On Tue, 2013-10-08 at 12:13 +1000, Dmitry Smirnov wrote:
> I'd like to deliver several security fixes to Zabbix in Squeeze.
>
> (Security team advised to proceed through OPU "since the oldstable
> point update happens very soon anyway and we have many other open
> issues with higher priority").

"Yay".

> Below is a new changelog section, full diff is attached.

For the record, that all comes to "8 files changed, 6906 insertions(+), 5 deletions(-)", which is considerably more than I was expecting, given how close we are to the update window closing.

A lot of it appears to be a (possibly over-cautious) belt and braces approach to

> * CVE-2013-5743: fixed SQL injection vulnerability.

escaping basically every use of a string anywhere near an SQL statement. I do hope that someone's actually checked that none of those additions of zbx_dbstr() introduces any bugs; I certainly don't know what any of the variables might contain in order to judge. :-(

There's also

> * CVE-2011-3263: prevent zabbix_agentd DoS attack with vfs.file.cksum.

 patches/ZBX-3794+ZBX-3830.patch | 540 +++

There's quite a lot of noise in that patch, of the general form

++ int ret = SYSINFO_RET_FAIL;
[...]
+- if (num_param(param) > 1)
+- return SYSINFO_RET_FAIL;
++ if (1 < num_param(param))
++ goto err;
[...]
+- return SYSINFO_RET_OK;
++ ret = SYSINFO_RET_OK;
++err:
++ return ret;

afaics, the net effect of that change is nothing. I realise (having let git-svn chew through the branch) that the noise is in upstream's original patch, but it really doesn't make it easy to review.

Regards,

Adam