Your message dated Thu, 09 Mar 2017 23:20:57 +0000
with message-id <e1cm7mf-0008cr...@fasolo.debian.org>
and subject line Bug#850936: fixed in zabbix 1:2.2.7+dfsg-2+deb8u2
has caused the Debian Bug report #850936,
regarding zabbix: CVE-2016-10134: SQL injection vulnerabilities in Latest data
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
850936: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850936
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zabbix-frontend-php
Version: 1:2.2.7+dfsg-2+deb8u1
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
A bug in zabbix (ZBX-11023, SQL injection vulnerabilities in "Latest data")
allows code execution on the remote system. It's not a duplicate of Debian
bug "#842702 zabbix: CVE-2016-9140: API JSON-RPC remote code execution":
ZBX-11023 allows code execution even for the guest user.
I had zabbix available from the web with the guest user enabled. During the
investigation I found requests from the sqlmap software in the apache log; new
scripts had been configured via the zabbix web interface by the Admin user (the
password was untouched and hard to guess), many malicious scripts in /tmp and a
few spam-sending processes.
-- System Information:
Debian Release: 8.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages zabbix-frontend-php depends on:
ii apache2 [httpd] 2.4.10-10+deb8u7
ii php5 5.6.29+dfsg-0+deb8u1
ii php5-gd 5.6.29+dfsg-0+deb8u1
ii php5-mysql 5.6.29+dfsg-0+deb8u1
ii php5-pgsql 5.6.29+dfsg-0+deb8u1
ii ttf-dejavu-core 2.34-1
ii ucf 3.0030
Versions of packages zabbix-frontend-php recommends:
ii php5-ldap 5.6.29+dfsg-0+deb8u1
Versions of packages zabbix-frontend-php suggests:
ii libapache2-mod-php5 5.6.29+dfsg-0+deb8u1
-- no debconf information
-- debsums errors found:
debsums: changed file /usr/share/doc/zabbix-frontend-php/examples/apache.conf (from zabbix-frontend-php package)
--- End Message ---
--- Begin Message ---
Source: zabbix
Source-Version: 1:2.2.7+dfsg-2+deb8u2
We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 850...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated zabbix package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 03 Feb 2017 00:17:26 +0100
Source: zabbix
Binary: zabbix-agent zabbix-frontend-php zabbix-java-gateway zabbix-proxy-mysql zabbix-proxy-pgsql zabbix-proxy-sqlite3 zabbix-server-mysql zabbix-server-pgsql
Architecture: source amd64 all
Version: 1:2.2.7+dfsg-2+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Christoph Haas <h...@debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Description:
zabbix-agent - network monitoring solution - agent
zabbix-frontend-php - network monitoring solution - PHP front-end
zabbix-java-gateway - network monitoring solution - Java gateway
zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
zabbix-proxy-sqlite3 - network monitoring solution - proxy (using SQLite3)
zabbix-server-mysql - network monitoring solution - server (using MySQL)
zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 850936
Changes:
zabbix (1:2.2.7+dfsg-2+deb8u2) jessie-security; urgency=medium
.
* CVE-2016-10134 (Closes: #850936)
Checksums-Sha1:
a0c0f6c5cd8bc68d846bcbcb7db36331087312f6 2794 zabbix_2.2.7+dfsg-2+deb8u2.dsc
14426c8336d6461fa87cddb8bbf93fca5aa8bff9 5905712 zabbix_2.2.7+dfsg.orig.tar.xz
f128aa92ee405e4ce961173d1085caeba1d20155 190456 zabbix_2.2.7+dfsg-2+deb8u2.debian.tar.xz
9b02d56c663b481c4fdd57fb79adaa28a94b56c0 319130 zabbix-agent_2.2.7+dfsg-2+deb8u2_amd64.deb
9e8a4892f865ac44d7a9113d9ed775d9dc0dceb3 2921956 zabbix-frontend-php_2.2.7+dfsg-2+deb8u2_all.deb
1fd3020d244f584553de962f5c87708190aded93 188224 zabbix-java-gateway_2.2.7+dfsg-2+deb8u2_all.deb
332589c49f9f73db6e0d01472e4586f49eec7911 560736 zabbix-proxy-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
