Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker
Commits: 640cf95c by Tobias Frost at 2024-12-07T13:31:11+01:00 CVE-2024-36464/zabbix not fixed upstream in 6.0.30c1 (see https://support.zabbix.com/browse/ZBX-25630?focusedCommentId=1026630&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-1026630 upstream report) Quote: I've just installed 6.0.34 from your Debian repository, and I'm probably holding it wrong, but I *think* I still can reproduce this on 6.0.36 root@isildor2:/etc# dpkg -l 'zabbix*' | grep ^ii ii zabbix-agent 1:6.0.36-1+debian12 amd64 Zabbix network monitoring solution - agent ii zabbix-apache-conf 1:6.0.36-1+debian12 all Zabbix network monitoring solution - apache configuration for front-end ii zabbix-frontend-php 1:6.0.36-1+debian12 all Zabbix network monitoring solution - PHP front-end ii zabbix-release 1:6.0-5+debian12 all Zabbix official repository configuration ii zabbix-server-mysql 1:6.0.36-1+debian12 amd64 Zabbix network monitoring solution - server (MySQL) ii zabbix-sql-scripts 1:6.0.36-1+debian12 all Zabbix network monitoring solution - sql-scripts Reproducer: Login as Admin Create a Media Type Type "Email" Set Authentication to "Username and Password" Enter Username (I've used "test-user") Enter Password (I've used "test-password") Save Select created entry Export it Yields to: zabbix_export: version: '6.0' date: '2024-12-07T12:21:30Z' media_types: - name: test-with-password type: EMAIL smtp_server: mail.example.com smtp_helo: example.com smtp_email: [email protected] smtp_authentication: PASSWORD username: test-user password: test-password status: DISABLED - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -2121,6 +2121,8 @@ CVE-2024-36468 (The reported vulnerability is a stack buffer overflow in the zbx CVE-2024-36464 (When exporting media types, the password is exported in the YAML in pl ...) - zabbix <unfixed> (bug #1088689) NOTE: https://support.zabbix.com/browse/ZBX-25630 + NOTE: Despite upstream claiming fixed in 6.0.30rc1, can reproduce with 6.0.36 (package from upstream) + NOTE: Can also reproduce it in 5.0.45 and 7.0.6+dfsg-1. CVE-2024-31976 (EnGenius EWS356-FIR 1.1.30 and earlier devices allow a remote attacker ...) NOT-FOR-US: EnGenius EWS356-FIR CVE-2024-21703 (This Medium severity Security Misconfiguration vulnerability was intro ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/640cf95c02dc6525dfb27118109529ab7bccce39 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/640cf95c02dc6525dfb27118109529ab7bccce39 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
