Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4b21c5fb by Tobias Frost at 2023-08-09T18:42:38+02:00
Triaging zabbix with focus LTS/buster

CVE-2023-29458: duktape library only introduced in 5.0.0alpha1
CVE-2023-29452: geomap widget only introduced in 6.0.0alpha6

add links to patch for: CVE-2023-29451 CVE-2013-7484 CVE-2019-17382

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -16321,8 +16321,10 @@ CVE-2023-29459 (The laola.redbull application through 
5.1.9-R for Android expose
        NOT-FOR-US: laola.redbull
 CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a 
focus on  ...)
        - zabbix <unfixed>
+       [buster] - zabbix <not-affected> (vulnerable code introduced later)
        NOTE: This appears to be bug in Zabbix's use of duktape, not an issue 
in src:duktape per se
        NOTE: https://support.zabbix.com/browse/ZBX-22989
+       NOTE: duktape library introduced with 
https://github.com/zabbix/zabbix/commit/d43b04665c1ade5b4a9f49db750b8ca6c82e9de2
 (5.0.0alpha1)
 CVE-2023-29457 (Reflected XSS attacks, occur when a malicious script is 
reflected off  ...)
        - zabbix <unfixed>
        NOTE: https://support.zabbix.com/browse/ZBX-22988
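Review bot: the new [buster] <not-affected> entry is justified by the NOTE added beneath it (duktape only arrived with the linked upstream commit in 5.0.0alpha1), but the same NOTE implies bullseye's 5.x package does carry the duktape code, and no [bullseye] line is added here, so bullseye stays implicitly tracked as affected by the bare `- zabbix <unfixed>` entry; if that is intended, a short `[bullseye]` line (or a NOTE saying bullseye is still under review) would make the triage state explicit. The added NOTE also wraps onto three lines in the mail; in data/CVE/list each NOTE must stay on a single line, so confirm that is only mail reflow and not an actual line break in the file.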
@@ -16339,8 +16341,11 @@ CVE-2023-29453
        RESERVED
 CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> 
Geograph ...)
        - zabbix <unfixed>
-       [bullseye] - zabbix <not-affected> (5.x not affected)
+       [bullseye] - zabbix <not-affected> (vulnerable code introduced later)
+       [buster] - zabbix <not-affected> (vulnerable code introduced later)
        NOTE: https://support.zabbix.com/browse/ZBX-22981
+       NOTE: Patches links: https://support.zabbix.com/browse/ZBX-22720
+       NOTE: vulnerable geopmap widget introduced in version 6.0.0alpha6 with 
https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2
 CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the 
JSON parser ...)
        - zabbix <unfixed>
        [bullseye] - zabbix <not-affected> (5.x not affected)
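Review bot: the second added NOTE has a typo ("geopmap widget" should read "geomap widget") and the first one ("Patches links:") should be "Patch link:"; more substantively, that NOTE points at a second issue tracker ticket (ZBX-22720) rather than at a fix commit, while the CVE's own reference two lines above is ZBX-22981, so it would help to state in the NOTE how ZBX-22720 relates to this CVE, or to link the actual commit as the other hunks in this patch do. Changing the [bullseye] reason from "(5.x not affected)" to "(vulnerable code introduced later)" is a good move, since the new NOTE now names the exact introducing commit (6.0.0alpha6) that supports it.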
@@ -56908,6 +56913,8 @@ CVE-2022-43515 (Zabbix Frontend provides a feature that 
allows admins to maintai
        [bullseye] - zabbix <ignored> (Minor issue)
        [buster] - zabbix <ignored> (Minor issue)
        NOTE: https://support.zabbix.com/browse/ZBX-22050
+       NOTE: Patches: for 4.0.45rc1 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa58889ba54b2350e211a5f315baabbaf7228045
+       NOTE: for 5.0.30rc1 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e
 CVE-2022-43514 (A vulnerability has been identified in Automation License 
Manager V5 ( ...)
        NOT-FOR-US: Automation License Manager
 CVE-2022-43513 (A vulnerability has been identified in Automation License 
Manager V5 ( ...)
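Review bot: with upstream fix commits now recorded for 4.0.45rc1 and 5.0.30rc1, the [buster] and [bullseye] `<ignored> (Minor issue)` tags directly above may deserve a second look, since these are the exact branches those releases track; if the tags are kept on purpose, a brief NOTE stating why the available patches are not being picked up would save the next triager from re-deriving that decision. Minor style point: the second NOTE starts with "for 5.0.30rc1" and reads as a continuation of the first, which is fine for this file's multi-line NOTE convention, but prefixing it with "Patches:" as well would keep each NOTE self-contained.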
@@ -270306,6 +270313,7 @@ CVE-2013-7484 (Zabbix before 5.0 represents passwords 
in the users table with un
        NOTE: https://support.zabbix.com/browse/ZBX-16551
        NOTE: https://support.zabbix.com/browse/ZBXNEXT-1898
        NOTE: 
https://www.zabbix.com/documentation/5.0/manual/introduction/whatsnew500#stronger_cryptography_for_passwords
+       NOTE: patch for 5.0.0: 
https://github.com/zabbix/zabbix/commit/3c4b81c66da
 CVE-2020-1784
        RESERVED
 CVE-2020-1783
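Review bot: the added patch link uses an abbreviated commit hash (3c4b81c66da) on the GitHub mirror, whereas the other hunks in this patch link full hashes on git.zabbix.com; abbreviated hashes can become ambiguous as the repository grows, so the full hash, and ideally the canonical git.zabbix.com URL for consistency with the rest of the file, would be preferable. Since this CVE is a password-hashing weakness fixed in 5.0 (see the whatsnew500 link above), the NOTE could also state plainly that the patch is the hashing change rather than a standalone fix, so readers know it is not trivially backportable.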
@@ -279482,6 +279490,8 @@ CVE-2019-17382 (An issue was discovered in 
zabbix.php?action=dashboard.view&dash
        NOTE: Disputed by upstream, closed as not a security bug.
        NOTE: Guest account is disabled by default starting in 4.0.15rc1, 
4.4.2rc1 and
        NOTE: 5.0.0alpha1 (Cf. https://support.zabbix.com/browse/ZBXNEXT-5532)
+       NOTE: Patch to disable default user by default, for 5.0.0alpha1: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/9fd6f1c35
+       NOTE: and for 4.0.15rc: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cd3921882
 CVE-2019-17381
        RESERVED
 CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update 
Preferences in ...)
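Review bot: the version in the second added NOTE reads "4.0.15rc" but the existing NOTE above says 4.0.15rc1; the two should match so the patch is attributed to the right release. The wording "Patch to disable default user by default" is also ambiguous next to the earlier NOTE, which talks about the Guest account; "Patch disabling the guest account by default" would match the existing text. As in the CVE-2013-7484 hunk, the commit hashes here are abbreviated (9fd6f1c35, cd3921882); full hashes would be safer.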



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b21c5fbfaebdf2d20fc5eb1d3de973f86bcdf5e


_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
