Security vulnerabilities (CVE-2011-2904, CVE-2011-3263, CVE-2011-3265, CVE-2011-4674)

Debian Bug report logs - #651225

Package: zabbix; Maintainer for zabbix is Dmitry Smirnov <onlyjob@debian.org>;

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Tue, 6 Dec 2011 21:03:02 UTC

Severity: grave

Tags: security

Found in versions 1:1.8.2-1squeeze2, 1:1.8.2-1

Fixed in versions zabbix/1:2.0.1+dfsg-1, 1:1.8.9-1

Done: Christoph Haas <haas@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#651225; Package zabbix. (Tue, 06 Dec 2011 21:03:05 GMT)

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Christoph Haas <haas@debian.org>. (Tue, 06 Dec 2011 21:03:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: Security vulnerabilities (CVE-2011-2904, CVE-2011-3263, CVE-2011-3265, CVE-2011-4674)
Date: Tue, 06 Dec 2011 21:59:21 +0100

Package: zabbix
Version: 1:1.8.2-1squeeze2
Tags: security
Severity: grave

There appear to be several unfixed vulnerabilities in Zabbix in
squeeze, including SQL injection vulnerabilities:

http://security-tracker.debian.org/tracker/CVE-2011-2904
http://security-tracker.debian.org/tracker/CVE-2011-3263
http://security-tracker.debian.org/tracker/CVE-2011-3265
http://security-tracker.debian.org/tracker/CVE-2011-4674

We would appreciate it if you prepared fixed packages and contacted the
security team (preferably with a source debdiff of the proposed
upload).  Thanks.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#651225; Package zabbix. (Tue, 20 Dec 2011 00:27:07 GMT)

Acknowledgement sent to Christoph Haas <haas@debian.org>:
Extra info received and forwarded to list. (Tue, 20 Dec 2011 00:27:07 GMT)

Message #10 received at 651225@bugs.debian.org:

From: Christoph Haas <haas@debian.org>
To: 651225@bugs.debian.org, 652664@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Status on security issues
Date: Tue, 20 Dec 2011 01:15:32 +0100

http://security-tracker.debian.org/tracker/CVE-2011-2904
I have extracted a patch using
svn diff -r r20742:r20789 frontends/php/acknow.php
from the upstream sources.

http://security-tracker.debian.org/tracker/CVE-2011-3263
I have extracted a patch using
svn diff -r r19527:r19561
from the upstream sources.

http://security-tracker.debian.org/tracker/CVE-2011-3265
I could not determine a proper minimal patch and am waiting for the
upstream developers' support. This issue was fixed in 1.8.6 and thus
does not affect "sid".

http://security-tracker.debian.org/tracker/CVE-2011-4674
I could not determine a proper minimal patch and am waiting for the
upstream developers' support. This issue was fixed in 1.8.4 and does not
affect "sid".

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652664
https://support.zabbix.com/browse/ZBX-4015
I could not determine a proper minimal patch and am waiting for the
upstream developers' support. For "sid" we can wait for 1.8.10 to have
the issue fixed.

Would you like to get a minimal patch for the first two issues already?
Or rather wait for the upstream response of the remaining three issues?

…Christoph




Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#651225; Package zabbix. (Mon, 26 Dec 2011 11:57:14 GMT)

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Mon, 26 Dec 2011 11:57:17 GMT)

Message #15 received at 651225@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Christoph Haas <haas@debian.org>
Cc: 651225@bugs.debian.org, 652664@bugs.debian.org
Subject: Re: Status on security issues
Date: Mon, 26 Dec 2011 12:55:55 +0100

