Related Vulnerabilities: CVE-2017-2824 CVE-2017-2825

Source

Debian Bug report logs - #863584
zabbix: CVE-2017-2824 CVE-2017-2825

Package: src:zabbix; Maintainer for src:zabbix is Dmitry Smirnov <onlyjob@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 28 May 2017 20:45:05 UTC

Severity: grave

Tags: security

Found in version zabbix/1:2.2.7+dfsg-2

Fixed in versions zabbix/1:3.0.7+dfsg-3, zabbix/1:2.2.7+dfsg-2+deb8u3

Done: Dmitry Smirnov <onlyjob@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://support.zabbix.com/browse/ZBX-12075

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#863584; Package src:zabbix. (Sun, 28 May 2017 20:45:07 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dmitry Smirnov <onlyjob@debian.org>. (Sun, 28 May 2017 20:45:07 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: zabbix
Severity: grave
Tags: security

Please see
http://www.talosintelligence.com/reports/TALOS-2017-0325/
http://www.talosintelligence.com/reports/TALOS-2017-0326/

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#863584; Package src:zabbix. (Mon, 29 May 2017 05:45:02 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Mon, 29 May 2017 05:45:03 GMT) (full text, mbox, link).

Message #10 received at 863584@bugs.debian.org (full text, mbox, reply):

Control: retitle zabbix: CVE-2017-2824 CVE-2017-2825

On Sun, May 28, 2017 at 10:42:47PM +0200, Moritz Muehlenhoff wrote:
> Source: zabbix
> Severity: grave
> Tags: security
> 
> Please see
> http://www.talosintelligence.com/reports/TALOS-2017-0325/
> http://www.talosintelligence.com/reports/TALOS-2017-0326/

The second one now leads to a 404, looks like TALOS report has a
whiespace suffixed in the URL,
https://www.talosintelligence.com/reports/TALOS-2017-0326%20/ should
work.

And looks the CVE was corrected as well (previously both referenced
CVE-2017-2824).

Regards,
Salvatore

Changed Bug title to 'zabbix: CVE-2017-2824 CVE-2017-2825' from 'CVE-2017-2824'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 May 2017 06:24:03 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#863584; Package src:zabbix. (Mon, 29 May 2017 09:18:02 GMT) (full text, mbox, link).

Acknowledgement sent to Alexei Vladishev <alexei.vladishev@zabbix.com>:
Extra info received and forwarded to list. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Mon, 29 May 2017 09:18:02 GMT) (full text, mbox, link).

Message #17 received at submit@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hey all,

Upstream here. Both issues has already been fixed under https://support.zabbix.com/browse/ZBX-12075 <https://support.zabbix.com/browse/ZBX-12075>.

Kind regards,
Alexei

> On 28 May 2017, at 23:42, Moritz Muehlenhoff <jmm@debian.org> wrote:
> 
> Source: zabbix
> Severity: grave
> Tags: security
> 
> Please see
> http://www.talosintelligence.com/reports/TALOS-2017-0325/
> http://www.talosintelligence.com/reports/TALOS-2017-0326/
> 
> Cheers,
>        Moritz
> 
>

[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#863584; Package src:zabbix. (Mon, 29 May 2017 09:18:07 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#863584; Package src:zabbix. (Wed, 31 May 2017 21:00:03 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Wed, 31 May 2017 21:00:03 GMT) (full text, mbox, link).

Message #27 received at 863584@bugs.debian.org (full text, mbox, reply):

On Mon, May 29, 2017 at 12:05:59PM +0300, Alexei Vladishev wrote:
> Hey all,
> 
> Upstream here. Both issues has already been fixed under https://support.zabbix.com/browse/ZBX-12075 <https://support.zabbix.com/browse/ZBX-12075>.

Dmitry, can you please upload a fix in time for the stretch release?

Cheers,
       Moritz

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#863584; Package src:zabbix. (Thu, 01 Jun 2017 21:27:02 GMT) (full text, mbox, link).

