Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker
Commits: 4b21c5fb by Tobias Frost at 2023-08-09T18:42:38+02:00 Triaging zabbix with focus LTS/buster CVE-2023-29458: duktape library only introduced in 5.0.0alpha1 CVE-2023-29452: geomap widget only introduced in 6.0.0alpha6 add links to patch for: CVE-2023-29451 CVE-2013-7484 CVE-2019-17382 - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -16321,8 +16321,10 @@ CVE-2023-29459 (The laola.redbull application through 5.1.9-R for Android expose NOT-FOR-US: laola.redbull CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a focus on ...) - zabbix <unfixed> + [buster] - zabbix <not-affected> (vulnerable code introduced later) NOTE: This appears to be bug in Zabbix's use of duktape, not an issue in src:duktape per se NOTE: https://support.zabbix.com/browse/ZBX-22989 + NOTE: duktape library introduced with https://github.com/zabbix/zabbix/commit/d43b04665c1ade5b4a9f49db750b8ca6c82e9de2 (5.0.0alpha1) CVE-2023-29457 (Reflected XSS attacks, occur when a malicious script is reflected off ...) - zabbix <unfixed> NOTE: https://support.zabbix.com/browse/ZBX-22988 @@ -16339,8 +16341,11 @@ CVE-2023-29453 RESERVED CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> Geograph ...) - zabbix <unfixed> - [bullseye] - zabbix <not-affected> (5.x not affected) + [bullseye] - zabbix <not-affected> (vulnerable code introduced later) + [buster] - zabbix <not-affected> (vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-22981 + NOTE: Patches links: https://support.zabbix.com/browse/ZBX-22720 + NOTE: vulnerable geopmap widget introduced in version 6.0.0alpha6 with https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2 CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the JSON parser ...) - zabbix <unfixed> [bullseye] - zabbix <not-affected> (5.x not affected) 
@@ -56908,6 +56913,8 @@ CVE-2022-43515 (Zabbix Frontend provides a feature that allows admins to maintai [bullseye] - zabbix <ignored> (Minor issue) [buster] - zabbix <ignored> (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-22050 + NOTE: Patches: for 4.0.45rc1 https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa58889ba54b2350e211a5f315baabbaf7228045 + NOTE: for 5.0.30rc1 https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e CVE-2022-43514 (A vulnerability has been identified in Automation License Manager V5 ( ...) NOT-FOR-US: Automation License Manager CVE-2022-43513 (A vulnerability has been identified in Automation License Manager V5 ( ...) @@ -270306,6 +270313,7 @@ CVE-2013-7484 (Zabbix before 5.0 represents passwords in the users table with un NOTE: https://support.zabbix.com/browse/ZBX-16551 NOTE: https://support.zabbix.com/browse/ZBXNEXT-1898 NOTE: https://www.zabbix.com/documentation/5.0/manual/introduction/whatsnew500#stronger_cryptography_for_passwords + NOTE: patch for 5.0.0: https://github.com/zabbix/zabbix/commit/3c4b81c66da CVE-2020-1784 RESERVED CVE-2020-1783 
@@ -279482,6 +279490,8 @@ CVE-2019-17382 (An issue was discovered in zabbix.php?action=dashboard.view&dash NOTE: Disputed by upstream, closed as not a security bug. NOTE: Guest account is disabled by default starting in 4.0.15rc1, 4.4.2rc1 and NOTE: 5.0.0alpha1 (Cf. https://support.zabbix.com/browse/ZBXNEXT-5532) + NOTE: Patch to disable default user by default, for 5.0.0alpha1: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/9fd6f1c35 + NOTE: and for 4.0.15rc: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cd3921882 CVE-2019-17381 RESERVED CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update Preferences in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b21c5fbfaebdf2d20fc5eb1d3de973f86bcdf5e
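Review bot: in the CVE-2023-29458 hunk, the new `[buster] - zabbix <not-affected> (vulnerable code introduced later)` line is backed by the added NOTE pointing at the commit that introduced duktape in 5.0.0alpha1, but the justification leaves implicit that buster ships a pre-5.0 zabbix; stating the buster version in the parenthetical (e.g. "(vulnerable code introduced in 5.0.0alpha1, buster has 4.0.x)") would let a later reader verify the not-affected claim without re-deriving it.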
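Review bot: in the CVE-2023-29452 hunk, the added NOTE misspells the widget as "geopmap"; the CVE description and the rest of the entry use "geomap". "NOTE: Patches links:" also reads better as "NOTE: Patch links:", and since ZBX-22720 is a different issue from the ZBX-22981 tracker already cited in the entry, one word on why that issue carries the patches (e.g. "patches attached to related issue ZBX-22720") would avoid confusion.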
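Review bot: in the CVE-2022-43515 hunk, the two new NOTE lines pin the upstream fixes to 4.0.45rc1 and 5.0.30rc1, which are the branches tracked by the existing `[buster]`/`[bullseye] - zabbix <ignored> (Minor issue)` entries; if those patches were looked at as part of this triage, the ignored reason could say so (e.g. "Minor issue, upstream patches available"), so the next person does not have to redo the evaluation.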
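Review bot: in the CVE-2013-7484 hunk, the added NOTE references the fix by an abbreviated hash (`3c4b81c66da`) while the other commit links in this change use full 40-character hashes; abbreviated hashes can become ambiguous as the upstream repository grows, so the full hash is the more durable reference.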
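Review bot: in the CVE-2019-17382 hunk, the second added NOTE says "for 4.0.15rc" while the existing NOTE directly above names the release as 4.0.15rc1; the trailing "1" looks dropped. The two commit links (`9fd6f1c35`, `cd3921882`) are abbreviated hashes as well, so consider the full hashes for consistency with the rest of the change.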