CVE-2010-1277: SQL injection vulnerability


Debian Bug report logs - #577058
CVE-2010-1277: SQL injection vulnerability


Package: zabbix; Maintainer for zabbix is Dmitry Smirnov <onlyjob@debian.org>;

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Fri, 9 Apr 2010 09:33:05 UTC

Severity: grave

Tags: security

Fixed in version zabbix/1:1.8.2-1

Done: Christoph Haas <haas@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Haas <haas@debian.org>:
Bug#577058; Package zabbix. (Fri, 09 Apr 2010 09:33:08 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Haas <haas@debian.org>. (Fri, 09 Apr 2010 09:33:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-1277: SQL injection vulnerability
Date: Fri, 09 Apr 2010 11:19:04 +0200
Package: zabbix
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for zabbix.

CVE-2010-1277[0]:
| SQL injection vulnerability in the user.authenticate method in the API
| in Zabbix 1.8 before 1.8.2 allows remote attackers to execute
| arbitrary SQL commands via the user parameter in JSON data to
| api_jsonrpc.php.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1277
    http://security-tracker.debian.org/tracker/CVE-2010-1277


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAku+8QYACgkQNxpp46476aohxgCeOJ/ft09ZEbsVRZQfZGKPOStl
dsIAni/gOpxw+gb/ZGH7pbP8ItreKgGH
=GH0v
-----END PGP SIGNATURE-----
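The advisory text names the bug class (the `user` value taken from the JSON-RPC request body reaching SQL unescaped) but not the code. The following is an added illustration, not Zabbix's code and not the fix that shipped in 1.8.2: a minimal `user.authenticate` JSON-RPC handler in Python over an in-memory SQLite table, with the string-built query that produces this bug class beside a parameterised query that treats the caller's value purely as data. The `users` table, the hashing, the token format and the error codes are all constructed for the example and are not Zabbix's.

```python
import hashlib
import hmac
import json
import secrets
import sqlite3


def _digest(password):
    # Stand-in hash for the demo only; a real login path uses a password KDF.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """Constructed in-memory table; the schema is hypothetical, not Zabbix's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (alias TEXT PRIMARY KEY, passwd TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", _digest("s3cret")))
    conn.commit()
    return conn


def build_query_unsafe(user):
    """The pattern behind the bug class: request data spliced into SQL text.

    A quote character inside `user` ends the SQL string literal early, so the
    value is no longer confined to the WHERE clause; the database engine then
    interprets whatever follows as SQL syntax rather than as a user name.
    """
    return "SELECT alias, passwd FROM users WHERE alias='" + user + "'"


def probe_unsafe(conn, user):
    """Run the string-built query; returns 'row', 'no row' or 'sql error'."""
    try:
        row = conn.execute(build_query_unsafe(user)).fetchone()
    except sqlite3.OperationalError:
        # A lone quote in the input already breaks the statement, which is the
        # visible symptom of data being parsed as SQL.
        return "sql error"
    return "row" if row else "no row"


def authenticate_safe(conn, user, password):
    """Parameterised lookup: `user` is bound as a value, never parsed as SQL."""
    # JSON can deliver arrays or objects where a string was expected; reject
    # anything that is not a string before it reaches the driver.
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    row = conn.execute(
        "SELECT alias, passwd FROM users WHERE alias = ?", (user,)
    ).fetchone()
    if row is None:
        return None
    if not hmac.compare_digest(row[1], _digest(password)):
        return None
    return secrets.token_hex(16)  # constructed session token format


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "error": {"code": code, "message": message}, "id": req_id}


def handle_jsonrpc(conn, body):
    """Minimal JSON-RPC 2.0 dispatcher for a single user.authenticate method."""
    try:
        req = json.loads(body)
    except ValueError:
        return _error(None, -32700, "Parse error")
    if not isinstance(req, dict):
        return _error(None, -32600, "Invalid Request")
    req_id = req.get("id")
    if req.get("method") != "user.authenticate":
        return _error(req_id, -32601, "Method not found")
    params = req.get("params")
    if not isinstance(params, dict):
        return _error(req_id, -32602, "Invalid params")
    token = authenticate_safe(conn, params.get("user"), params.get("password"))
    if token is None:
        # Same message for unknown user and wrong password (constructed code).
        return _error(req_id, -32500, "Login name or password is incorrect")
    return {"jsonrpc": "2.0", "result": token, "id": req_id}


if __name__ == "__main__":
    db = make_db()
    body = json.dumps({"jsonrpc": "2.0", "method": "user.authenticate",
                       "params": {"user": "o'brien", "password": "x"}, "id": 1})
    print("parameterised:", handle_jsonrpc(db, body))
    print("string-built  :", probe_unsafe(db, "o'brien"))
```

The contrast to notice is that the same user name containing a single quote is an ordinary failed login on the parameterised path but a malformed statement on the string-built path: the first keeps the caller's value inside the data channel, the second lets it cross into the SQL channel, which is what CVE-2010-1277 describes. The `isinstance` guard is part of the fix rather than decoration, because a JSON body can carry a non-string where the handler expects a login name.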




Reply sent to Christoph Haas <haas@debian.org>:
You have taken responsibility. (Mon, 12 Apr 2010 19:51:09 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Mon, 12 Apr 2010 19:51:10 GMT)


Message #10 received at 577058-close@bugs.debian.org:

From: Christoph Haas <haas@debian.org>
To: 577058-close@bugs.debian.org
Subject: Bug#577058: fixed in zabbix 1:1.8.2-1
Date: Mon, 12 Apr 2010 19:49:38 +0000
Source: zabbix
Source-Version: 1:1.8.2-1

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive:

zabbix-agent_1.8.2-1_amd64.deb
  to main/z/zabbix/zabbix-agent_1.8.2-1_amd64.deb
zabbix-frontend-php_1.8.2-1_all.deb
  to main/z/zabbix/zabbix-frontend-php_1.8.2-1_all.deb
zabbix-proxy-mysql_1.8.2-1_amd64.deb
  to main/z/zabbix/zabbix-proxy-mysql_1.8.2-1_amd64.deb
zabbix-proxy-pgsql_1.8.2-1_amd64.deb
  to main/z/zabbix/zabbix-proxy-pgsql_1.8.2-1_amd64.deb
zabbix-server-mysql_1.8.2-1_amd64.deb
  to main/z/zabbix/zabbix-server-mysql_1.8.2-1_amd64.deb
zabbix-server-pgsql_1.8.2-1_amd64.deb
  to main/z/zabbix/zabbix-server-pgsql_1.8.2-1_amd64.deb
zabbix_1.8.2-1.debian.tar.gz
  to main/z/zabbix/zabbix_1.8.2-1.debian.tar.gz
zabbix_1.8.2-1.dsc
  to main/z/zabbix/zabbix_1.8.2-1.dsc
zabbix_1.8.2.orig.tar.gz
  to main/z/zabbix/zabbix_1.8.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 577058@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Haas <haas@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 10 Apr 2010 12:04:06 +0200
Source: zabbix
Binary: zabbix-agent zabbix-server-mysql zabbix-server-pgsql zabbix-frontend-php zabbix-proxy-pgsql zabbix-proxy-mysql
Architecture: source amd64 all
Version: 1:1.8.2-1
Distribution: unstable
Urgency: low
Maintainer: Christoph Haas <haas@debian.org>
Changed-By: Christoph Haas <haas@debian.org>
Description: 
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 577058
Changes: 
 zabbix (1:1.8.2-1) unstable; urgency=low
 .
   * New upstream release
   * Policy version is now 3.8.4 - no changes were needed.
   * SQL injection bug fixed in 1.8.2 (closes: #577058)
   * init.d scripts now depend on "remote_fs" instead of "local_fs"
     as /usr may be a remote file system (fixes lintian warning).
Checksums-Sha1: 
 54d364e8395738837661acd3dc946a3450fbab5c 1501 zabbix_1.8.2-1.dsc
 59573efdffe481f1e0d020f4e75b670daa837ded 3706540 zabbix_1.8.2.orig.tar.gz
 7967c4427672f5554acab0a25e28edd3202b3634 171135 zabbix_1.8.2-1.debian.tar.gz
 d28170b43823b7db91b809936fcc0c50f6a533ae 253930 zabbix-agent_1.8.2-1_amd64.deb
 53cd0b86651b926b0e1a7ff7d1626e9c3d6e9a15 618444 zabbix-server-mysql_1.8.2-1_amd64.deb
 be732d15fa15f21aa29d47e41409019ed0789346 628202 zabbix-server-pgsql_1.8.2-1_amd64.deb
 91dec5d88e4980360d01bf2ad29de62db0246b36 558834 zabbix-proxy-pgsql_1.8.2-1_amd64.deb
 57e17c54f47e2c8e8bdf87fadc9f859b90ae7658 549842 zabbix-proxy-mysql_1.8.2-1_amd64.deb
 b32ab4701d57e06abdac07c42fef13e7586eb67d 1508132 zabbix-frontend-php_1.8.2-1_all.deb
Checksums-Sha256: 
 7f6b6f068edaa097d50e117d12b1ebde1b2d837bee413b05e577b023f6c211be 1501 zabbix_1.8.2-1.dsc
 ba1d00454551c1c6f0d270f76718b69ce9f54c427e22acb5a13ccbc9e621fd81 3706540 zabbix_1.8.2.orig.tar.gz
 0195a7557059aed47cce60946be279e53a62be7c6584f20808b729db6cda2ebf 171135 zabbix_1.8.2-1.debian.tar.gz
 fac6ecfedc3589cf6fb08feba52a4b02e62f826a7e41e2e6cd72b889fd3cb686 253930 zabbix-agent_1.8.2-1_amd64.deb
 558b2505b94d285cfc23d0112f0cf7b0a7a2aec323adaaea416e7ccd17ea9a82 618444 zabbix-server-mysql_1.8.2-1_amd64.deb
 b5eb5a9e1469ec90f25475ca5240eb62c962434cc1771771b15566b759045f8b 628202 zabbix-server-pgsql_1.8.2-1_amd64.deb
 cd96494c3935952d483b4bf18f171baa7eefcb48c95ecba3ad963f040df49ef0 558834 zabbix-proxy-pgsql_1.8.2-1_amd64.deb
 99ca955a664251b8a518996beb30c9b36079968295f82379b49c2742ee0c7088 549842 zabbix-proxy-mysql_1.8.2-1_amd64.deb
 3fc790098cf20d7f586139856ac21f272ec88da5f14ef8b7be715eb6d3e91711 1508132 zabbix-frontend-php_1.8.2-1_all.deb
Files: 
 86e6389fa23a97fa73513c48dc51bf8e 1501 net optional zabbix_1.8.2-1.dsc
 fa4be4fa7ac20a33cc0aa5c27b827746 3706540 net optional zabbix_1.8.2.orig.tar.gz
 dc69a128cbcde1c89642976d913e36eb 171135 net optional zabbix_1.8.2-1.debian.tar.gz
 21326fe5627ff6f81657efb5a2b9bb7c 253930 net optional zabbix-agent_1.8.2-1_amd64.deb
 5b11994801479a11f26570a24c267b66 618444 net optional zabbix-server-mysql_1.8.2-1_amd64.deb
 efd1e9617666d8e96adb7c670d18f89d 628202 net optional zabbix-server-pgsql_1.8.2-1_amd64.deb
 7b2480aa71981dafd870130cbc603410 558834 net optional zabbix-proxy-pgsql_1.8.2-1_amd64.deb
 0816228ff6c56635c255946a90259cd1 549842 net optional zabbix-proxy-mysql_1.8.2-1_amd64.deb
 e7192cf3bdfd967f90c27ff7e1283f36 1508132 net optional zabbix-frontend-php_1.8.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkvBpmcACgkQCV53xXnMZYZLFgCfVcCu+xkMj5mXmcHMuKbax6PH
sIUAoNQUFZhoiiNRjZfh/3VLAzYwlk14
=Jm3j
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 09:23:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:46:36 2019; Machine Name: buxtehude
