pkgin versions also accept an explicit avoid list:
    sudo pkgin -y avoid icinga2 2>/dev/null || true
  • Roll icinga2 back to a known-good binary package:

    # 1. List versions available from the configured pkgin repo:
    pkgin search ^icinga2$
    # 2. Force-install a specific .tgz from a saved build:
    sudo pkg_add -f /usr/pkgsrc/packages/All/icinga2-<older-version>.tgz
    # 3. Or point pkgin at the previous quarterly branch via /usr/pkg/etc/pkgin/repositories.conf
  • Switch the pkgin repository between branches by editing /usr/pkg/etc/pkgin/repositories.conf:

    # /usr/pkg/etc/pkgin/repositories.conf
    https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/$arch/$osrelease/All
    # Then:
    sudo pkgin update
    sudo pkgin upgrade icinga2
  • Build from source against a different pkgsrc branch (quarterly vs. HEAD):

    cd /usr && sudo cvs -d :pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -P pkgsrc
    cd /usr/pkgsrc/<category>/icinga2 && sudo make replace clean clean-depends
  • Sandbox the affected service with stricter firewall rules until a fix is verified; npf.conf example (Icinga 2's API and cluster traffic use 5665/tcp by default; the trusted address below is a documentation example, substitute your master or satellite nodes):

    # /etc/npf.conf (fragment; npf rules must sit inside a group)
    $ext_if = "wm0"
    $icinga2_port = 5665
    $trusted = { 192.0.2.10 }
    group default {
      pass in final on $ext_if proto tcp from $trusted to port $icinga2_port
      block in final on $ext_if proto tcp to port $icinga2_port
    }
    # Check the syntax, then load the ruleset:
    sudo npfctl validate
    sudo npfctl reload
    sudo npfctl show
  • Replace the service with a vendored static build for the interval between exposure detection and full rollout.

Verification & Acceptance Criteria

All of these should pass after the fix:

pkg_info icinga2                           # shows the expected fixed version
sudo pkg_admin audit-pkg icinga2           # no audit hit for this package
sudo pkg_admin audit                     # no audit hits anywhere
tail -50 /var/log/messages              # no new errors after upgrade
tail -50 /var/log/authlog               # no auth anomalies
# If icinga2 ships an rc.d service, confirm it is running:
# sudo service <rc-script-name> status
# Verify base kernel integrity if the upgrade touched /netbsd:
cksum -a sha256 /netbsd

The symptom that triggered this guide (the audit hit for icinga2, and any post-upgrade service failure) must not recur across two consecutive runs of the checks above.

Rollback Plan

Capture state before any change:

pkg_info -X > /root/pkg-pre.txt
cp -a /etc/rc.conf /etc/rc.conf.pre-patch
# Snapshot the root filesystem if you are on ZFS (dataset name is an example; use zfs list):
sudo zfs snapshot rpool/ROOT/netbsd@pre-icinga2-patch 2>/dev/null || true

To revert if the upgrade is bad:

# Reinstall the previously saved binary package:
sudo pkg_add -f /usr/pkgsrc/packages/All/icinga2-<previous-version>.tgz
# Or roll back via pkgin if a previous version is still in the repo:
sudo pkgin install icinga2-<previous-version>
# Restore rc.conf if it was edited:
sudo cp /etc/rc.conf.pre-patch /etc/rc.conf
# Rollback ZFS snapshot (only if you took one above):
sudo zfs rollback rpool/ROOT/netbsd@pre-icinga2-patch 2>/dev/null || true

For a base-system / kernel regression, boot the previous kernel from the loader prompt (press 5 at the boot menu, then boot netbsd.old).

Prevention & Hardening

Reduce the chance of this recurring on NetBSD 10.0 hosts running icinga2:

  • Run the pkgsrc audit daily. NetBSD's own periodic scripts already do this when fetch_pkg_vulnerabilities=YES is set in /etc/daily.conf and check_pkg_vulnerabilities=YES in /etc/security.conf; if you do not use those, add it to /etc/daily.local:

    # /etc/daily.local
    pkg_admin fetch-pkg-vulnerabilities
    pkg_admin audit | mail -E -s 'pkgsrc audit' root
  • Subscribe to netbsd-announce and pkgsrc-security at mail-index.NetBSD.org and watch the NetBSD Security Advisories index.

  • Mirror pkgsrc binary packages locally so production hosts pull from a vetted feed:

    # Bulk-build a private pkgsrc repo (one-time bootstrap; the pkgsrc guide
    # describes the full pbulk setup, conventionally under /usr/pbulk):
    cd /usr/pkgsrc/pkgtools/pbulk && sudo make install clean
    sudo bulkbuild          # reads pbulk.conf from the pbulk prefix (e.g. /usr/pbulk/etc/pbulk.conf)
    # Then publish the resulting packages/ directory behind nginx or rsync.
  • Keep sysupgrade installed and dry-run it before scheduled windows:

    sudo pkgin install sysupgrade
    sudo sysupgrade -n auto https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-10/latest/amd64/
  • Harden the firewall with npf default-deny and reload after edits:

    # /etc/npf.conf
    $ext_if = "wm0"
    group default {
      block all
      pass in final on $ext_if proto tcp to port { ssh }
      pass out final all
    }
    sudo npfctl reload
    sudo npfctl start
  • Monitor file integrity with the NetBSD-shipped veriexec subsystem or with mtree:

    # mtree baseline of critical config dirs:
    sudo mtree -c -K sha256digest -p /etc       > /var/db/etc.mtree
    sudo mtree -c -K sha256digest -p /usr/pkg/etc > /var/db/usr-pkg-etc.mtree
    # Verify later:
    sudo mtree -p /etc < /var/db/etc.mtree
    # veriexec (kernel-enforced):
    sudo veriexecgen -o /etc/signatures
    sudo veriexecctl load /etc/signatures
  • Verify checksums when applying base-system updates. The project publishes SHA512 and MD5 files alongside the sets on nycdn.NetBSD.org, and signs the checksum files for formal releases. A checksum fetched from the same mirror over the same channel only detects corruption, not substitution, so for production pulls verify the release signature on the checksum file or obtain the digests out of band:

    # Fetch set + checksum file, then verify before extracting:
    ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-10/latest/amd64/binary/sets/base.tgz
    ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-10/latest/amd64/binary/sets/SHA512
    grep base.tgz SHA512 | cksum -a sha512 -c -
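For fleet tooling that verifies a set before extraction, the BSD-style checksum line format is worth handling explicitly rather than with a grep. The following is an added example, not NetBSD project code: it parses a SHA512/MD5 file as cksum prints it ("SHA512 (base.tgz) = <hex>"), prefers the strongest algorithm when a file is listed twice, compares digests in constant time, fails closed when a file has no entry, and demonstrates a tampered download on a constructed stand-in for base.tgz.

```python
"""Added example, not NetBSD project code: check a downloaded set against the
BSD-style checksum file published next to it ('SHA512 (base.tgz) = <hex>').
A matching digest shows the download is intact; it proves authenticity only
if the checksum file itself was obtained over a trusted channel or its
signature was verified first."""
import hashlib
import hmac
import os
import re
import tempfile

_ENTRY = re.compile(r"^(MD5|SHA256|SHA512)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)$")
_STRENGTH = {"md5": 0, "sha256": 1, "sha512": 2}


def parse_checksums(text):
    """Map file name -> (algorithm, hex digest), keeping the strongest
    algorithm when a name appears in more than one line."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue                      # ignore comments and other lines
        algo, name, digest = m.group(1).lower(), m.group(2), m.group(3).lower()
        if name not in table or _STRENGTH[algo] > _STRENGTH[table[name][0]]:
            table[name] = (algo, digest)
    return table


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so large sets do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_set(checksum_text, path):
    """True if the file matches its entry; KeyError if the file has none
    (a missing entry must fail closed, never be treated as a pass)."""
    algo, expected = parse_checksums(checksum_text)[os.path.basename(path)]
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo():
    """Constructed walk-through: a stand-in base.tgz, its checksum line,
    then a one-byte change.  Returns (ok_before, ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "base.tgz")
        with open(path, "wb") as f:
            f.write(b"stand-in for a NetBSD set, constructed for this example\n")
        # Build the checksum text the way cksum -a sha512 prints it; a weaker
        # MD5 line for the same file is present to show it is ignored.
        checksums = (f"MD5 (base.tgz) = {file_digest(path, 'md5')}\n"
                     f"SHA512 (base.tgz) = {file_digest(path, 'sha512')}\n")
        before = verify_set(checksums, path)
        with open(path, "r+b") as f:          # simulate a tampered download
            f.write(b"S")
        after = verify_set(checksums, path)
        return before, after


if __name__ == "__main__":
    print("intact: %s, after tamper: %s" % demo())
```

Run it as a script to see the intact/tampered result; in fleet tooling call verify_set() on the downloaded set and abort extraction on False or KeyError, and feed it the checksum file only after its signature has been checked.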

Related Errors & Cross-Refs

Issues that commonly surface alongside this icinga2 remediation: a mismatched kern.osrelease after a partial userland upgrade, stale shared-library references after a pkgsrc replace, drifted npf rules, and an out-of-date pkg-vulnerabilities feed producing false positives or false negatives. Useful triage:

uname -a
sysctl kern.osrelease kern.osrevision
sudo pkg_admin audit
sudo npfctl show


References & Further Reading

Primary reference: pkgsrc audit-packages entry. Useful manual pages on NetBSD 10.0:

man pkgin
man pkg_admin
man pkg_info
man rc.conf
man rc.d
man service
man npfctl
man npf.conf
man ipf
man sysupgrade
man veriexec

Other resources: the NetBSD Guide, the NetBSD Security Advisories index, the pkgsrc Guide, and the per-package DESCR + MESSAGE files under /usr/pkgsrc/<category>/icinga2/ for package-specific notes on upgrading and restarting icinga2.