Acknowledgement sent to Dmitry Smirnov <onlyjob@debian.org>:
Extra info received and forwarded to list. (Thu, 01 Jun 2017 21:27:02 GMT) (full text, mbox, link).

Message #32 received at 863584@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Wednesday, 31 May 2017 10:57:01 PM AEST Moritz Mühlenhoff wrote:
> Dmitry, can you please upload a fix in time for the stretch release?

I'm planning to work on it this weekend... I'll let you know how it goes.

-- 
Best wishes,
 Dmitry Smirnov.

---

The more false we destroy the more room there will be for the true.
         -- Robert G. Ingersoll, 1902

[signature.asc (application/pgp-signature, inline)]

Added tag(s) stretch-ignore. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Sat, 03 Jun 2017 18:36:03 GMT) (full text, mbox, link).

Set Bug forwarded-to-address to 'https://support.zabbix.com/browse/ZBX-12075'. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Sun, 04 Jun 2017 07:39:02 GMT) (full text, mbox, link).

Added tag(s) pending. Request was from Dmitry Smirnov <onlyjob@member.fsf.org> to control@bugs.debian.org. (Sun, 04 Jun 2017 07:45:09 GMT) (full text, mbox, link).

Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#863584. (Sun, 04 Jun 2017 07:45:11 GMT) (full text, mbox, link).

Message #41 received at 863584-submitter@bugs.debian.org (full text, mbox, reply):

tag 863584 pending
--

We believe that the bug #863584 you reported has been fixed in the Git
repository. You can see the commit message below and/or inspect the
commit contents at:

    http://anonscm.debian.org/cgit/collab-maint/zabbix.git/diff/?id=ea3c3ea

(This message was generated automatically by
 'git-post-receive-tag-pending-commitmsg' hook).
---
commit ea3c3ea (HEAD, master)
Author: Dmitry Smirnov <onlyjob@member.fsf.org>
Date:   Sun Jun 4 07:32:25 2017

    New upstream patches to fix CVE-2017-2824, CVE-2017-2825 (Closes: #863584).

Reply sent to Dmitry Smirnov <onlyjob@debian.org>:
You have taken responsibility. (Sun, 04 Jun 2017 09:12:25 GMT) (full text, mbox, link).

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 04 Jun 2017 09:12:25 GMT) (full text, mbox, link).

Message #46 received at 863584-close@bugs.debian.org (full text, mbox, reply):

