CVE-2010-2790: Multiple cross-site scripting (XSS) vulnerabilities

Debian Bug report logs - #594304


Package: zabbix; Maintainer for zabbix is Dmitry Smirnov <onlyjob@debian.org>;

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Wed, 25 Aug 2010 07:30:02 UTC

Severity: serious

Tags: security

Fixed in version zabbix/1:1.8.3-1

Done: Christoph Haas <haas@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Haas <haas@debian.org>:
Bug#594304; Package zabbix. (Wed, 25 Aug 2010 07:30:04 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Haas <haas@debian.org>. (Wed, 25 Aug 2010 07:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-2790: Multiple cross-site scripting (XSS) vulnerabilities
Date: Wed, 25 Aug 2010 09:27:24 +0200

Package: zabbix
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for zabbix.

CVE-2010-2790[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in the formatQuery
| function in frontends/php/include/classes/class.curl.php in Zabbix
| before 1.8.3rc1 allow remote attackers to inject arbitrary web script
| or HTML via the (1) filter_set, (2) show_details, (3) filter_rst, or
| (4) txt_select parameters to the triggers page (tr_status.php).  NOTE:
| some of these details are obtained from third party information.


Unfortunately the vulnerability described above is not important enough
to get it fixed via regular security update in Debian stable.

However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2790
    http://security-tracker.debian.org/tracker/CVE-2010-2790
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkx0xdoACgkQNxpp46476aqmsgCeLRb69yqdvE6IgcKjrF05NvKj
vPUAn0SH1Dk7JRBiItBq+/j0Kj5D933S
=d5AS
-----END PGP SIGNATURE-----
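The CVE text above describes the reflected-XSS pattern in general terms: a helper that rebuilds a query string from request parameters and writes it back into the page without escaping. The following PHP is an added illustration of that pattern and its fix, written for this page; it is not Zabbix's code and not the patch shipped in 1.8.3. Only the four parameter names come from the CVE description; the function names (formatQueryUnsafe, formatQuerySafe) and the sample request values are constructed for the example.

```php
<?php
// Added illustration, not Zabbix's code: a helper that rebuilds a query
// string from request parameters and writes it into an HTML page, which is
// the pattern the CVE text attributes to formatQuery(). Only the four
// parameter names come from the CVE description; the function names and
// the sample values below are constructed for this example.

// Constructed sample request, as if the page had been reached via a link
// carrying a hostile value in one parameter (benign markup used here).
$request = [
    'filter_set'   => '1',
    'show_details' => '1',
    'filter_rst'   => '"><b>injected</b>',
    'txt_select'   => 'db',
];

// Vulnerable pattern: names and values are concatenated as-is, so any
// quote or angle bracket in a parameter reaches the page unchanged.
function formatQueryUnsafe(array $params): string
{
    $parts = [];
    foreach ($params as $name => $value) {
        $parts[] = $name . '=' . $value;
    }
    return '?' . implode('&', $parts);
}

// Hardened pattern: encode for each output context in turn. rawurlencode()
// makes every name and value safe inside a URL; htmlspecialchars() with
// ENT_QUOTES then makes the whole string safe inside an HTML attribute,
// so a value cannot close the href="" and start its own markup.
function formatQuerySafe(array $params): string
{
    $parts = [];
    foreach ($params as $name => $value) {
        $parts[] = rawurlencode((string) $name) . '=' . rawurlencode((string) $value);
    }
    return htmlspecialchars('?' . implode('&', $parts), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Simulated page output: both versions place the query string in an href.
$unsafeQuery = formatQueryUnsafe($request);
$safeQuery   = formatQuerySafe($request);

echo '<a href="tr_status.php' . $unsafeQuery . '">unsafe</a>', "\n";
echo '<a href="tr_status.php' . $safeQuery . '">safe</a>', "\n";

// Self-check: the unsafe string still carries the raw '">' sequence that
// breaks out of the attribute; the hardened string contains no quote or
// angle bracket at all, only %-escapes and HTML entities.
$leaks = strpos($unsafeQuery, '"><b>') !== false;
$clean = strpbrk($safeQuery, '"<>') === false;
echo ($leaks && $clean) ? "check passed\n" : "check FAILED\n";
```

The loop inside formatQuerySafe is equivalent to PHP's built-in http_build_query($params, '', '&', PHP_QUERY_RFC3986); the hand-written form is kept here only to make the two encoding steps visible. The point the example makes is that URL encoding and HTML escaping are separate contexts and both are needed when a query string is echoed into markup. For a deployed Debian system the practical check is simpler than reading code: the page records the fix as zabbix 1:1.8.3-1, so `dpkg -l zabbix-frontend-php` showing an older version means the frontend is still affected.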




Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#594304; Package zabbix. (Wed, 25 Aug 2010 21:39:11 GMT)


Acknowledgement sent to Christoph Haas <email@christoph-haas.de>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Wed, 25 Aug 2010 21:39:11 GMT)


Message #10 received at 594304@bugs.debian.org:

From: Christoph Haas <email@christoph-haas.de>
To: Giuseppe Iuculano <iuculano@debian.org>, 594304@bugs.debian.org
Subject: Re: Bug#594304: CVE-2010-2790: Multiple cross-site scripting (XSS) vulnerabilities
Date: Wed, 25 Aug 2010 23:28:18 +0200

Thanks for the bug report. I'm currently preparing a 1.8.3 package and
will contact the release team. Maybe we can get 1.8.3 into Squeeze then.

Cheers
 Christoph




Reply sent to Christoph Haas <haas@debian.org>:
You have taken responsibility. (Fri, 17 Sep 2010 19:51:19 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Fri, 17 Sep 2010 19:51:19 GMT)


Message #15 received at 594304-close@bugs.debian.org:

From: Christoph Haas <haas@debian.org>
To: 594304-close@bugs.debian.org
Subject: Bug#594304: fixed in zabbix 1:1.8.3-1
Date: Fri, 17 Sep 2010 19:47:24 +0000

Source: zabbix
Source-Version: 1:1.8.3-1

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive:

zabbix-agent_1.8.3-1_amd64.deb
  to main/z/zabbix/zabbix-agent_1.8.3-1_amd64.deb
zabbix-frontend-php_1.8.3-1_all.deb
  to main/z/zabbix/zabbix-frontend-php_1.8.3-1_all.deb
zabbix-proxy-mysql_1.8.3-1_amd64.deb
  to main/z/zabbix/zabbix-proxy-mysql_1.8.3-1_amd64.deb
zabbix-proxy-pgsql_1.8.3-1_amd64.deb
  to main/z/zabbix/zabbix-proxy-pgsql_1.8.3-1_amd64.deb
zabbix-server-mysql_1.8.3-1_amd64.deb
  to main/z/zabbix/zabbix-server-mysql_1.8.3-1_amd64.deb
zabbix-server-pgsql_1.8.3-1_amd64.deb
  to main/z/zabbix/zabbix-server-pgsql_1.8.3-1_amd64.deb
zabbix_1.8.3-1.debian.tar.gz
  to main/z/zabbix/zabbix_1.8.3-1.debian.tar.gz
zabbix_1.8.3-1.dsc
  to main/z/zabbix/zabbix_1.8.3-1.dsc
zabbix_1.8.3.orig.tar.gz
  to main/z/zabbix/zabbix_1.8.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 594304@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Haas <haas@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 21 Aug 2010 15:41:19 +0200
Source: zabbix
Binary: zabbix-agent zabbix-server-mysql zabbix-server-pgsql zabbix-frontend-php zabbix-proxy-pgsql zabbix-proxy-mysql
Architecture: source amd64 all
Version: 1:1.8.3-1
Distribution: unstable
Urgency: low
Maintainer: Christoph Haas <haas@debian.org>
Changed-By: Christoph Haas <haas@debian.org>
Description: 
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 578879 581148 581149 581150 581151 581152 591967 594304
Changes: 
 zabbix (1:1.8.3-1) unstable; urgency=low
 .
   * New upstream release fixes security issue CVE-2010-2790 (closes: #594304)
   * Removed flash clock applet that upstream ships without source
     (closes: #591967)
   * Removed bashism from zabbix agent init.d file (closes: #581148)
   * Removed bashism from zabbix proxy mysql init.d file (closes: #581149)
   * Removed bashism from zabbix proxy pgsql init.d file (closes: #581150)
   * Removed bashism from zabbix server mysql init.d file (closes: #581151)
   * Removed bashism from zabbix server pgsql init.d file (closes: #581152)
   * Added weak dependency on mysql/postgresql in the LSB section of the
     init.d scripts for zabbix-server-mysql and zabbix-server-pgsql
     (closes: #578879)
Checksums-Sha1: 
 502bfe2aed5a62a561b8a5138fa8bde0aef963b3 1526 zabbix_1.8.3-1.dsc
 68f5d1f12897bc69c6ff5deea2bad82b0c1f5761 4106152 zabbix_1.8.3.orig.tar.gz
 aeeee540d25b89538721bd984aee9c89a54f4d74 39329 zabbix_1.8.3-1.debian.tar.gz
 a476c4510b5a5ce8034dc2ffe3aba38d9fb25f86 284888 zabbix-agent_1.8.3-1_amd64.deb
 581ae97ae4962e1738537d9c6fcd8ea4b3d7cd6d 661938 zabbix-server-mysql_1.8.3-1_amd64.deb
 93ae715e2d47ef81998034770b54b0707383a1a9 672740 zabbix-server-pgsql_1.8.3-1_amd64.deb
 f6c27309a8f785d363e67d19f56ecbf064abd0bd 308580 zabbix-proxy-pgsql_1.8.3-1_amd64.deb
 d168f349601459bad33e59d7ab177a74340f2f97 307788 zabbix-proxy-mysql_1.8.3-1_amd64.deb
 8a07015358d749c5c5933ecd30cd400aea2c912b 1895036 zabbix-frontend-php_1.8.3-1_all.deb
Checksums-Sha256: 
 0b9fa5c1e04dc910ea6f93cac1511a9fb68d29368488af2d5117550560a7d0c0 1526 zabbix_1.8.3-1.dsc
 37262d751c9661a361380bf1480d277d81621d8a49c60a81667cbe258021065c 4106152 zabbix_1.8.3.orig.tar.gz
 5ee929be20c9a9e04a36ce7a0c69f09f6b165b032e758800c2104cd06d6caf9b 39329 zabbix_1.8.3-1.debian.tar.gz
 df9f57404630dc219d8692d5af9728198817108446eccbbda039f74553a1d4ce 284888 zabbix-agent_1.8.3-1_amd64.deb
 f6acc6bae6ccbb1153cc3d7fa7205cbb5475c30f99c2a3e2be78a962b313c7e9 661938 zabbix-server-mysql_1.8.3-1_amd64.deb
 176781967d23653993159e05488db6e518b476d85eb055baba7c8aa86af6927c 672740 zabbix-server-pgsql_1.8.3-1_amd64.deb
 cb3dbd4eeea7ee5584f1ed4fadc6452d83b6a974724a453e92d913cb87992e1e 308580 zabbix-proxy-pgsql_1.8.3-1_amd64.deb
 a1769020fc19bd066af1f8198a86df51de483d8c7011fc64cb6bfab1d8eddce6 307788 zabbix-proxy-mysql_1.8.3-1_amd64.deb
 12762db1666ddeccefd64d1de6f7dafa38b4e89a10c0cd9b7ad190b0af62b4ea 1895036 zabbix-frontend-php_1.8.3-1_all.deb
Files: 
 582b758296d546589f8c2b7c56b817c8 1526 net optional zabbix_1.8.3-1.dsc
 575c31880d73f6fe41e730874ebfc633 4106152 net optional zabbix_1.8.3.orig.tar.gz
 b4e0d1ff6dd242ebf3108175a4eb818b 39329 net optional zabbix_1.8.3-1.debian.tar.gz
 c53326cf9064138b446c61b7c9c4753a 284888 net optional zabbix-agent_1.8.3-1_amd64.deb
 ad6632252d74d57301c769a9404b857d 661938 net optional zabbix-server-mysql_1.8.3-1_amd64.deb
 650ed27aab5ee52a520c63844b0fef6f 672740 net optional zabbix-server-pgsql_1.8.3-1_amd64.deb
 6efe466b26074693e125a083716c8dd8 308580 net optional zabbix-proxy-pgsql_1.8.3-1_amd64.deb
 651a300907e72c8ccbe0a1bac7e32709 307788 net optional zabbix-proxy-mysql_1.8.3-1_amd64.deb
 a5e36728584fda41384f7de303d43035 1895036 net optional zabbix-frontend-php_1.8.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyRJWIACgkQCV53xXnMZYbwRgCeIx9YbThnUU+YoquW1C/d1h4s
VooAnR0AcA5g6cyxdAQQW33R7shqNGIL
=oxzB
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 07:42:22 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:00:02 2019; Machine Name: beach
