Your message dated Sun, 4 Jun 2017 16:01:29 +0100
with message-id <20170604150129.jxkv65qx6bmy3...@powdarrmonkey.net>
and subject line Re: Bug#864084: unblock: zabbix/1:3.0.7+dfsg-3
has caused the Debian Bug report #864084,
regarding unblock: zabbix/1:3.0.7+dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864084: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864084
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Affects: -1 zabbix
X-Debbugs-CC: j...@debian.org
 
Please unblock zabbix/1:3.0.7+dfsg-3

I would like to accommodate two attached diffs to Stretch please.
One fixes defunctional UI (broken by incompatible libjs-jquery) and
another fixes two security vulnerabilities as per #863584.

Thanks.

-- 
All the best,
 Dmitry Smirnov.

Attachment: signature.asc
Description: This is a digitally signed message part.

diff --git a/debian/changelog b/debian/changelog
index d570c6d..755bc59 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium
+
+  * Frontend-PHP: switch to private jQuery (Closes: #857287).
+
+ -- Dmitry Smirnov <only...@debian.org>  Sun, 21 May 2017 13:56:56 +1000
+
 zabbix (1:3.0.7+dfsg-1) unstable; urgency=medium
 
   * New upstream release [December 2016].
diff --git a/debian/control b/debian/control
index d989f84..c0f275f 100644
--- a/debian/control
+++ b/debian/control
@@ -21,7 +21,7 @@ Build-Depends: debhelper (>= 9), automake, dh-autoreconf, dh-systemd (>= 1.5), d
 ## dh-linktree:
     ,libjs-prototype
     ,libjs-jquery-ui (>= 1.10.1)
-    ,libjs-jquery (>= 1.10.1)
+#   ,libjs-jquery (>= 1.10.1)
 ## java-gateway deps:
     ,javahelper
 Build-Depends-Indep: default-jdk
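Review bot: commenting out `,libjs-jquery (>= 1.10.1)` with `#` rather than deleting it leaves a dead entry under the `## dh-linktree:` comment block; if the switch to a private jQuery copy is meant to stay (the linktrees comment below says system jQuery is 3.1.1 against the 1.10.2 the frontend expects, so this is not a temporary workaround), remove the line outright so a later maintainer does not re-enable it by uncommenting.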
diff --git a/debian/zabbix-frontend-php.linktrees b/debian/zabbix-frontend-php.linktrees
index 7308d0c..9dc6cc8 100644
--- a/debian/zabbix-frontend-php.linktrees
+++ b/debian/zabbix-frontend-php.linktrees
@@ -4,5 +4,5 @@ replace  /usr/share/javascript/prototype/prototype.js		/usr/share/zabbix/js/vend
 ## libjs-jquery-ui (1.10.1 vs 1.10.3)
 replace  /usr/share/javascript/jquery-ui/jquery-ui.js		/usr/share/zabbix/js/vendors/jquery-ui.js
 
-## libjs-jquery (1.11.3 vs 1.10.2)
-replace  /usr/share/javascript/jquery/jquery.js			/usr/share/zabbix/js/vendors/jquery.js
+## libjs-jquery (3.1.1 vs 1.10.2)
+#replace  /usr/share/javascript/jquery/jquery.js			/usr/share/zabbix/js/vendors/jquery.js
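Review bot: dropping the `replace` rule means /usr/share/zabbix/js/vendors/jquery.js (1.10.2, per the updated comment) is now served as a vendored copy instead of a symlink into libjs-jquery, so jQuery fixes shipped via libjs-jquery will no longer reach the Zabbix frontend in stretch; this should be stated in the changelog entry for -2 (it currently says only "switch to private jQuery") so the security team knows to track jQuery issues against the zabbix source package as well. As in debian/control, the rule is commented out rather than deleted; delete it, or leave a one-line comment saying the vendored copy is retained on purpose because 3.x is incompatible.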
diff --git a/debian/changelog b/debian/changelog
index 755bc59..d1c4c64 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+zabbix (1:3.0.7+dfsg-3) unstable; urgency=high
+
+  * CVE-2017-2824, CVE-2017-2825: new upstream patches
+    "ZBX-12075_r67082.patch", "ZBX-12075_r67270.patch" (Closes: #863584).
+
+ -- Dmitry Smirnov <only...@debian.org>  Sun, 04 Jun 2017 17:14:06 +1000
+
 zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium
 
   * Frontend-PHP: switch to private jQuery (Closes: #857287).
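Review bot: the entry names CVE-2017-2824 and CVE-2017-2825, but the two DEP-3 headers below carry only `Bug-Upstream`, `Origin: upstream` and a commit hash, so nothing inside the patch files ties either commit to a CVE id; add the CVE ids (and the #863584 reference) to each patch header so the security tracker and anyone preparing a later update can see which upstream change fixes what. `urgency=high` is appropriate for a security upload.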
diff --git a/debian/patches/ZBX-12075_r67082.patch b/debian/patches/ZBX-12075_r67082.patch
new file mode 100644
index 0000000..59bf622
--- /dev/null
+++ b/debian/patches/ZBX-12075_r67082.patch
@@ -0,0 +1,44 @@
+Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075
+From 089f0d90b3d94c577263e8bdfe08ce3f33f9e178 Mon Sep 17 00:00:00 2001
+Origin: upstream
+Date: Wed, 5 Apr 2017 15:31:59 +0000
+Subject: [DEV-567] added validation of discovered host IP addresses
+
+--- a/src/libs/zbxcommon/misc.c
++++ b/src/libs/zbxcommon/misc.c
+@@ -1872,17 +1872,9 @@
+  *                                                                            *
+  ******************************************************************************/
+ int	is_ip(const char *ip)
+ {
+-	zabbix_log(LOG_LEVEL_DEBUG, "In is_ip() ip:'%s'", ip);
+-
+-	if (SUCCEED == is_ip4(ip))
+-		return SUCCEED;
+-#if defined(HAVE_IPV6)
+-	if (SUCCEED == is_ip6(ip))
+-		return SUCCEED;
+-#endif
+-	return FAIL;
++	return SUCCEED == is_ip4(ip) ? SUCCEED : is_ip6(ip);
+ }
+ 
+ /******************************************************************************
+  *                                                                            *
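Review bot: the new body `return SUCCEED == is_ip4(ip) ? SUCCEED : is_ip6(ip);` drops the `#if defined(HAVE_IPV6)` guard, so is_ip6() is now referenced unconditionally, while the second patch still declares is_ip6() in common.h only under `#ifdef HAVE_IPV6` (and the `#endif /*HAVE_IPV6*/` just above the new is_supported_ip() in misc.c suggests the definition is guarded too); a build configured without IPv6 would fail to compile here. The follow-up commit's subject makes the intent clear (is_ip() checks syntax of either address family, is_supported_ip() checks what this build can use), so either keep a guarded fallback in is_ip() or add a comment stating that is_ip6() must be built unconditionally. Removing the `zabbix_log(LOG_LEVEL_DEBUG, "In is_ip() ...")` line is fine now that the caller logs the rejection itself.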
+--- a/src/libs/zbxdbhigh/proxy.c
++++ b/src/libs/zbxdbhigh/proxy.c
+@@ -2561,8 +2561,14 @@
+ 
+ 		if (FAIL == zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_IP, ip, sizeof(ip)))
+ 			goto json_parse_error;
+ 
++		if (SUCCEED != is_ip(ip))
++		{
++			zabbix_log(LOG_LEVEL_DEBUG, "\"%s\" is not a valid IP address", ip);
++			goto next;
++		}
++
+ 		if (SUCCEED == zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_PORT, tmp, sizeof(tmp)))
+ 			port = atoi(tmp);
+ 
+ 		zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_KEY, key_, sizeof(key_));
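Review bot: logging a rejected `ip` at `LOG_LEVEL_DEBUG` and jumping to `next` hides the event an operator most wants to see: the value comes from a proxy's discovery data and the fix exists because unvalidated addresses were reaching further code, so a malformed one should be logged at WARNING (with the proxy identity) rather than only in debug output. In the same hunk, the unchanged `port = atoi(tmp);` still has no range check, so a non-numeric string silently becomes 0 and values above 65535 are accepted; an explicit 0..65535 check next to the new is_ip() test would make the row validation consistent.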
diff --git a/debian/patches/ZBX-12075_r67270.patch b/debian/patches/ZBX-12075_r67270.patch
new file mode 100644
index 0000000..10a403c
--- /dev/null
+++ b/debian/patches/ZBX-12075_r67270.patch
@@ -0,0 +1,93 @@
+Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075
+From 17a159950db846a1c6365027c647b25a4bb02b94 Mon Sep 17 00:00:00 2001
+Origin: upstream
+Date: Wed, 12 Apr 2017 06:17:40 +0000
+Subject: [DEV-567] resurrected old IP check function to check SourceIP config file parameter taking into account IPv6 support enabled/disabled at compile time
+
+--- a/include/common.h
++++ b/include/common.h
+@@ -981,8 +981,9 @@
+ #ifdef HAVE_IPV6
+ int	is_ip6(const char *ip);
+ #endif
+ int	is_ip4(const char *ip);
++int	is_supported_ip(const char *ip);
+ int	is_ip(const char *ip);
+ 
+ void	zbx_on_exit(void); /* calls exit() at the end! */
+ 
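Review bot: `is_supported_ip()` and `is_ip()` are declared side by side with nothing to say how they differ; a one-line comment on each (syntax check of either address family vs. an address this build was compiled to use, per the commit subject) would stop callers choosing the wrong one, which is exactly what the SourceIP checks below were doing after r67082.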
+--- a/src/libs/zbxcommon/misc.c
++++ b/src/libs/zbxcommon/misc.c
+@@ -1858,8 +1858,33 @@
+ #endif	/*HAVE_IPV6*/
+ 
+ /******************************************************************************
+  *                                                                            *
++ * Function: is_supported_ip                                                  *
++ *                                                                            *
++ * Purpose: is string IP address of supported version                         *
++ *                                                                            *
++ * Parameters: ip - string                                                    *
++ *                                                                            *
++ * Return value: SUCCEED - is IP address                                      *
++ *               FAIL - otherwise                                             *
++ *                                                                            *
++ * Author: Alexander Vladishev                                                *
++ *                                                                            *
++ ******************************************************************************/
++int	is_supported_ip(const char *ip)
++{
++	if (SUCCEED == is_ip4(ip))
++		return SUCCEED;
++#ifdef HAVE_IPV6
++	if (SUCCEED == is_ip6(ip))
++		return SUCCEED;
++#endif
++	return FAIL;
++}
++
++/******************************************************************************
++ *                                                                            *
+  * Function: is_ip                                                            *
+  *                                                                            *
+  * Purpose: is string IP address                                              *
+  *                                                                            *
+--- a/src/zabbix_agent/zabbix_agentd.c
++++ b/src/zabbix_agent/zabbix_agentd.c
+@@ -573,9 +573,9 @@
+ 		zabbix_log(LOG_LEVEL_CRIT, "either active or passive checks must be enabled");
+ 		err = 1;
+ 	}
+ 
+-	if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP)))
++	if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP))
+ 	{
+ 		zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" configuration parameter: '%s'", CONFIG_SOURCE_IP);
+ 		err = 1;
+ 	}
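Review bot: the replacement drops the explicit `'\0' == *CONFIG_SOURCE_IP` test and relies on `is_supported_ip("")` returning FAIL, which holds only if is_ip4() rejects an empty string; is_ip4() is not in this patch, so please confirm that or keep the empty-string check. The same applies to the identical hunks in proxy.c and server.c below. Otherwise moving the SourceIP check to is_supported_ip() is correct: an address the daemon cannot bind to should be rejected at startup rather than pass a syntax-only check.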
+--- a/src/zabbix_proxy/proxy.c
++++ b/src/zabbix_proxy/proxy.c
+@@ -472,9 +472,9 @@
+ 				" This parameter is mandatory for active proxies.");
+ 		err = 1;
+ 	}
+ 
+-	if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP)))
++	if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP))
+ 	{
+ 		zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" configuration parameter: '%s'", CONFIG_SOURCE_IP);
+ 		err = 1;
+ 	}
+--- a/src/zabbix_server/server.c
++++ b/src/zabbix_server/server.c
+@@ -437,9 +437,9 @@
+ 				" or greater than 128KB");
+ 		err = 1;
+ 	}
+ 
+-	if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP)))
++	if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP))
+ 	{
+ 		zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" configuration parameter: '%s'", CONFIG_SOURCE_IP);
+ 		err = 1;
+ 	}
diff --git a/debian/patches/series b/debian/patches/series
index 72e0c30..2863da6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
+ZBX-12075_r67082.patch
+ZBX-12075_r67270.patch
 config_debianisation.patch
 config_frontend-conffile-in-etc.patch
 gettext.patch

--- End Message ---
--- Begin Message ---
On Sun, Jun 04, 2017 at 07:04:16PM +1000, Dmitry Smirnov wrote:
> I would like to accommodate two attached diffs to Stretch please.
> One fixes defunctional UI (broken by incompatible libjs-jquery) and
> another fixes two security vulnerabilities as per #863584.
> 

Unblocked, thanks.


-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---