Source: zabbix
Source-Version: 1:3.0.7+dfsg-3

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863584@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <onlyjob@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Jun 2017 17:14:06 +1000
Source: zabbix
Binary: zabbix-agent zabbix-frontend-php zabbix-java-gateway zabbix-proxy-mysql zabbix-proxy-pgsql zabbix-proxy-sqlite3 zabbix-server-mysql zabbix-server-pgsql
Architecture: source amd64 all
Version: 1:3.0.7+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Dmitry Smirnov <onlyjob@debian.org>
Changed-By: Dmitry Smirnov <onlyjob@debian.org>
Description:
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-java-gateway - network monitoring solution - Java gateway
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-proxy-sqlite3 - network monitoring solution - proxy (using SQLite3)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 863584
Changes:
 zabbix (1:3.0.7+dfsg-3) unstable; urgency=high
 .
   * CVE-2017-2824, CVE-2017-2825: new upstream patches
     "ZBX-12075_r67082.patch", "ZBX-12075_r67270.patch" (Closes: #863584).
Checksums-Sha1:
 78e2b8d492cc9677c87000d4f2dd0ac7a432468d 2867 zabbix_3.0.7+dfsg-3.dsc
 f80bdffaa08e3965fece10d98de1d279844353a7 191616 zabbix_3.0.7+dfsg-3.debian.tar.xz
 4f49bb699f99afc5f27e57c7230d500dacae6fcc 536758 zabbix-agent-dbgsym_3.0.7+dfsg-3_amd64.deb
 b3497fdbb31e57f3fc75cd1393132da34b78a8bc 399120 zabbix-agent_3.0.7+dfsg-3_amd64.deb
 8e6964090fac871105ff1d45a9bb67cb2dbd2980 2018804 zabbix-frontend-php_3.0.7+dfsg-3_all.deb
 d4ae05af144c3bcd41f0785c4a97479f506e7c76 242242 zabbix-java-gateway_3.0.7+dfsg-3_all.deb
 e74748b352cccaa72cf6b573d3b29991dbce0b52 1176636 zabbix-proxy-mysql-dbgsym_3.0.7+dfsg-3_amd64.deb
 084968c8586cdfcb218ee0a00971a0eaf85c2898 687510 zabbix-proxy-mysql_3.0.7+dfsg-3_amd64.deb
 3b207b98b618ca5b4fc4f2491c91bfac5a688ce0 1178570 zabbix-proxy-pgsql-dbgsym_3.0.7+dfsg-3_amd64.deb
 1371afcd6ea3bd2a0cf81fc689563feb40f12315 687324 zabbix-proxy-pgsql_3.0.7+dfsg-3_amd64.deb
 b33612af053160d3af8a0788c1c33e07cdac57f3 1142036 zabbix-proxy-sqlite3-dbgsym_3.0.7+dfsg-3_amd64.deb
 76e42b988d52cb452d660f07303d0ec31242334a 672396 zabbix-proxy-sqlite3_3.0.7+dfsg-3_amd64.deb
 69e3c6e4d2e7f20a72808a1841bd170938a783c5 1269202 zabbix-server-mysql-dbgsym_3.0.7+dfsg-3_amd64.deb
 d8c1e8f2eb3055c64e3f2ef96ce5a842e851ce5f 1866158 zabbix-server-mysql_3.0.7+dfsg-3_amd64.deb
 504baedf41dbc1d1a4313db84a273063e0fa139f 1265374 zabbix-server-pgsql-dbgsym_3.0.7+dfsg-3_amd64.deb
 ea86bbdf494826ea221d86ebf7a1faa732f81163 1866234 zabbix-server-pgsql_3.0.7+dfsg-3_amd64.deb
 e3bcaf762e1bca879b47a45e9efda38ca256af11 17130 zabbix_3.0.7+dfsg-3_amd64.buildinfo
Checksums-Sha256:
 e482dc86c127ea9e7c9dd783bb39034dd413c420c3751e263033cf1b1bf43f8d 2867 zabbix_3.0.7+dfsg-3.dsc
 380cc9f629d6190bf7b11d96833cb24eb0f1c90f272316b1a814f2cea08ed9ef 191616 zabbix_3.0.7+dfsg-3.debian.tar.xz
 3272dc1a10212fa9f441a8ea30019a9c6a9ce5c5ccc878d99758135de7df3da9 536758 zabbix-agent-dbgsym_3.0.7+dfsg-3_amd64.deb
 ea8e4454416cb84c8b6fee032b1ee2bce710a63fc55a8b1626f278bd9155fc29 399120 zabbix-agent_3.0.7+dfsg-3_amd64.deb
 1de489826105daa43d870a4813266ca9e22cc2df88636a8ce2818ed5eacd1cc1 2018804 zabbix-frontend-php_3.0.7+dfsg-3_all.deb
 ec55a0341bdedb8a0ecf67d580fb4720f6f21fead5475da02bfdd57c45934cfb 242242 zabbix-java-gateway_3.0.7+dfsg-3_all.deb
 d56627fe8d8484f960ccde8e2a9aeef0daa8458a3d50a397ad4776857d8503b3 1176636 zabbix-proxy-mysql-dbgsym_3.0.7+dfsg-3_amd64.deb
 99d0f928af737621c0b6d920e419b30f34e57699b40fd17591f3afd6611ff3fa 687510 zabbix-proxy-mysql_3.0.7+dfsg-3_amd64.deb
