Your message dated Sun, 4 Jun 2017 16:01:29 +0100
with message-id <20170604150129.jxkv65qx6bmy3...@powdarrmonkey.net>
and subject line Re: Bug#864084: unblock: zabbix/1:3.0.7+dfsg-3
has caused the Debian Bug report #864084,
regarding unblock: zabbix/1:3.0.7+dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
864084: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864084
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Affects: -1 zabbix
X-Debbugs-CC: j...@debian.org

Please unblock zabbix/1:3.0.7+dfsg-3

I would like to accommodate two attached diffs to Stretch please.
One fixes defunctional UI (broken by incompatible libjs-jquery) and
another fixes two security vulnerabilities as per #863584.

Thanks.

--
All the best,
 Dmitry Smirnov.
Description: This is a digitally signed message part.diff --git a/debian/changelog b/debian/changelog index d570c6d..755bc59 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium + + * Frontend-PHP: switch to private jQuery (Closes: #857287). + + -- Dmitry Smirnov <only...@debian.org> Sun, 21 May 2017 13:56:56 +1000 + zabbix (1:3.0.7+dfsg-1) unstable; urgency=medium * New upstream release [December 2016]. diff --git a/debian/control b/debian/control index d989f84..c0f275f 100644 --- a/debian/control +++ b/debian/control @@ -21,7 +21,7 @@ Build-Depends: debhelper (>= 9), automake, dh-autoreconf, dh-systemd (>= 1.5), d ## dh-linktree: ,libjs-prototype ,libjs-jquery-ui (>= 1.10.1) - ,libjs-jquery (>= 1.10.1) +# ,libjs-jquery (>= 1.10.1) ## java-gateway deps: ,javahelper Build-Depends-Indep: default-jdk diff --git a/debian/zabbix-frontend-php.linktrees b/debian/zabbix-frontend-php.linktrees index 7308d0c..9dc6cc8 100644 --- a/debian/zabbix-frontend-php.linktrees +++ b/debian/zabbix-frontend-php.linktrees @@ -4,5 +4,5 @@ replace /usr/share/javascript/prototype/prototype.js /usr/share/zabbix/js/vend ## libjs-jquery-ui (1.10.1 vs 1.10.3) replace /usr/share/javascript/jquery-ui/jquery-ui.js /usr/share/zabbix/js/vendors/jquery-ui.js -## libjs-jquery (1.11.3 vs 1.10.2) -replace /usr/share/javascript/jquery/jquery.js /usr/share/zabbix/js/vendors/jquery.js +## libjs-jquery (3.1.1 vs 1.10.2) +#replace /usr/share/javascript/jquery/jquery.js /usr/share/zabbix/js/vendors/jquery.jsdiff --git a/debian/changelog b/debian/changelog index 755bc59..d1c4c64 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,10 @@ +zabbix (1:3.0.7+dfsg-3) unstable; urgency=high + + * CVE-2017-2824, CVE-2017-2825: new upstream patches + "ZBX-12075_r67082.patch", "ZBX-12075_r67270.patch" (Closes: #863584). + + -- Dmitry Smirnov <only...@debian.org> Sun, 04 Jun 2017 17:14:06 +1000 + zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium * Frontend-PHP: switch to private jQuery (Closes: #857287). diff --git a/debian/patches/ZBX-12075_r67082.patch b/debian/patches/ZBX-12075_r67082.patch new file mode 100644 index 0000000..59bf622 --- /dev/null +++ b/debian/patches/ZBX-12075_r67082.patch @@ -0,0 +1,44 @@ +Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075 +From 089f0d90b3d94c577263e8bdfe08ce3f33f9e178 Mon Sep 17 00:00:00 2001 +Origin: upstream +Date: Wed, 5 Apr 2017 15:31:59 +0000 +Subject: [DEV-567] added validation of discovered host IP addresses + +--- a/src/libs/zbxcommon/misc.c ++++ b/src/libs/zbxcommon/misc.c +@@ -1872,17 +1872,9 @@ + * * + ******************************************************************************/ + int is_ip(const char *ip) + { +- zabbix_log(LOG_LEVEL_DEBUG, "In is_ip() ip:'%s'", ip); +- +- if (SUCCEED == is_ip4(ip)) +- return SUCCEED; +-#if defined(HAVE_IPV6) +- if (SUCCEED == is_ip6(ip)) +- return SUCCEED; +-#endif +- return FAIL; ++ return SUCCEED == is_ip4(ip) ? SUCCEED : is_ip6(ip); + } + + /****************************************************************************** + * * +--- a/src/libs/zbxdbhigh/proxy.c ++++ b/src/libs/zbxdbhigh/proxy.c +@@ -2561,8 +2561,14 @@ + + if (FAIL == zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_IP, ip, sizeof(ip))) + goto json_parse_error; + ++ if (SUCCEED != is_ip(ip)) ++ { ++ zabbix_log(LOG_LEVEL_DEBUG, "\"%s\" is not a valid IP address", ip); ++ goto next; ++ } ++ + if (SUCCEED == zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_PORT, tmp, sizeof(tmp))) + port = atoi(tmp); + + zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_KEY, key_, sizeof(key_)); 
diff --git a/debian/patches/ZBX-12075_r67270.patch b/debian/patches/ZBX-12075_r67270.patch new file mode 100644 index 0000000..10a403c --- /dev/null +++ b/debian/patches/ZBX-12075_r67270.patch 
@@ -0,0 +1,93 @@ +Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075 +From 17a159950db846a1c6365027c647b25a4bb02b94 Mon Sep 17 00:00:00 2001 +Origin: upstream +Date: Wed, 12 Apr 2017 06:17:40 +0000 +Subject: [DEV-567] resurrected old IP check function to check SourceIP config file parameter taking into account IPv6 support enabled/disabled at compile time + +--- a/include/common.h ++++ b/include/common.h +@@ -981,8 +981,9 @@ + #ifdef HAVE_IPV6 + int is_ip6(const char *ip); + #endif + int is_ip4(const char *ip); ++int is_supported_ip(const char *ip); + int is_ip(const char *ip); + + void zbx_on_exit(void); /* calls exit() at the end! */ + +--- a/src/libs/zbxcommon/misc.c ++++ b/src/libs/zbxcommon/misc.c +@@ -1858,8 +1858,33 @@ + #endif /*HAVE_IPV6*/ + + /****************************************************************************** + * * ++ * Function: is_supported_ip * ++ * * ++ * Purpose: is string IP address of supported version * ++ * * ++ * Parameters: ip - string * ++ * * ++ * Return value: SUCCEED - is IP address * ++ * FAIL - otherwise * ++ * * ++ * Author: Alexander Vladishev * ++ * * ++ ******************************************************************************/ ++int is_supported_ip(const char *ip) ++{ ++ if (SUCCEED == is_ip4(ip)) ++ return SUCCEED; ++#ifdef HAVE_IPV6 ++ if (SUCCEED == is_ip6(ip)) ++ return SUCCEED; ++#endif ++ return FAIL; ++} ++ ++/****************************************************************************** ++ * * + * Function: is_ip * + * * + * Purpose: is string IP address * + * * +--- a/src/zabbix_agent/zabbix_agentd.c ++++ b/src/zabbix_agent/zabbix_agentd.c +@@ -573,9 +573,9 @@ + zabbix_log(LOG_LEVEL_CRIT, "either active or passive checks must be enabled"); + err = 1; + } + +- if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP))) ++ if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP)) + { + zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" 
configuration parameter: '%s'", CONFIG_SOURCE_IP); + err = 1; + } +--- a/src/zabbix_proxy/proxy.c ++++ b/src/zabbix_proxy/proxy.c +@@ -472,9 +472,9 @@ + " This parameter is mandatory for active proxies."); + err = 1; + } + +- if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP))) ++ if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP)) + { + zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" configuration parameter: '%s'", CONFIG_SOURCE_IP); + err = 1; + } +--- a/src/zabbix_server/server.c ++++ b/src/zabbix_server/server.c +@@ -437,9 +437,9 @@ + " or greater than 128KB"); + err = 1; + } + +- if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP))) ++ if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP)) + { + zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" configuration parameter: '%s'", CONFIG_SOURCE_IP); + err = 1; + } diff --git a/debian/patches/series b/debian/patches/series index 72e0c30..2863da6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,5 @@ +ZBX-12075_r67082.patch +ZBX-12075_r67270.patch config_debianisation.patch config_frontend-conffile-in-etc.patch gettext.patch
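Review bot: in the debian/control and debian/zabbix-frontend-php.linktrees hunks the libjs-jquery build-dependency and the `replace /usr/share/javascript/jquery/jquery.js ...` line are commented out with `#` rather than deleted, which leaves dead configuration behind; prefer removing the two lines outright. The linktree comment `## libjs-jquery (3.1.1 vs 1.10.2)` records why the system copy can no longer be used, but the consequence is that zabbix-frontend-php now ships its own embedded jquery.js (1.10.2) that will not receive fixes through libjs-jquery, and the -2 changelog entry ("switch to private jQuery") should say so explicitly so that future jQuery security updates are tracked against this package as well.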
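Review bot: the rewritten is_ip() in the ZBX-12075_r67082.patch hunk for src/libs/zbxcommon/misc.c, `return SUCCEED == is_ip4(ip) ? SUCCEED : is_ip6(ip);`, drops the `#if defined(HAVE_IPV6)` guard and calls is_ip6() unconditionally, yet the include/common.h context in ZBX-12075_r67270.patch still declares `int is_ip6(const char *ip);` only under `#ifdef HAVE_IPV6`, and the misc.c context there shows is_ip() sitting right after an `#endif /*HAVE_IPV6*/`. Unless is_ip6() is available in every build, a tree configured without IPv6 will not compile this; worth a test build with IPv6 disabled, or a sentence in the patch header explaining why the guard is safe to remove. Dropping the `In is_ip() ip:'%s'` debug line is fine.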
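Review bot: in the src/libs/zbxdbhigh/proxy.c hunk a discovered-host row whose IP fails is_ip() is skipped with `goto next` but logged only at LOG_LEVEL_DEBUG, so a proxy that submits crafted IP strings, which is exactly what this patch is meant to stop, leaves no trace in a server log at the default level; LOG_LEVEL_WARNING, ideally naming the submitting proxy, would make the event visible to operators. The same row also supplies the port via `port = atoi(tmp);` with no range check and the key via `zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_KEY, key_, sizeof(key_));` with no validation at all; since all three fields come from the same untrusted JSON it would be consistent to reject out-of-range ports in the same place.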
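Review bot: is_supported_ip() in the ZBX-12075_r67270.patch hunk for src/libs/zbxcommon/misc.c is the pre-r67082 body of is_ip() under a new name, so the code base now has two near-identical predicates whose only difference (whether compile-time IPv6 support is honoured) is not stated anywhere; the comment line `Purpose: is string IP address of supported version` does not explain when to use which. Suggest one sentence in that comment block, and a matching one on is_ip(), saying that is_ip() accepts both address families regardless of HAVE_IPV6 and is the check for data received from the network, while is_supported_ip() is the check for local configuration such as SourceIP.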
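Review bot: the three SourceIP hunks (src/zabbix_agent/zabbix_agentd.c, src/zabbix_proxy/proxy.c, src/zabbix_server/server.c) replace `'\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP)` with `SUCCEED != is_supported_ip(CONFIG_SOURCE_IP)`, silently dropping the explicit empty-string test; that is only equivalent if is_ip4() and is_ip6() both return FAIL for "", which nothing in the patch shows. Either keep the `'\0' == *CONFIG_SOURCE_IP` check or state in the patch header that the helpers reject the empty string. The identical three-line block also had to be edited in three daemons; a single shared SourceIP validation helper would have turned this into one hunk and would keep the three from drifting apart again.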
--- End Message ---
--- Begin Message ---
On Sun, Jun 04, 2017 at 07:04:16PM +1000, Dmitry Smirnov wrote:
> I would like to accommodate two attached diffs to Stretch please.
> One fixes defunctional UI (broken by incompatible libjs-jquery) and
> another fixes two security vulnerabilities as per #863584.

Unblocked, thanks.

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
--- End Message ---