Your message dated Mon, 12 Apr 2010 19:49:38 +0000
with message-id <e1o1pda-00064s...@ries.debian.org>
and subject line Bug#577058: fixed in zabbix 1:1.8.2-1
has caused the Debian Bug report #577058,
regarding CVE-2010-1277: SQL injection vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
577058: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577058
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zabbix
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for zabbix.

CVE-2010-1277[0]:
| SQL injection vulnerability in the user.authenticate method in the API
| in Zabbix 1.8 before 1.8.2 allows remote attackers to execute
| arbitrary SQL commands via the user parameter in JSON data to
| api_jsonrpc.php.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1277
    http://security-tracker.debian.org/tracker/CVE-2010-1277


--- End Message ---
--- Begin Message ---
Source: zabbix
Source-Version: 1:1.8.2-1

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive:

zabbix-agent_1.8.2-1_amd64.deb
  to main/z/zabbix/zabbix-agent_1.8.2-1_amd64.deb
zabbix-frontend-php_1.8.2-1_all.deb
  to main/z/zabbix/zabbix-frontend-php_1.8.2-1_all.deb
zabbix-proxy-mysql_1.8.2-1_amd64.deb
  to main/z/zabbix/zabbix-proxy-mysql_1.8.2-1_amd64.deb
zabbix-proxy-pgsql_1.8.2-1_amd64.deb
  to main/z/zabbix/zabbix-proxy-pgsql_1.8.2-1_amd64.deb
zabbix-server-mysql_1.8.2-1_amd64.deb
  to main/z/zabbix/zabbix-server-mysql_1.8.2-1_amd64.deb
zabbix-server-pgsql_1.8.2-1_amd64.deb
  to main/z/zabbix/zabbix-server-pgsql_1.8.2-1_amd64.deb
zabbix_1.8.2-1.debian.tar.gz
  to main/z/zabbix/zabbix_1.8.2-1.debian.tar.gz
zabbix_1.8.2-1.dsc
  to main/z/zabbix/zabbix_1.8.2-1.dsc
zabbix_1.8.2.orig.tar.gz
  to main/z/zabbix/zabbix_1.8.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 577...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Haas <h...@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sat, 10 Apr 2010 12:04:06 +0200
Source: zabbix
Binary: zabbix-agent zabbix-server-mysql zabbix-server-pgsql zabbix-frontend-php zabbix-proxy-pgsql zabbix-proxy-mysql
Architecture: source amd64 all
Version: 1:1.8.2-1
Distribution: unstable
Urgency: low
Maintainer: Christoph Haas <h...@debian.org>
Changed-By: Christoph Haas <h...@debian.org>
Description: 
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 577058
Changes: 
 zabbix (1:1.8.2-1) unstable; urgency=low
 .
   * New upstream release
   * Policy version is now 3.8.4 - no changes were needed.
   * SQL injection bug fixed in 1.8.2 (closes: #577058)
   * init.d scripts now depend on "remote_fs" instead of "local_fs"
     as /usr may be a remote file system (fixes lintian warning).

--- End Message ---
