zoneminder: CVE-2008-1381 arbitrary code execution via crafted URL

Related Vulnerabilities: CVE-2008-1381   CVE-2008-2033  

Debian Bug report logs - #479034

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Fri, 2 May 2008 11:51:01 UTC

Severity: grave

Tags: patch, security

Fixed in version zoneminder/1.23.3-1

Done: Peter Howard <pjh@northern-ridge.com.au>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Peter Howard <pjh@northern-ridge.com.au>:
Bug#479034; Package zoneminder.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Peter Howard <pjh@northern-ridge.com.au>.


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-2033: Multiple vulnerabilities
Date: Sat, 03 May 2008 05:46:56 +1000
Package: zoneminder
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE(1) has been issued against zoneminder.

CVE-2008-2033
Multiple unspecified vulnerabilities in ZoneMinder before 1.23.3
allow remote authenticated users to execute arbitrary code via unknown attack vectors.

Cheers
Steffen

(1) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2033




Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>:
Bug#479034; Package zoneminder.


Acknowledgement sent to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>.


Message #10 received at 479034@bugs.debian.org:

From: Tomas Hoger <thoger@redhat.com>
To: 479034@bugs.debian.org
Subject: Re: CVE-2008-2033: Multiple vulnerabilities
Date: Fri, 2 May 2008 16:22:23 +0200

Hi!

This is a duplicate of CVE-2008-1381.  See references for CVE-2008-1381
for details.

HTH

-- 
Tomas Hoger




Changed Bug title to `zoneminder: CVE-2008-1381 multiple vulnerabilities' from `CVE-2008-2033: Multiple vulnerabilities'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 04 May 2008 12:21:04 GMT).


Changed Bug title to `zoneminder: CVE-2008-1381 arbitrary code execution via crafted URL' from `zoneminder: CVE-2008-1381 multiple vulnerabilities'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 04 May 2008 12:33:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Peter Howard <pjh@northern-ridge.com.au>:
Bug#479034; Package zoneminder.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Howard <pjh@northern-ridge.com.au>.


Message #19 received at 479034@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 479034@bugs.debian.org
Subject: intent to NMU
Date: Sun, 4 May 2008 14:41:28 +0200

tags 479034 + patch
thanks

Hi,
I intend to NMU this bug. Attached is a patch to fix this
issue. It will also be archived on:
http://people.debian.org/~nion/nmu-diff/zoneminder-1.23.2-2_1.23.2-2.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[zoneminder-1.23.2-2_1.23.2-2.1.patch (text/x-diff, attachment)]

Tags added: patch. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 04 May 2008 12:45:05 GMT).


Reply sent to Peter Howard <pjh@northern-ridge.com.au>:
You have taken responsibility.


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.


Message #26 received at 479034-close@bugs.debian.org:

From: Peter Howard <pjh@northern-ridge.com.au>
To: 479034-close@bugs.debian.org
Subject: Bug#479034: fixed in zoneminder 1.23.3-1
Date: Mon, 05 May 2008 05:02:03 +0000
Source: zoneminder
Source-Version: 1.23.3-1

We believe that the bug you reported is fixed in the latest version of
zoneminder, which is due to be installed in the Debian FTP archive:

zoneminder_1.23.3-1.diff.gz
  to pool/main/z/zoneminder/zoneminder_1.23.3-1.diff.gz
zoneminder_1.23.3-1.dsc
  to pool/main/z/zoneminder/zoneminder_1.23.3-1.dsc
zoneminder_1.23.3-1_i386.deb
  to pool/main/z/zoneminder/zoneminder_1.23.3-1_i386.deb
zoneminder_1.23.3.orig.tar.gz
  to pool/main/z/zoneminder/zoneminder_1.23.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 479034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Howard <pjh@northern-ridge.com.au> (supplier of updated zoneminder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 19 Mar 2008 01:02:50 +1000
Source: zoneminder
Binary: zoneminder
Architecture: source i386
Version: 1.23.3-1
Distribution: unstable
Urgency: high
Maintainer: Peter Howard <pjh@northern-ridge.com.au>
Changed-By: Peter Howard <pjh@northern-ridge.com.au>
Description: 
 zoneminder - Linux video camera security and surveillance solution
Closes: 479034
Changes: 
 zoneminder (1.23.3-1) unstable; urgency=high
 .
   * Initial version for 1.23.3 - security fix.
     (closes: #479034)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Jul 2008 07:29:12 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:47:27 2019; Machine Name: buxtehude