On Tue, Dec 20, 2011 at 01:15:32AM +0100, Christoph Haas wrote:
> http://security-tracker.debian.org/tracker/CVE-2011-2904
> I have extracted a patch using
> svn diff -r r20742:r20789 frontends/php/acknow.php
> from the upstream sources.
> 
> http://security-tracker.debian.org/tracker/CVE-2011-3263
> I have extracted a patch using
> svn diff -r r19527:r19561
> from the upstream sources.
> 
> http://security-tracker.debian.org/tracker/CVE-2011-3265
> I could not determine a proper minimal patch and am waiting for the
> upstream developers' support. This issue was fixed in 1.8.6 and thus
> does not affect "sid".
> 
> http://security-tracker.debian.org/tracker/CVE-2011-4674
> I could not determine a proper minimal patch and am waiting for the
> upstream developers' support. This issue was fixed in 1.8.4 and does not
> affect "sid".
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652664
> https://support.zabbix.com/browse/ZBX-4015
> I could not determine a proper minimal patch and am waiting for the
> upstream developers' support. For "sid" we can wait for 1.8.10 to have
> the issue fixed.
> 
> Would you like to get a minimal patch for the first two issues already?
> Or rather wait for the upstream response of the remaining three issues?

Let's rather wait until we have a complete patch set.

Thanks,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#651225; Package zabbix. (Sun, 01 Jan 2012 18:42:03 GMT)

Acknowledgement sent to Christoph Haas <haas@debian.org>:
Extra info received and forwarded to list. (Sun, 01 Jan 2012 18:42:03 GMT)

Message #20 received at 651225@bugs.debian.org:

From: Christoph Haas <haas@debian.org>
To: 651225@bugs.debian.org
Subject: Concerning hobbits…
Date: Sun, 01 Jan 2012 19:39:05 +0100

I have talked to the upstream developers and they are still evaluating
(within their means) whether a decent backported patch for 1.8.2 can be
provided. They have pointed me to using the newer version instead that
has the security flaws fixed. And I have of course explained the Debian
policy to them that doesn't allow it and they understand it but perhaps
can't help here. I am still waiting for their feedback but don't have
much hope.

Meanwhile I have tried to determine the kind of patch they did to fix
the bugs. But unfortunately those security bugs were fixed along with
other patches in a big commit/patchset. Not being a decent PHP coder I
failed to backport the patches myself.

What will we do if upstream can't help either?

Cheers
 Christoph




Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#651225; Package zabbix. (Sat, 25 Feb 2012 15:45:18 GMT)

Acknowledgement sent to Harald Dunkel <harri@afaics.de>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Sat, 25 Feb 2012 15:45:18 GMT)

Message #25 received at 651225@bugs.debian.org:

From: Harald Dunkel <harri@afaics.de>
To: 651225@bugs.debian.org
Subject: Re: Security vulnerabilities (CVE-2011-2904, CVE-2011-3263, CVE-2011-3265, CVE-2011-4674)
Date: Sat, 25 Feb 2012 16:37:53 +0100

I am running 1.8.6 and 1.8.10 backported to Squeeze for quite
some time. They build fine and work nicely. If it is allowed to
make a suggestion:

If you don't want to upgrade Zabbix in Squeeze to version
1.8.10, and if upstream doesn't provide patches for the
security problems in 1.8.2, then I do not see any other
way than to drop 1.8.2 from Squeeze and to rely upon
debian-backports to provide an up-to-date version.


Regards

Harri




Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#651225; Package zabbix. (Sun, 18 Mar 2012 14:06:03 GMT)

Acknowledgement sent to Christoph Haas <email@christoph-haas.de>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Sun, 18 Mar 2012 14:06:03 GMT)

Message #30 received at 651225@bugs.debian.org:

From: Christoph Haas <email@christoph-haas.de>
To: Harald Dunkel <harri@afaics.de>, 651225@bugs.debian.org
Subject: Re: Bug#651225: Security vulnerabilities (CVE-2011-2904, CVE-2011-3263, CVE-2011-3265, CVE-2011-4674)
Date: Sun, 18 Mar 2012 14:54:41 +0100

I have received a very simple patch from the upstream developers
(perhaps) fixing just a minor issue regarding one of the several
reported security issues.