43ce56a83de7c6dc84d9fef84f1e5ff842ea83d9 563378 zabbix-proxy-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb
e3ebfb3c5e389e6483916b21c752b8c559ede52d 546370 zabbix-proxy-sqlite3_2.2.7+dfsg-2+deb8u2_amd64.deb
1cb42c8350bba023c87860c40251e16186b9c192 1737350 zabbix-server-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
b583e389395f7c1bf0ad8ded938efbfcb328c9d1 1739500 zabbix-server-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb
Checksums-Sha256:
23d885b3b2df783728c2ed789c82f6b8ec6ecb8603ea51683312d3d100ba4b8e 2794 zabbix_2.2.7+dfsg-2+deb8u2.dsc
922b2f12d3145ed4c0c0dc14cdce07a4cd959cb4d5801690f7017c116258ec7b 5905712 zabbix_2.2.7+dfsg.orig.tar.xz
ab10374d4c6a2fe217b0bf20d62b031c77f1193dd31d7755a6755eb7041b53ea 190456 zabbix_2.2.7+dfsg-2+deb8u2.debian.tar.xz
9eabea66d067dad9030538ce918e078bddfa815b6d2b75a79830ad14c6eb9f0c 319130 zabbix-agent_2.2.7+dfsg-2+deb8u2_amd64.deb
af6b4f676d79abefc23f3c86c222cdf16991042e800310886884397e56f72bcd 2921956 zabbix-frontend-php_2.2.7+dfsg-2+deb8u2_all.deb
5832cfadd87507b68001b0e988887a12ee1bf37701e1b15ddd2cceb4490ff8e3 188224 zabbix-java-gateway_2.2.7+dfsg-2+deb8u2_all.deb
5ec47187a1e682be7827b145a0d620a6f38ddae9c79160dc32e668c2339c82fd 560736 zabbix-proxy-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
e4ca76313fd2922806473ec324414021d38e4c6864cfc94cb991cd2d35d86866 563378 zabbix-proxy-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb
0a33e878fcbe8dcb7c06fe7316c5b2a6ad72f062646e4990e291e6036899228c 546370 zabbix-proxy-sqlite3_2.2.7+dfsg-2+deb8u2_amd64.deb
e7b50a3ab7a2c0e7f944248dd4675744cc4a05ff0eb30cd8f25c119bff483fee 1737350 zabbix-server-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
0e601656739833bdbfb5af91fb3bc3f18cfed8a0a7f6f203d75ff631d4488aca 1739500 zabbix-server-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb
Files:
fcfb8e956a9fa5075ee47f63e9fcb5f4 2794 net optional zabbix_2.2.7+dfsg-2+deb8u2.dsc
53fcafa41d157467d8646525504722b2 5905712 net optional zabbix_2.2.7+dfsg.orig.tar.xz
5af49593bbff493fa12836311e8b5ee6 190456 net optional zabbix_2.2.7+dfsg-2+deb8u2.debian.tar.xz
84f79eba49f8fe40337c74a6d437c1e4 319130 net optional zabbix-agent_2.2.7+dfsg-2+deb8u2_amd64.deb
60b3f5be1baeccaa89d9bd52ea83e0f6 2921956 net optional zabbix-frontend-php_2.2.7+dfsg-2+deb8u2_all.deb
063c86b6c2841b7638181f234a942836 188224 net optional zabbix-java-gateway_2.2.7+dfsg-2+deb8u2_all.deb
516a65e86b6552235b640542a10b76bd 560736 net optional zabbix-proxy-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
b7b023f80fd0ccb7af294b7f276a99eb 563378 net optional zabbix-proxy-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb
6673af071184a56753ff1e9ea66aeb7b 546370 net optional zabbix-proxy-sqlite3_2.2.7+dfsg-2+deb8u2_amd64.deb
61959f68893d95b96f4e52e322ed2e51 1737350 net optional zabbix-server-mysql_2.2.7+dfsg-2+deb8u2_amd64.deb
f22b7ee5edb4dea37ca330804ac9ca67 1739500 net optional zabbix-server-pgsql_2.2.7+dfsg-2+deb8u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAliUr9oACgkQEMKTtsN8
TjZUGRAAhXstc8JU9noDteDYFbz9c6KjjGLQLyB5bs1cERbYeYXPImfTKy0saNjX
yigfgxGw6JU3gr7f43y1mvh1ENkqkmQRCM6TaGmrTKnEFXxZABsVBRzFpNPYl4pF
hf/fvJeLJ5kRu1G7+G4bayhTPbEfIDBQYijNcdT9iiKORJLB8+2taHEjPa9Wt1U0
6zJeeYtkPlR6wndz0ERBgFxP1+pu+3gYId59jbBxkGIJ0c66DEpFLdbSB5JVndnd
5gE1wC9uzhjD9WpLi8Y09HfrZ+VlNdQfl50ZGg9IvSYIBgVcStrKirMbZvPgOJB0
vdw5ZMhhPBg0iInDvaTlca2usd2exPqDiEUiEoUTd5e3pkzzfHmUJGV3cKeSH8rq
zkNt/+VZLJIB22xmVOP8QDfPBWYydumM83idSOBTcDzWJWTZQ5s4rz6L0+shjWBd
e9KUSD7qwP3QvKZPfZ0dS3etzaV+8bS4j+C+0V3se5+dTwyd4VOC6DBUkTfRl2gA
bd3NhVClnH9ABnh/mskKgXlfG2msp0cdO5nl6Zkm2JitLwfHMAF33P2ahDUHYF1P
n/gDSWEyQs9OwDJQIouNxl3TOWyGHLLJ+1y+W0yJVW5/LuZmhJjv02gzfk+80Bu4
2EeJ9dnu61OYBCAKn3PI1OrfF4hYfwLY3DzvyiCHbCdP+18r5C0=
=0/FV
-----END PGP SIGNATURE-----
--- End Message ---