zabbix: CVE-2014-1682: API issue allows users to impersonate other users

Related Vulnerabilities: CVE-2014-1682   CVE-2013-5572   CVE-2014-1685  

Debian Bug report logs - #737818
zabbix: CVE-2014-1682: API issue allows users to impersonate other users


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 6 Feb 2014 07:42:06 UTC

Severity: grave

Tags: security, upstream

Fixed in version zabbix/1:2.2.2+dfsg-1

Done: Dmitry Smirnov <onlyjob@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://support.zabbix.com/browse/ZBX-7703



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Haas <haas@debian.org>:
Bug#737818; Package src:zabbix. (Thu, 06 Feb 2014 07:42:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Haas <haas@debian.org>. (Thu, 06 Feb 2014 07:42:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zabbix: CVE-2014-1682: API issue allows users to impersonate other users
Date: Thu, 06 Feb 2014 08:40:50 +0100
Source: zabbix
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for zabbix.

CVE-2014-1682[0]:
API issue allows users to impersonate other users

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1682
    http://security-tracker.debian.org/tracker/CVE-2014-1682
[1] https://support.zabbix.com/browse/ZBX-7703

Could you check if Debian is affected and adjust the affected
versions?

Regards,
Salvatore



Added tag(s) pending. Request was from Dmitry Smirnov <onlyjob@member.fsf.org> to control@bugs.debian.org. (Fri, 07 Feb 2014 14:24:12 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#737818. (Fri, 07 Feb 2014 14:24:20 GMT)


Message #10 received at 737818-submitter@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@member.fsf.org>
To: 737818-submitter@bugs.debian.org
Subject: Bug#737818 tagged as pending
Date: Fri, 07 Feb 2014 14:22:02 +0000
tag 737818 pending
--

We believe that the bug #737818 you reported has been fixed in the Git
repository. You can see the commit message below and/or inspect the
commit contents at:

    http://anonscm.debian.org/gitweb/?p=collab-maint/zabbix.git;a=commitdiff;h=5585284

(This message was generated automatically by
 'git-post-receive-tag-pending-commitmsg' hook).
---
commit 5585284 (HEAD, master)
Author: Dmitry Smirnov <onlyjob@member.fsf.org>
Date:   Fri Feb 7 14:19:27 2014

    New backported patch ZBX-7703 to fix CVE-2014-1682 (Closes: #737818)



Set Bug forwarded-to-address to 'https://support.zabbix.com/browse/ZBX-7703'. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Sat, 08 Feb 2014 09:09:04 GMT)


Reply sent to Dmitry Smirnov <onlyjob@debian.org>:
You have taken responsibility. (Fri, 14 Feb 2014 09:24:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 14 Feb 2014 09:24:08 GMT)


Message #17 received at 737818-close@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@debian.org>
To: 737818-close@bugs.debian.org
Subject: Bug#737818: fixed in zabbix 1:2.2.2+dfsg-1
Date: Fri, 14 Feb 2014 09:21:40 +0000
Source: zabbix
Source-Version: 1:2.2.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737818@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <onlyjob@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 13 Feb 2014 21:57:26 +1100
Source: zabbix
Binary: zabbix-agent zabbix-frontend-php zabbix-java-gateway zabbix-proxy-mysql zabbix-proxy-pgsql zabbix-proxy-sqlite3 zabbix-server-mysql zabbix-server-pgsql
Architecture: source amd64 all
Version: 1:2.2.2+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Christoph Haas <haas@debian.org>
Changed-By: Dmitry Smirnov <onlyjob@debian.org>
Description: 
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-java-gateway - network monitoring solution - Java gateway
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-proxy-sqlite3 - network monitoring solution - proxy (using SQLite3)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 737818
Changes: 
 zabbix (1:2.2.2+dfsg-1) unstable; urgency=high
 .
   * New upstream release [February 2014].
     + CVE-2014-1682 (ZBX-7703) fixed vulnerability allowing to impersonate
       other users without proper credentials when using HTTP authentication
       (Closes: #737818).
     + CVE-2013-5572 (ZBX-6721) fixed LDAP authentication.
     + CVE-2014-1685 (ZBX-7693) restrict admin's ability to update media
       for other users.
   * Dropped "build_modernise-automake.patch" (applied-upstream).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 15 Mar 2014 07:28:04 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:19:52 2019; Machine Name: buxtehude
