zabbix: CVE-2016-10134: SQL injection vulnerabilities in Latest data

Related Vulnerabilities: CVE-2016-10134, CVE-2016-9140

Debian Bug report logs - #850936


Reported by: Ivan <ivan@ivanbayan.com>

Date: Wed, 11 Jan 2017 11:15:04 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Merged with 850939

Found in versions zabbix/1:2.2.7+dfsg-2+deb8u1, zabbix/1:2.2.7+dfsg-2, zabbix/1:2.2.7+dfsg-1

Fixed in versions zabbix/1:3.0.4+dfsg-1, zabbix/1:2.2.7+dfsg-2+deb8u2

Done: Moritz Mühlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://support.zabbix.com/browse/ZBX-11023




Report forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#850936; Package zabbix-frontend-php. (Wed, 11 Jan 2017 11:15:06 GMT)


Acknowledgement sent to Ivan <ivan@ivanbayan.com>:
New Bug report received and forwarded. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Wed, 11 Jan 2017 11:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ivan <ivan@ivanbayan.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zabbix: sql injection, remote code execution, privileges escalation
Date: Wed, 11 Jan 2017 14:14:05 +0300
Package: zabbix-frontend-php
Version: 1:2.2.7+dfsg-2+deb8u1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

A bug in zabbix (ZBX-11023 SQL injection vulnerabilities in "Latest data")
allows code to be executed on the remote system. It's not a duplicate of Debian
bug "#842702 zabbix: CVE-2016-9140: API JSON-RPC remote code execution";
ZBX-11023 allows code execution even for the guest user.

I had zabbix available from the web with the guest user enabled. During
investigation I found requests from the sqlmap software in the apache log; new
scripts were configured via the zabbix web interface by the Admin user (the password
was untouched and hard to guess), many malicious scripts in /tmp, and a
few spam-sending processes.

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages zabbix-frontend-php depends on:
ii  apache2 [httpd]  2.4.10-10+deb8u7
ii  php5             5.6.29+dfsg-0+deb8u1
ii  php5-gd          5.6.29+dfsg-0+deb8u1
ii  php5-mysql       5.6.29+dfsg-0+deb8u1
ii  php5-pgsql       5.6.29+dfsg-0+deb8u1
ii  ttf-dejavu-core  2.34-1
ii  ucf              3.0030

Versions of packages zabbix-frontend-php recommends:
ii  php5-ldap  5.6.29+dfsg-0+deb8u1

Versions of packages zabbix-frontend-php suggests:
ii  libapache2-mod-php5  5.6.29+dfsg-0+deb8u1

-- no debconf information

-- debsums errors found:
debsums: changed file 
/usr/share/doc/zabbix-frontend-php/examples/apache.conf (from 
zabbix-frontend-php package)
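The reporter's first indicator was sqlmap traffic in the Apache access log, followed by unexpected script definitions in the frontend. The following Python script is an added example, not part of the bug report or of the zabbix project: it parses Apache "combined" log lines and flags requests to the frontend's PHP scripts that carry a scanner user-agent or SQL-injection patterns in the decoded query string. The log lines, IP addresses, parameter names and payload strings below are constructed for the example and are not taken from the incident; the frontend path prefix `/zabbix/` is an assumption about the deployment.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format (host, ident, user, time, request, status, size,
# referer, user-agent), which is what the reporter was reading.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse SQL-injection indicators, matched against the URL-decoded query string.
# Tuned for triage recall, so expect some false positives on legitimate searches.
SQLI_RE = re.compile(
    r"(\bunion\b\s+\bselect\b|\bsleep\s*\(|\bpg_sleep\s*\(|\bbenchmark\s*\(|"
    r"\bor\b\s+\d+\s*=\s*\d+|\band\b\s+\d+\s*=\s*\d+|/\*|--\s|'\s*(or|and)\b)",
    re.IGNORECASE,
)

# sqlmap identifies itself in its default user-agent; other scanners can be
# added here as further alternatives.
SCANNER_UA_RE = re.compile(r"sqlmap", re.IGNORECASE)

# Assumed frontend location; adjust to the local Alias/DocumentRoot.
FRONTEND_PREFIX = "/zabbix/"


def classify(line):
    """Return a finding dict for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    reasons = []
    if SCANNER_UA_RE.search(m.group("ua")):
        reasons.append("scanner user-agent")
    path, _, query = m.group("path").partition("?")
    decoded = unquote_plus(query)
    if path.startswith(FRONTEND_PREFIX) and path.endswith(".php") and SQLI_RE.search(decoded):
        reasons.append("sql-injection pattern in query")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": path, "reasons": reasons}


def scan_access_log(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log lines (not from the incident): one scanner user-agent,
# one time-based injection probe, and two benign frontend requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2017:03:12:44 +0300] "GET /zabbix/latest.php?groupid=1&hostid=1 HTTP/1.1" '
    '200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '198.51.100.7 - - [10/Jan/2017:03:13:01 +0300] "GET /zabbix/latest.php?hostid=1%20AND%20SLEEP(5) HTTP/1.1" '
    '200 4800 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2017:03:14:10 +0300] "GET /zabbix/latest.php?groupid=2 HTTP/1.1" '
    '200 5000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2017:03:15:00 +0300] "GET /zabbix/dashboard.php HTTP/1.1" '
    '200 7000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # For a real log: scan_access_log(open("/var/log/apache2/access.log"))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A hit from this pass is a starting point, not a verdict: correlate the source address and timestamps with the frontend's audit log and with changes to script definitions and user accounts, which is where the reporter found the attacker's follow-up activity.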




Set Bug forwarded-to-address to 'https://support.zabbix.com/browse/ZBX-11023'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jan 2017 11:45:12 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jan 2017 11:45:12 GMT)


Notification sent to Ivan <ivan@ivanbayan.com>:
Bug acknowledged by developer. (Wed, 11 Jan 2017 11:45:13 GMT)


Marked as fixed in versions zabbix/1:3.0.4+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jan 2017 11:45:13 GMT)


Marked as found in versions zabbix/1:2.2.7+dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jan 2017 11:45:14 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jan 2017 11:45:14 GMT)


Merged 850936 850939. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jan 2017 11:45:15 GMT)


Marked as found in versions zabbix/1:2.2.7+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jan 2017 13:00:07 GMT)


Changed Bug title to 'zabbix: CVE-2016-10134: SQL injection vulnerabilities in Latest data' from 'zabbix: sql injection, remote code execution, privileges escalation'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 13 Jan 2017 05:30:03 GMT)


Reply sent to Moritz Mühlenhoff <jmm@debian.org>:
You have taken responsibility. (Thu, 09 Mar 2017 23:24:03 GMT)


Notification sent to Ivan <ivan@ivanbayan.com>:
Bug acknowledged by developer. (Thu, 09 Mar 2017 23:24:03 GMT)


Message #28 received at 850936-close@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@debian.org>
To: 850936-close@bugs.debian.org
Subject: Bug#850936: fixed in zabbix 1:2.2.7+dfsg-2+deb8u2
Date: Thu, 09 Mar 2017 23:20:57 +0000
Source: zabbix
Source-Version: 1:2.2.7+dfsg-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850936@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 03 Feb 2017 00:17:26 +0100
Source: zabbix
Binary: zabbix-agent zabbix-frontend-php zabbix-java-gateway zabbix-proxy-mysql zabbix-proxy-pgsql zabbix-proxy-sqlite3 zabbix-server-mysql zabbix-server-pgsql
Architecture: source amd64 all
Version: 1:2.2.7+dfsg-2+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Christoph Haas <haas@debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description:
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-java-gateway - network monitoring solution - Java gateway
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-proxy-sqlite3 - network monitoring solution - proxy (using SQLite3)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 850936
Changes:
 zabbix (1:2.2.7+dfsg-2+deb8u2) jessie-security; urgency=medium
 .
   * CVE-2016-10134 (Closes: #850936)
Checksums-Sha1:
 a0c0f6c5cd8bc68d846bcbcb7db36331087312f6 2794 zabbix_2.2.7+dfsg-2+deb8u2.dsc
 14426c8336d6461fa87cddb8bbf93fca5aa8bff9 5905712 zabbix_2.2.7+dfsg.orig.tar.xz
 f128aa92ee405e4ce961173d1085caeba1d20155 190456 zabbix_2.2.7+dfsg-2+deb8u2.debian.tar.xz
 9b02d56c663b481c4fdd57fb79adaa28a94b56c0 319130 zabbix-agent_2.2.7+dfsg-2+deb8u2_amd64.deb
 9e8a4892f865ac44d7a9113d9ed775d9dc0dceb3 2921956 zabbix-frontend-php_2.2.7+dfsg-2+deb8u2_all.deb
 1fd3020d244f584553de962f5c87708190aded93 188224 zabbix-java-gateway_2.2.7+dfsg-2+deb8u2_all.deb
 332589c49f9f73db6e0d01472e4586f49eec7911 560736 zabbix-proxy-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
 43ce56a83de7c6dc84d9fef84f1e5ff842ea83d9 563378 zabbix-proxy-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb
 e3ebfb3c5e389e6483916b21c752b8c559ede52d 546370 zabbix-proxy-sqlite3_2.2.7+dfsg-2+deb8u2_amd64.deb
 1cb42c8350bba023c87860c40251e16186b9c192 1737350 zabbix-server-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
 b583e389395f7c1bf0ad8ded938efbfcb328c9d1 1739500 zabbix-server-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb
Checksums-Sha256:
 23d885b3b2df783728c2ed789c82f6b8ec6ecb8603ea51683312d3d100ba4b8e 2794 zabbix_2.2.7+dfsg-2+deb8u2.dsc
 922b2f12d3145ed4c0c0dc14cdce07a4cd959cb4d5801690f7017c116258ec7b 5905712 zabbix_2.2.7+dfsg.orig.tar.xz
 ab10374d4c6a2fe217b0bf20d62b031c77f1193dd31d7755a6755eb7041b53ea 190456 zabbix_2.2.7+dfsg-2+deb8u2.debian.tar.xz
 9eabea66d067dad9030538ce918e078bddfa815b6d2b75a79830ad14c6eb9f0c 319130 zabbix-agent_2.2.7+dfsg-2+deb8u2_amd64.deb
 af6b4f676d79abefc23f3c86c222cdf16991042e800310886884397e56f72bcd 2921956 zabbix-frontend-php_2.2.7+dfsg-2+deb8u2_all.deb
 5832cfadd87507b68001b0e988887a12ee1bf37701e1b15ddd2cceb4490ff8e3 188224 zabbix-java-gateway_2.2.7+dfsg-2+deb8u2_all.deb
 5ec47187a1e682be7827b145a0d620a6f38ddae9c79160dc32e668c2339c82fd 560736 zabbix-proxy-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
 e4ca76313fd2922806473ec324414021d38e4c6864cfc94cb991cd2d35d86866 563378 zabbix-proxy-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb
 0a33e878fcbe8dcb7c06fe7316c5b2a6ad72f062646e4990e291e6036899228c 546370 zabbix-proxy-sqlite3_2.2.7+dfsg-2+deb8u2_amd64.deb
 e7b50a3ab7a2c0e7f944248dd4675744cc4a05ff0eb30cd8f25c119bff483fee 1737350 zabbix-server-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
 0e601656739833bdbfb5af91fb3bc3f18cfed8a0a7f6f203d75ff631d4488aca 1739500 zabbix-server-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb
Files:
 fcfb8e956a9fa5075ee47f63e9fcb5f4 2794 net optional zabbix_2.2.7+dfsg-2+deb8u2.dsc
 53fcafa41d157467d8646525504722b2 5905712 net optional zabbix_2.2.7+dfsg.orig.tar.xz
 5af49593bbff493fa12836311e8b5ee6 190456 net optional zabbix_2.2.7+dfsg-2+deb8u2.debian.tar.xz
 84f79eba49f8fe40337c74a6d437c1e4 319130 net optional zabbix-agent_2.2.7+dfsg-2+deb8u2_amd64.deb
 60b3f5be1baeccaa89d9bd52ea83e0f6 2921956 net optional zabbix-frontend-php_2.2.7+dfsg-2+deb8u2_all.deb
 063c86b6c2841b7638181f234a942836 188224 net optional zabbix-java-gateway_2.2.7+dfsg-2+deb8u2_all.deb
 516a65e86b6552235b640542a10b76bd 560736 net optional zabbix-proxy-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
 b7b023f80fd0ccb7af294b7f276a99eb 563378 net optional zabbix-proxy-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb
 6673af071184a56753ff1e9ea66aeb7b 546370 net optional zabbix-proxy-sqlite3_2.2.7+dfsg-2+deb8u2_amd64.deb
 61959f68893d95b96f4e52e322ed2e51 1737350 net optional zabbix-server-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
 f22b7ee5edb4dea37ca330804ac9ca67 1739500 net optional zabbix-server-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAliUr9oACgkQEMKTtsN8
TjZUGRAAhXstc8JU9noDteDYFbz9c6KjjGLQLyB5bs1cERbYeYXPImfTKy0saNjX
yigfgxGw6JU3gr7f43y1mvh4ENkqkmQRCM6TaGmrTKnEFXxZABsVBRzFpNPYl4pF
hf/fvJeLJ5kRu1G7+G4bayhTPbEfIDBQYijNcdT9iiKORJLB8+2taHEjPa9Wt1U0
6zJeeYtkPlR6wndz0ERBgFxP1+pu+3gYId59jbBxkGIJ0c66DEpFLdbSB5JVndnd
5gE1wC9uzhjD9WpLi8Y09HfrZ+VlNdQfl50ZGg9IvSYIBgVcStrKirMbZvPgOJB0
vdw5ZMhhPBg0iInDvaTlca2usd2exPqDiEUiEoUTd5e3pkzzfHmUJGV3cKeSH8rq
zkNt/+VZLJIB22xmVOP8QDfPBWYydumM83idSOBTcDzWJWTZQ5s4rz6L0+shjWBd
e9KUSD7qwP3QvKZPfZ0dS3etzaV+8bS4j+C+0V3se5+dTwyd4VOC6DBUkTfRl2gA
bd3NhVClnH9ABnh/mskKgXlfG2msp0cdO5nl6Zkm2JitLwfHMAF33P2ahDUHYF1P
n/gDSWEyQs9OwDJQIouNxl3TOWyGHLLJ+1y+W0yJVW5/LuZmhJjv02gzfk+80Bu4
2EeJ9dnu61OYBCAKn3PI1OrfF4hYfwLY3DzvyiCHbCdP+18r5C0=
=0/FV
-----END PGP SIGNATURE-----




Reply sent to Moritz Mühlenhoff <jmm@debian.org>:
You have taken responsibility. (Thu, 09 Mar 2017 23:24:04 GMT)


Notification sent to IvanBayan <ivan@ivanbayan.com>:
Bug acknowledged by developer. (Thu, 09 Mar 2017 23:24:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 May 2017 07:27:57 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:43:06 2019; Machine Name: beach