 0fc70a89dfc0f4ee5cf85f114306f8c2018ff700e46418502df2cd67ddf9de55 1178570 zabbix-proxy-pgsql-dbgsym_3.0.7+dfsg-3_amd64.deb
 b569dc7f10121850f284947eeaf47eaeee31cee098e1ee3ab16e1fcf6162702b 687324 zabbix-proxy-pgsql_3.0.7+dfsg-3_amd64.deb
 4de8943542c6f2e1ae0b37837c6de0e7ce977a2d3a3c2207525209c47f757ece 1142036 zabbix-proxy-sqlite3-dbgsym_3.0.7+dfsg-3_amd64.deb
 b5dcbbaa26d081107ef6e009fe26bb82802a7c26683b6d849bcc0212b4db783a 672396 zabbix-proxy-sqlite3_3.0.7+dfsg-3_amd64.deb
 b3ee6ee16e336a02a83a18892d190640794a5af1b6ff59e0db98b53ba937c5d4 1269202 zabbix-server-mysql-dbgsym_3.0.7+dfsg-3_amd64.deb
 da3b2483d4f532cc0569fb2baf957840ee039de48616808e01f412adc3d6507e 1866158 zabbix-server-mysql_3.0.7+dfsg-3_amd64.deb
 b9cccf0b9160f8a65d9b9a6b3417c67a24bcaadce27cf0343fe448c79906904e 1265374 zabbix-server-pgsql-dbgsym_3.0.7+dfsg-3_amd64.deb
 ca80d7c18c07638eafd168b65867167aac1e08fb29537de7953e8889910b875a 1866234 zabbix-server-pgsql_3.0.7+dfsg-3_amd64.deb
 090f79bfd364d797cacfa09cd94d3cdb9d467da8c9c41ce9f34085eff404bcbd 17130 zabbix_3.0.7+dfsg-3_amd64.buildinfo
Files:
 b5927009ca46275318c8a0c1c3bef828 2867 net optional zabbix_3.0.7+dfsg-3.dsc
 68ab57fbfa293d584414036875e360eb 191616 net optional zabbix_3.0.7+dfsg-3.debian.tar.xz
 d64ec75d5b87cf686f1099055459516c 536758 debug extra zabbix-agent-dbgsym_3.0.7+dfsg-3_amd64.deb
 32dc840ec10155bb5a370ac4f25828bf 399120 net optional zabbix-agent_3.0.7+dfsg-3_amd64.deb
 833bbfdec2bdeb06a75b48a8b7435f52 2018804 net optional zabbix-frontend-php_3.0.7+dfsg-3_all.deb
 274dcbdbc646321e25cc96b485393760 242242 net optional zabbix-java-gateway_3.0.7+dfsg-3_all.deb
 6adab51b92522cc87004884a6a154eed 1176636 debug extra zabbix-proxy-mysql-dbgsym_3.0.7+dfsg-3_amd64.deb
 7f7bbc8564995085b336f8ea07c25245 687510 net optional zabbix-proxy-mysql_3.0.7+dfsg-3_amd64.deb
 23562893d1bfd43d1a9347a5014bfc0e 1178570 debug extra zabbix-proxy-pgsql-dbgsym_3.0.7+dfsg-3_amd64.deb
 de404ce8e83e463a217bc95aa5e8d3d1 687324 net optional zabbix-proxy-pgsql_3.0.7+dfsg-3_amd64.deb
 ed0bc72cfe20cf881e42b2dbbc8d05cc 1142036 debug extra zabbix-proxy-sqlite3-dbgsym_3.0.7+dfsg-3_amd64.deb
 42df7a2cf9f4d6355d8e45d79a3f871f 672396 net optional zabbix-proxy-sqlite3_3.0.7+dfsg-3_amd64.deb
 4dcd466d15651b22ce0e14ed3fe6bc6b 1269202 debug extra zabbix-server-mysql-dbgsym_3.0.7+dfsg-3_amd64.deb
 57b77d016e26b199ce713d21dae50658 1866158 net optional zabbix-server-mysql_3.0.7+dfsg-3_amd64.deb
 60590407b3021ee765d032fb6dd34bbd 1265374 debug extra zabbix-server-pgsql-dbgsym_3.0.7+dfsg-3_amd64.deb
 582eace51b76697c837cecba800b3446 1866234 net optional zabbix-server-pgsql_3.0.7+dfsg-3_amd64.deb
 dbb3b1aeeafcfb06ee2c87c9c5ff5c31 17130 net optional zabbix_3.0.7+dfsg-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEULx8+TnSDCcqawZWUra72VOWjRsFAlkzt3EACgkQUra72VOW
jRsB9BAAjSuoumFxZP6hyvMcguM+raUEVqJS1a1WkQO3eyqjhGrIKN18m2txPA5M
ohLjsQnxMi1vv1tEi9VHb2vXDiXl2JvZj27iiGPmEEhPGHtPOJ/ylXoK3tH4uoZR
/TZN+wVbQxahY+FY+9JK8wrrJuAe51G4AoEmPlnhwWJZ4ukLpqMJlgWbQppzKRBX
4MFNHdxuIYgS9NCvUBOAZPtGutv8SAZeri03N7uKqP95ea6clt0SeIF7IL+NCNaB
9d7IZr52fH1iAGsmcCdIZ+Eb/LEVFXtNEB66s6hjtfaGcBv/C13Jmb2i7tigaHxn
DKPvH9L4myR2+TxYcktcWghvQ+nmoyTuOHhXgW5AKonMtTuqi0nyR/XZS3QePlDY
Az/NH6rwD/eEEicBG79oVjKbPdGb+tQE6OEKNT0TGPahlLV4/APppah/+JndOccS
MxZncPNB2UdhZ0dDUgxB04QZ4VN7cN/QV69W/JhDCElMcrACxo3Zp/Nr+0QAMkpT
o/vKqYSK1Tlq+nM2+FohsW1gUy8sOZE6eTe0jsKFaXwsSF8pVNrqIKJEFiEVe6fA
0K36ZskrXidjL4PmLLcNcrA+p5ugLtIg2DT/Em59pt4YPZx2Vf4LlmHh9zBsyccv
AYt+HVlubb4vUwHzYDGPT+gcknyEeo4k1KY7vqMSDfpw6biLIwM=
=543P
-----END PGP SIGNATURE-----

