Your message dated Tue, 02 Jun 2009 05:17:05 +0000
with message-id <e1mbmmz-0005o4...@ries.debian.org>
and subject line Bug#497640: fixed in zoneminder 1.24.1-1
has caused the Debian Bug report #497640,
regarding zoneminder: Several security issues (XSS, SQL injection, Command injection)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
497640: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497640
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zoneminder
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for zoneminder.

CVE-2008-3882[0]:
| ZoneMinder 1.23.3 and earlier allows remote attackers to execute
| arbitrary commands (aka "Command Injection") via (1) the executeFilter
| function in zm_html_view_events.php and (2) the run_state parameter to
| zm_html_view_state.php.

CVE-2008-3881[1]:
| Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder
| 1.23.3 and earlier allow remote attackers to inject arbitrary web
| script or HTML via unspecified parameters to unspecified
| "zm_html_view_*.php" files.

CVE-2008-3880[2]:
| SQL injection vulnerability in zm_html_view_event.php in ZoneMinder
| 1.23.3 and earlier allows remote attackers to execute arbitrary SQL
| commands via the filter array parameter.

Another security report including all the vulnerabilities can be found here[3].

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3882
    http://security-tracker.debian.net/tracker/CVE-2008-3882
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3881
    http://security-tracker.debian.net/tracker/CVE-2008-3881
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3880
    http://security-tracker.debian.net/tracker/CVE-2008-3880
[3] http://www.securityfocus.com/archive/1/archive/1/495745/100/0/threaded

Cheers
Steffen



--- End Message ---
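As an added illustration of the defensive pattern behind the SQL-injection item above (this is not ZoneMinder's code and not part of the bug report; the `Events` table, its column names and the sample rows are constructed for the example): a filter-array-to-SQL builder that maps attribute and operator names through allow-lists and binds every value as a query parameter, so a filter term can never change the shape of the query. It uses Python's `sqlite3` only because that runs anywhere; the same structure applies to a PHP/MySQL frontend.

```python
import sqlite3

# Constructed sample data standing in for a camera-event table
# (hypothetical schema, not ZoneMinder's).
SAMPLE_EVENTS = [
    (1, 1, "Motion", 120.5),
    (2, 1, "Forced", 3.0),
    (3, 2, "Motion", 45.2),
]

# Allow-lists: only these names may ever appear in the SQL text.
ALLOWED_COLUMNS = {"MonitorId": "MonitorId", "Cause": "Cause", "Length": "Length"}
ALLOWED_OPERATORS = {"=": "=", "!=": "!=", "<": "<", ">": ">", "<=": "<=", ">=": ">="}
ALLOWED_CONJUNCTIONS = {"and": "AND", "or": "OR"}


def build_filter_query(terms):
    """Translate a filter array into (sql_text, parameter_list).

    Each term is a dict: {"attr": column, "op": operator, "val": value,
    "cnj": "and"|"or"}.  Column, operator and conjunction names are looked
    up in allow-lists and rejected if unknown; values never touch the SQL
    text, they are only passed to the driver as bound parameters.
    """
    sql = "SELECT Id FROM Events"
    clauses = []
    params = []
    for i, term in enumerate(terms):
        column = ALLOWED_COLUMNS.get(term.get("attr"))
        operator = ALLOWED_OPERATORS.get(term.get("op"))
        if column is None or operator is None:
            raise ValueError("unsupported filter attribute or operator")
        clause = f"{column} {operator} ?"
        if i > 0:
            cnj = ALLOWED_CONJUNCTIONS.get(str(term.get("cnj", "and")).lower())
            if cnj is None:
                raise ValueError("unsupported conjunction")
            clause = f"{cnj} {clause}"
        clauses.append(clause)
        params.append(term["val"])
    if clauses:
        sql += " WHERE " + " ".join(clauses)
    return sql + " ORDER BY Id", params


def run_filter(terms):
    """Build the query and run it against an in-memory copy of the sample
    table; returns the matching event ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Events (Id INTEGER, MonitorId INTEGER, Cause TEXT, Length REAL)"
    )
    conn.executemany("INSERT INTO Events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    sql, params = build_filter_query(terms)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(run_filter([{"attr": "MonitorId", "op": "=", "val": 1}]))
    # A value containing SQL syntax is compared as a plain string and matches nothing.
    print(run_filter([{"attr": "Cause", "op": "=", "val": "Motion' OR '1'='1"}]))
```

The two checks that matter are visible in `build_filter_query`: identifiers (column, operator, conjunction) come only from fixed tables, and values are returned separately for parameter binding rather than concatenated. A term naming an unknown column raises instead of reaching the database, and a value that happens to contain quote characters is simply a string that matches no row.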
--- Begin Message ---
Source: zoneminder
Source-Version: 1.24.1-1

We believe that the bug you reported is fixed in the latest version of
zoneminder, which is due to be installed in the Debian FTP archive:

zoneminder_1.24.1-1.diff.gz
  to pool/main/z/zoneminder/zoneminder_1.24.1-1.diff.gz
zoneminder_1.24.1-1.dsc
  to pool/main/z/zoneminder/zoneminder_1.24.1-1.dsc
zoneminder_1.24.1-1_i386.deb
  to pool/main/z/zoneminder/zoneminder_1.24.1-1_i386.deb
zoneminder_1.24.1.orig.tar.gz
  to pool/main/z/zoneminder/zoneminder_1.24.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 497...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Howard <p...@northern-ridge.com.au> (supplier of updated zoneminder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 16 May 2009 07:02:50 +1000
Source: zoneminder
Binary: zoneminder
Architecture: source i386
Version: 1.24.1-1
Distribution: unstable
Urgency: high
Maintainer: Peter Howard <p...@northern-ridge.com.au>
Changed-By: Peter Howard <p...@northern-ridge.com.au>
Description: 
 zoneminder - Linux video camera security and surveillance solution
Closes: 486064 497640 526918 528252
Changes: 
 zoneminder (1.24.1-1) unstable; urgency=high
 .
   * Initial release of zoneminder 1.24.1, closing CVE-2008-3882,
     CVE-2008-3881, CVE-2008-3880
     (closes: #497640)
   * Change syslog dependency to rsyslog.
     (closes: #526918)
   * Add missing perl dependency.
   * Restore patch to disable "check for updates" by default.
   * Removed spurious '$' in init script.
     (closes: #486064)
   * Change permission of zm.conf from 0600 to 0400 for CVE-2008-6755
     (closes: #528252)
Checksums-Sha1: 
 cf1110cd5560c692a3b6651de4558a55d72cf690 1358 zoneminder_1.24.1-1.dsc
 dbfc665434913564993403711e9dd3a85a72158c 894667 zoneminder_1.24.1.orig.tar.gz
 e33036cb76d819e77209055e8f79c1861cd8ced8 34335 zoneminder_1.24.1-1.diff.gz
 b3cf4c223d9bceb497640a9f1545feca21eb6846 1409582 zoneminder_1.24.1-1_i386.deb
Checksums-Sha256: 
 1d4578fdeb98b6edc18a9734799f33810d5c2aa980d73ac0da6a5b5193959486 1358 zoneminder_1.24.1-1.dsc
 53a1514413cb401e0945fad009483e560a9a4d2e0ba40350988ca87fbb860ab2 894667 zoneminder_1.24.1.orig.tar.gz
 b5ae1df341ae295d1c64eed348498bb86fbc2be1d1d3268541508c98ed40f70e 34335 zoneminder_1.24.1-1.diff.gz
 577f7d113cd3abed23af98ed4aa8524b35c6589f2b967cbb4213374a3369e47e 1409582 zoneminder_1.24.1-1_i386.deb
Files: 
 cab6c87427894ae5a8cf13f07e7c7d09 1358 net optional zoneminder_1.24.1-1.dsc
 1e4ce392d645cbb28037ecebc5a56584 894667 net optional zoneminder_1.24.1.orig.tar.gz
 b16b05e0148974f30224c41f85817073 34335 net optional zoneminder_1.24.1-1.diff.gz
 413f13e249d32e110aed83ab2e41c83e 1409582 net optional zoneminder_1.24.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoksi4ACgkQCfB0CMh//C+UnQCeIhFae6h8jdDy6v2LWz8SSjkB
88MAoKAhjaN3XLY3ROhbEmJmmgTR7/0H
=23sC
-----END PGP SIGNATURE-----



--- End Message ---