I'm giving up here trying to get a security patch. There are way too
many changes across the versions and upstream doesn't have resources to
figure out the exact patches and backport them to 1.8.2. So (@security
team) what do we do? Live with it? Maintain a backport? Drop the
package? I'm screwed…

…Christoph




Reply sent to Christoph Haas <haas@debian.org>:
You have taken responsibility. (Mon, 30 Jul 2012 20:51:09 GMT)

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. (Mon, 30 Jul 2012 20:51:09 GMT)

Message #35 received at 651225-close@bugs.debian.org:

From: Christoph Haas <haas@debian.org>
To: 651225-close@bugs.debian.org
Subject: Bug#651225: fixed in zabbix 1:2.0.1+dfsg-1
Date: Mon, 30 Jul 2012 20:50:28 +0000

Source: zabbix
Source-Version: 1:2.0.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 651225@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Haas <haas@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 24 May 2012 00:34:04 +0200
Source: zabbix
Binary: zabbix-agent zabbix-frontend-php zabbix-proxy-mysql zabbix-proxy-pgsql zabbix-proxy-sqlite3 zabbix-server-mysql zabbix-server-pgsql
Architecture: source amd64 all
Version: 1:2.0.1+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Christoph Haas <haas@debian.org>
Changed-By: Christoph Haas <haas@debian.org>
Description: 
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-proxy-sqlite3 - network monitoring solution - proxy (using SQLite3)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 651225 664067 674175 674941
Changes: 
 zabbix (1:2.0.1+dfsg-1) unstable; urgency=low
 .
   [ Christoph Haas ]
   * New upstream release. (closes: #674941, #674175, #651225)
   * Scriptaculous Javascript library removed.
   * Configure option --with-pgsql renamed to --with-postgresql
   * Added 'status' option in usage description of init.d files (closes:
     #664067)
   * Removed dbconfig-common. Reasons are explained in debian/TODO.Debian
   * Removed debconf and corresponding .po files.
   * Removed automatic configuration of frontend-php to reduce divergence
     from upstream installation instructions.
   * Documented database installation/upgrade.
   * Introduced /etc/default files to control services' automatic startup.
 .
   [ Dmitry Smirnov ]
   * Added new 'zabbix-server-sqlite3' package
   * Refactored debian/rules for newer debhelper & compat v9
     + hardening
     + automatic parallel build on linux
     + use dh-autoreconf instead of autotools-dev
     + --as-needed to reduce needless linking (when available)
     + updated path to '--sysconfdir' configure option
     + conditional '--with-openipmi' depending on library availability
   * debian/control:
     + standards to 3.9.3
     + added Homepage
     - dropped 'quilt' from Build-Depends
     + Build-Depends list sorted and updated
     + exclude libopenipmi-dev from Build-Depends on "hurd" and "arm"
     + zabbix-backends-php to Suggests php5 backends
     + added myself to Uploaders
     + DM-Upload-Allowed: yes! (Thanks Christoph)
     + sorted packages alphabetically
   * added sample configuration for 'nginx' web server
   * added missing man page
   * install patched upstream man pages instead of embedded ones
   * consolidated .logrotate and .manpages with symbolic links
   * introduced postrotate to zabbix-agent.logrotate
   * moved note about PHP settings to README.Debian
     in zabbix-frontend-php package
   * Documented miscellaneous issues in README.source
   * debian/copyright to copyright-format-1.0
   * new patches:
     + to correct paths in SQL schema upgrade files
     + to correct path in man pages
     + to correct man pages section numbers (ZBX-5166)
     + to replace 'nocrypto' patch with better one
     + to fix columns sorting in frontend-php (ZBX-4986)
   * DFSG-repackaging of upstream source
   * debian source compression to .xz
   * lintianisation
   * compress *.sql files in zabbix-server-* packages
   * updated *.init files to:
     + check and report if daemon is already running.
     + always invoke 'chown', not just when the directory does not exist.
     + move variables definition section above defaults file import
       to allow potential customising and redefining.
     + use more up-to-date syntax.
     + use LSB functions for messages output.
     + capture daemon output and integrate it to LSB messaging.
     + TERM/30/KILL/5 when daemon is not stopping.
     + report status using status_of_proc.





Marked as found in versions 1:1.8.2-1. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Thu, 06 Sep 2012 07:09:02 GMT)

Marked as fixed in versions 1:1.8.9-1. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Thu, 06 Sep 2012 07:21:07 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Jun 2013 07:59:20 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:06:06 2019; Machine Name: buxtehude
