Debian Bug report logs - #652664: CVE-2011-4615
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Mon, 19 Dec 2011 17:18:08 UTC
Severity: grave
Tags: security
Fixed in version zabbix/1:1.8.10-1
Done: Christoph Haas <haas@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Haas <haas@debian.org>: Bug#652664; Package src:zabbix. (Mon, 19 Dec 2011 17:18:11 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Haas <haas@debian.org>. (Mon, 19 Dec 2011 17:18:11 GMT)
Message #5 received at submit@bugs.debian.org:
Source: zabbix
Severity: grave
Tags: security
Hi,
a new Zabbix issue was reported. This is CVE-2011-4615:
http://www.zabbix.com/rn1.8.10rc1.php
https://support.zabbix.com/browse/ZBX-4015
https://bugzilla.redhat.com/show_bug.cgi?id=768525
Any update on the security update we discussed a few weeks ago?
Cheers,
Moritz
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#652664; Package src:zabbix. (Mon, 19 Dec 2011 21:27:11 GMT)
Acknowledgement sent to Christoph Haas <haas@debian.org>: Extra info received and forwarded to list. (Mon, 19 Dec 2011 21:27:12 GMT)
Message #10 received at 652664@bugs.debian.org:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sorry for the missing reaction. I'm still alive and currently figuring
out a minimal patch for the reported security issues. Expect a fresh
upload to unstable and a patch for the Squeeze version. Whether a patch
for Lenny can be created is currently being discussed.
…Christoph
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk7vqXoACgkQCV53xXnMZYZKDACeOnkYL6SCcAPpMlXo1tVDgrBi
ifwAmwd5sMF2+T9NZ8Br+pFO6gj8SLYJ
=JTdF
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#652664; Package src:zabbix. (Tue, 20 Dec 2011 00:18:08 GMT)
Acknowledgement sent to Christoph Haas <haas@debian.org>: Extra info received and forwarded to list. (Tue, 20 Dec 2011 00:18:08 GMT)
Message #15 received at 652664@bugs.debian.org:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://security-tracker.debian.org/tracker/CVE-2011-2904
I have extracted a patch using
svn diff -r r20742:r20789 frontends/php/acknow.php
from the upstream sources.
http://security-tracker.debian.org/tracker/CVE-2011-3263
I have extracted a patch using
svn diff -r r19527:r19561
from the upstream sources.
http://security-tracker.debian.org/tracker/CVE-2011-3265
I could not determine a proper minimal patch and am waiting for the
upstream developers' support. This issue was fixed in 1.8.6 and thus
does not affect "sid".
http://security-tracker.debian.org/tracker/CVE-2011-4674
I could not determine a proper minimal patch and am waiting for the
upstream developers' support. This issue was fixed in 1.8.4 and does not
affect "sid".
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652664
https://support.zabbix.com/browse/ZBX-4015
I could not determine a proper minimal patch and am waiting for the
upstream developers' support. For "sid" we can wait for 1.8.10 to have
the issue fixed.
Would you like to get a minimal patch for the first two issues already?
Or rather wait for the upstream response of the remaining three issues?
…Christoph
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk7v06MACgkQCV53xXnMZYYEswCeLVcpQgUQSdQ/kO7fbzCCtpQj
ptsAnR7eMir+gwkFatxELJf+yrApsG7y
=y1Yg
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>: Bug#652664; Package src:zabbix. (Mon, 26 Dec 2011 11:57:20 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Mon, 26 Dec 2011 11:57:25 GMT)
Message #20 received at 652664@bugs.debian.org:
On Tue, Dec 20, 2011 at 01:15:32AM +0100, Christoph Haas wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://security-tracker.debian.org/tracker/CVE-2011-2904
> I have extracted a patch using
> svn diff -r r20742:r20789 frontends/php/acknow.php
> from the upstream sources.
>
> http://security-tracker.debian.org/tracker/CVE-2011-3263
> I have extracted a patch using
> svn diff -r r19527:r19561
> from the upstream sources.
>
> http://security-tracker.debian.org/tracker/CVE-2011-3265
> I could not determine a proper minimal patch and am waiting for the
> upstream developers' support. This issue was fixed in 1.8.6 and thus
> does not affect "sid".
>
> http://security-tracker.debian.org/tracker/CVE-2011-4674
> I could not determine a proper minimal patch and am waiting for the
> upstream developers' support. This issue was fixed in 1.8.4 and does not
> affect "sid".
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652664
> https://support.zabbix.com/browse/ZBX-4015
> I could not determine a proper minimal patch and am waiting for the
> upstream developers' support. For "sid" we can wait for 1.8.10 to have
> the issue fixed.
>
> Would you like to get a minimal patch for the first two issues already?
> Or rather wait for the upstream response of the remaining three issues?
Let's rather wait until we have a complete patch set.
Thanks,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>: Bug#652664; Package src:zabbix. (Sun, 01 Jan 2012 23:00:03 GMT)
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Sun, 01 Jan 2012 23:00:04 GMT)
Message #25 received at 652664@bugs.debian.org:
Hi,
There's now also CVE-2011-5027:
Cross-site scripting (XSS) vulnerability in ZABBIX before 1.8.10 allows remote
attackers to inject arbitrary web script or HTML via unspecified vectors
related to the profiler.
This should also be folded into the updates.
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#652664; Package src:zabbix. (Thu, 05 Jan 2012 21:57:03 GMT)
Acknowledgement sent to Christoph Haas <haas@debian.org>: Extra info received and forwarded to list. (Thu, 05 Jan 2012 21:57:03 GMT)
Message #30 received at 652664@bugs.debian.org:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have talked to my contact at the upstream company. He is bugging the
developers to help backport the security fix. No reply yet.
…Christoph
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8GHB4ACgkQCV53xXnMZYa8hACgi/txpimWJE/SLH323/8X8SQq
FTQAoI3rb1Q63IXz+69G+8J3HdcuhQu/
=EWFy
-----END PGP SIGNATURE-----
Reply sent to Christoph Haas <haas@debian.org>: You have taken responsibility. (Fri, 27 Jan 2012 23:09:10 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Fri, 27 Jan 2012 23:09:10 GMT)
Message #35 received at 652664-close@bugs.debian.org:
Source: zabbix
Source-Version: 1:1.8.10-1
We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive:
zabbix-agent_1.8.10-1_amd64.deb
to main/z/zabbix/zabbix-agent_1.8.10-1_amd64.deb
zabbix-frontend-php_1.8.10-1_all.deb
to main/z/zabbix/zabbix-frontend-php_1.8.10-1_all.deb
zabbix-proxy-mysql_1.8.10-1_amd64.deb
to main/z/zabbix/zabbix-proxy-mysql_1.8.10-1_amd64.deb
zabbix-proxy-pgsql_1.8.10-1_amd64.deb
to main/z/zabbix/zabbix-proxy-pgsql_1.8.10-1_amd64.deb
zabbix-proxy-sqlite3_1.8.10-1_amd64.deb
to main/z/zabbix/zabbix-proxy-sqlite3_1.8.10-1_amd64.deb
zabbix-server-mysql_1.8.10-1_amd64.deb
to main/z/zabbix/zabbix-server-mysql_1.8.10-1_amd64.deb
zabbix-server-pgsql_1.8.10-1_amd64.deb
to main/z/zabbix/zabbix-server-pgsql_1.8.10-1_amd64.deb
zabbix_1.8.10-1.debian.tar.gz
to main/z/zabbix/zabbix_1.8.10-1.debian.tar.gz
zabbix_1.8.10-1.dsc
to main/z/zabbix/zabbix_1.8.10-1.dsc
zabbix_1.8.10.orig.tar.gz
to main/z/zabbix/zabbix_1.8.10.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 652664@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Haas <haas@debian.org> (supplier of updated zabbix package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 02 Jan 2012 23:00:43 +0100
Source: zabbix
Binary: zabbix-agent zabbix-server-mysql zabbix-server-pgsql zabbix-frontend-php zabbix-proxy-pgsql zabbix-proxy-mysql zabbix-proxy-sqlite3
Architecture: source amd64 all
Version: 1:1.8.10-1
Distribution: unstable
Urgency: low
Maintainer: Christoph Haas <haas@debian.org>
Changed-By: Christoph Haas <haas@debian.org>
Description:
zabbix-agent - network monitoring solution - agent
zabbix-frontend-php - network monitoring solution - PHP front-end
zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
zabbix-proxy-sqlite3 - network monitoring solution - proxy (using SQLite3)
zabbix-server-mysql - network monitoring solution - server (using MySQL)
zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 647458 652664 652723 652880 652923 653210 655488 656774 657193
Changes:
zabbix (1:1.8.10-1) unstable; urgency=low
.
* New upstream release (resolves security bug
CVE-2011-5027 mentioned in #652664).
* Fixed typo in synopsis (closes: #652723)
* Updated pt_BR.po template (closes: #652880)
* Updated pt.po template (closes: #652923)
* Updated ru.po template (closes: #653210)
* Fixed FTBFS (closes: #655488)
* Checking more thoroughly for an installed Apache in
zabbix-frontend-php.postinst to make sure the script does not fail if
other 'httpd' than Apache are installed (closes: #647458)
* Fixed XSS security issue (closes: #657193)
* Fixed XSS security issue (closes: #652664)
* Enabled hardened build flags (closes: #656774)
Checksums-Sha1:
7b696eef0e77a7a134a0e6c7956f546448079171 1854 zabbix_1.8.10-1.dsc
3d36413b9bd04da66775e9255243242d205a7e9c 4217417 zabbix_1.8.10.orig.tar.gz
68465005deb16ab85c6bf6008ff2e595f8587cb3 51673 zabbix_1.8.10-1.debian.tar.gz
cf30f4d6c20445baae5f7f15cda66f4f91b02a61 310866 zabbix-agent_1.8.10-1_amd64.deb
e00655434050b9099d709b79fbbade59e3488fca 697644 zabbix-server-mysql_1.8.10-1_amd64.deb
1cc5cb14b714d152e16212d9fa2f2afdf70ac4bd 700922 zabbix-server-pgsql_1.8.10-1_amd64.deb
0a204396a02437c0b2828f87f0fe62ccb9ab00cb 377846 zabbix-proxy-pgsql_1.8.10-1_amd64.deb
ec50f3ca191ca77147ea2e2ac4ccef8f822b992b 376220 zabbix-proxy-mysql_1.8.10-1_amd64.deb
04a12b9ac006f53223da9edec56094d9c8c5ef1c 503884 zabbix-proxy-sqlite3_1.8.10-1_amd64.deb
b06a6652339f7558984cf5c6708907875eeb73b9 1961078 zabbix-frontend-php_1.8.10-1_all.deb
Checksums-Sha256:
4e7a8337442be954338d62e4853eb0628c4f88ebf765e7549ebb643b2d511672 1854 zabbix_1.8.10-1.dsc
d965d23f2ce8c7ddee7a1532863a208fae28958e3fc0871e0229ffa06f88a54b 4217417 zabbix_1.8.10.orig.tar.gz
cafff9b2ae06ae9b9166b62f3107b0df04ce03f8d8c02fed360e89d00a9e29d1 51673 zabbix_1.8.10-1.debian.tar.gz
774537f29aee079776830d80698544a2bb615ff6cde5a6ecad9142ead670f6f4 310866 zabbix-agent_1.8.10-1_amd64.deb
00b93146e5b6f28b92587597747fa34c86f46bb52dbc57c7019ec8c76895d1de 697644 zabbix-server-mysql_1.8.10-1_amd64.deb
40c2536265fc0d57c2c0e591b55a89b6293e175f8c4f672ff66b3105d38d9214 700922 zabbix-server-pgsql_1.8.10-1_amd64.deb
af18e5f66d32be33e78a7dbfb8571857ed2e4dfb92bba6da8b2be19e1a938ed7 377846 zabbix-proxy-pgsql_1.8.10-1_amd64.deb
c5e7326fd006e993f90f58fd44864eeea796bba912ec59924c80fec5bffd3018 376220 zabbix-proxy-mysql_1.8.10-1_amd64.deb
8a142953319e0945aa13d1b1b9c6876180efb38832112d611443c47f24eb6d42 503884 zabbix-proxy-sqlite3_1.8.10-1_amd64.deb
7a1d77e985284582a601f6c2ea5d937a7712c16207d0a931f3a79f34dc8f7627 1961078 zabbix-frontend-php_1.8.10-1_all.deb
Files:
bf3932a3d047a197af7f68500b2d39f1 1854 net optional zabbix_1.8.10-1.dsc
7e89f80c1822787c0831f7c0dbefcd7b 4217417 net optional zabbix_1.8.10.orig.tar.gz
9d2b919dcd3c6f39b91d4981951dfa1e 51673 net optional zabbix_1.8.10-1.debian.tar.gz
fb34181490b9fa8476d4827ccfe543a8 310866 net optional zabbix-agent_1.8.10-1_amd64.deb
6865e5e7a5708fdaeb416e8cb50bc760 697644 net optional zabbix-server-mysql_1.8.10-1_amd64.deb
23460d25f5c94cb234469c272f088738 700922 net optional zabbix-server-pgsql_1.8.10-1_amd64.deb
975585d56b485654d958cc59552396e0 377846 net optional zabbix-proxy-pgsql_1.8.10-1_amd64.deb
01b73477fcd2ae8401f37269d845c728 376220 net optional zabbix-proxy-mysql_1.8.10-1_amd64.deb
3d6c62bba0282c9d3d6a3967c5c127fd 503884 net optional zabbix-proxy-sqlite3_1.8.10-1_amd64.deb
8644d843695421d249ecfebb0bdfedb9 1961078 net optional zabbix-frontend-php_1.8.10-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk8jKGYACgkQCV53xXnMZYYe6QCgskawaFZEwVcnpOn7WNuxkluw
vY8AoKVrLa2NP0gfvvQvGuuj3U4xJcwi
=06sN
-----END PGP SIGNATURE-----
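A check a practitioner would run on an upload like the one announced above, as an added example that is not part of this bug log or of Debian's archive tooling: parse the Files, Checksums-Sha1 and Checksums-Sha256 blocks of a .changes file and verify every listed artifact on disk by size and all three digests, reporting missing files and altered content rather than silently skipping them. The .changes text and the file bytes are constructed inline (the file names echo the zabbix 1:1.8.10-1 upload, the digests do not), so the script runs offline.

```python
"""Verify a Debian .changes file's checksum blocks against artifacts on disk.

Added example; not Debian archive code. The sample upload below is constructed:
its names copy the zabbix 1:1.8.10-1 changes file, its bytes are invented.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Field name -> digest algorithm it carries. "Files:" is the legacy MD5 block.
DIGEST_FIELDS = {"Files": "md5", "Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}
FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):")


def parse_changes(text):
    """Return {filename: {"size": int, "md5": hex, "sha1": hex, "sha256": hex}}.

    Each checksum block lists one file per indented line as
    "<digest> <size> [<section> <priority>] <filename>"; the filename is the
    last column. A size that differs between blocks is rejected outright.
    """
    entries, field = {}, None
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):  # a new "Field:" header line
            m = FIELD_RE.match(line)
            field = m.group(1) if m else None
            continue
        if field not in DIGEST_FIELDS or not line.strip():
            continue
        parts = line.split()
        digest, size, name = parts[0], int(parts[1]), parts[-1]
        entry = entries.setdefault(name, {"size": size})
        if entry["size"] != size:
            raise ValueError(f"{name}: size differs between checksum blocks")
        entry[DIGEST_FIELDS[field]] = digest
    return entries


def verify_files(entries, directory):
    """Return {filename: [problems]}; an empty list means the file checks out.

    A missing file is reported, not skipped, so a dropped binary can never
    produce a clean report; every digest the .changes lists is checked.
    """
    report = {}
    for name, want in entries.items():
        path = Path(directory) / name
        if not path.is_file():
            report[name] = ["missing"]
            continue
        data = path.read_bytes()
        problems = []
        if len(data) != want["size"]:
            problems.append(f"size {len(data)} != {want['size']}")
        for algo in ("md5", "sha1", "sha256"):
            if algo not in want:
                problems.append(f"no {algo} listed")
            elif hashlib.new(algo, data).hexdigest() != want[algo]:
                problems.append(f"{algo} mismatch")
        report[name] = problems
    return report


def build_sample(directory):
    """Write two constructed artifacts and return a .changes text listing them."""
    files = {
        "zabbix_1.8.10-1.dsc": b"Format: 1.0\nSource: zabbix\n",
        "zabbix-frontend-php_1.8.10-1_all.deb": bytes(range(256)) * 4,
    }
    sha1, sha256, md5 = [], [], []
    for name, data in files.items():
        (Path(directory) / name).write_bytes(data)
        sha1.append(f" {hashlib.sha1(data).hexdigest()} {len(data)} {name}")
        sha256.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
        md5.append(f" {hashlib.md5(data).hexdigest()} {len(data)} net optional {name}")
    header = ["Format: 1.8", "Source: zabbix", "Version: 1:1.8.10-1", "Changes:",
              " zabbix (1:1.8.10-1) unstable; urgency=low", " .",
              "   * New upstream release (closes: #652664)"]
    return "\n".join(header + ["Checksums-Sha1:"] + sha1 + ["Checksums-Sha256:"]
                     + sha256 + ["Files:"] + md5) + "\n"


def demo():
    """Verify a clean sample upload, then the same upload with one byte flipped."""
    with tempfile.TemporaryDirectory() as d:
        entries = parse_changes(build_sample(d))
        clean = verify_files(entries, d)
        deb = Path(d) / "zabbix-frontend-php_1.8.10-1_all.deb"
        data = bytearray(deb.read_bytes())
        data[0] ^= 0xFF  # same size, different content: only the digests notice
        deb.write_bytes(data)
        return clean, verify_files(entries, d)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean upload:", clean)
    print("tampered upload:", tampered)
```

The digests only prove that the files match the .changes text; they say nothing about who wrote that text. In practice the clearsigned PGP signature on the .changes file (as on the message above) must be verified against a trusted key first, otherwise an attacker who replaces the artifacts can simply regenerate all three checksum blocks to match.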
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 25 Feb 2012 07:39:34 GMT)
Last modified: Wed Jun 19 17:56:09 2019