Removed tag(s) stretch-ignore. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Sun, 04 Jun 2017 17:39:03 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#863584; Package src:zabbix. (Fri, 09 Jun 2017 19:30:06 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Fri, 09 Jun 2017 19:30:06 GMT) (full text, mbox, link).

Message #53 received at 863584@bugs.debian.org (full text, mbox, reply):

On Fri, Jun 02, 2017 at 07:22:20AM +1000, Dmitry Smirnov wrote:
> On Wednesday, 31 May 2017 10:57:01 PM AEST Moritz Mühlenhoff wrote:
> > Dmitry, can you please upload a fix in time for the stretch release?
> 
> I'm planning to work on it this weekend... I'll let you know how it goes.

Please also prepare an update for jessie-security.

Cheers,
        Moritz

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:53:12 GMT) (full text, mbox, link).

Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Aug 2017 05:39:03 GMT) (full text, mbox, link).

Marked as fixed in versions zabbix/1:2.2.7+dfsg-2+deb8u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Aug 2017 05:39:03 GMT) (full text, mbox, link).

Marked as found in versions zabbix/1:2.2.7+dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Aug 2017 05:45:03 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Sep 2017 07:29:15 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:38:15 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

zabbix: CVE-2017-2824 CVE-2017-2825

Debian Bug report logs - #863584
zabbix: CVE-2017-2824 CVE-2017-2825

Vulmon Search

About

Products

Connect

zabbix: CVE-2017-2824 CVE-2017-2825

Debian Bug report logs - #863584 zabbix: CVE-2017-2824 CVE-2017-2825

Vulmon Search

About

Products

Connect

Debian Bug report logs - #863584
zabbix: CVE-2017-2824 CVE-2017-2825