Your message dated Sat, 25 Nov 2023 09:50:20 +0000
with message-id <e1r6piq-00gg6h...@fasolo.debian.org>
and subject line Bug#1055175: fixed in zabbix 1:6.0.23+dfsg-1
has caused the Debian Bug report #1055175,
regarding zabbix: CVE-2023-29449 CVE-2023-29450 CVE-2023-29451 CVE-2023-29452 CVE-2023-29453 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for zabbix.

CVE-2023-29449[0]:
| JavaScript preprocessing, webhooks and global scripts can cause
| uncontrolled CPU, memory, and disk I/O utilization.
| Preprocessing/webhook/global script configuration and testing are
| only available to Administrative roles (Admin and Superadmin).
| Administrative privileges should be typically granted to users who
| need to perform tasks that require more control over the system. The
| security risk is limited because not all users have this level of
| access.

https://support.zabbix.com/browse/ZBX-22589
Upstream patch for 5.0.32: https://github.com/zabbix/zabbix/commit/e90b8a3c62
applied in upstream release/5.0 branch: https://github.com/zabbix/zabbix/commit/c21cf2fa656b75733e3abc09d8f20690735b3f22
vulnerable module introduced in https://github.com/zabbix/zabbix/commit/18d2abfc40 (5.0.0alpha1)

CVE-2023-29450[1]:
| JavaScript pre-processing can be used by the attacker to gain access
| to the file system (read-only access on behalf of user "zabbix") on
| the Zabbix Server or Zabbix Proxy, potentially leading to
| unauthorized access to sensitive data.

https://support.zabbix.com/browse/ZBX-22588
Patch for 5.0.32rc1: https://github.com/zabbix/zabbix/commit/c3f1543e4
Patch for 6.0.14rc2: https://github.com/zabbix/zabbix/commit/76f6a80cb

CVE-2023-29451[2]:
| Specially crafted string can cause a buffer overrun in the JSON
| parser library leading to a crash of the Zabbix Server or a Zabbix
| Proxy.

https://support.zabbix.com/browse/ZBX-22587

CVE-2023-29452[3]:
| Currently, geomap configuration (Administration -> General ->
| Geographical maps) allows using HTML in the field “Attribution text”
| when selected “Other” Tile provider.

https://support.zabbix.com/browse/ZBX-22981
Patches links: https://support.zabbix.com/browse/ZBX-22720
vulnerable geomap widget introduced in version with https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2 (6.0.0alpha6)

CVE-2023-29453[4]:
| Templates do not properly consider backticks (`) as Javascript
| string delimiters, and do not escape them as expected. Backticks are
| used, since ES6, for JS template literals. If a template contains a
| Go template action within a Javascript template literal, the
| contents of the action can be used to terminate the literal,
| injecting arbitrary Javascript code into the Go template. As ES6
| template literals are rather complex, and themselves can do string
| interpolation, the decision was made to simply disallow Go template
| actions from being used inside of them (e.g., "var a = {{.}}"),
| since there is no obviously safe way to allow this behavior. This
| takes the same approach as github.com/google/safehtml. With fix,
| Template.Parse returns an Error when it encounters templates like
| this, with an ErrorCode of value 12. This ErrorCode is currently
| unexported but will be exported in the release of Go 1.21. Users who
| rely on the previous behavior can re-enable it using the GODEBUG
| flag jstmpllitinterp=1, with the caveat that backticks will now be
| escaped. This should be used with caution.

https://support.zabbix.com/browse/ZBX-23388

CVE-2023-29454[5]:
| Stored or persistent cross-site scripting (XSS) is a type of XSS
| where the attacker first sends the payload to the web application,
| then the application saves the payload (e.g., in a database or
| server-side text files), and finally, the application
| unintentionally executes the payload for every victim visiting its
| web pages.

https://support.zabbix.com/browse/ZBX-22985

CVE-2023-29455[6]:
| Reflected XSS attacks, also known as non-persistent attacks, occur
| when a malicious script is reflected off a web application to the
| victim's browser. The script is activated through a link, which
| sends a request to a website with a vulnerability that enables
| execution of malicious scripts.

https://support.zabbix.com/browse/ZBX-22986

CVE-2023-29456[7]:
| URL validation scheme receives input from a user and then parses it
| to identify its various components. The validation scheme can ensure
| that all URL components comply with internet standards.

https://support.zabbix.com/browse/ZBX-22987

CVE-2023-29457[8]:
| Reflected XSS attacks occur when a malicious script is reflected
| off a web application to the victim's browser. The script can be
| activated through Action form fields, which can be sent as request
| to a website with a vulnerability that enables execution of
| malicious scripts.

https://support.zabbix.com/browse/ZBX-22988

CVE-2023-29458[9]:
| Duktape is a 3rd-party embeddable JavaScript engine, with a focus
| on portability and compact footprint. When adding too many values in
| the valstack, JavaScript will crash. This issue occurs due to a bug in
| Duktape 2.6, which is a 3rd-party solution that we use.

This appears to be a bug in Zabbix's use of duktape, not an issue in src:duktape per se.
https://support.zabbix.com/browse/ZBX-22989
duktape library introduced with https://github.com/zabbix/zabbix/commit/d43b04665c1ade5b4a9f49db750b8ca6c82e9de2 (5.0.0alpha1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-29449
    https://www.cve.org/CVERecord?id=CVE-2023-29449
[1] https://security-tracker.debian.org/tracker/CVE-2023-29450
    https://www.cve.org/CVERecord?id=CVE-2023-29450
[2] https://security-tracker.debian.org/tracker/CVE-2023-29451
    https://www.cve.org/CVERecord?id=CVE-2023-29451
[3] https://security-tracker.debian.org/tracker/CVE-2023-29452
    https://www.cve.org/CVERecord?id=CVE-2023-29452
[4] https://security-tracker.debian.org/tracker/CVE-2023-29453
    https://www.cve.org/CVERecord?id=CVE-2023-29453
[5] https://security-tracker.debian.org/tracker/CVE-2023-29454
    https://www.cve.org/CVERecord?id=CVE-2023-29454
[6] https://security-tracker.debian.org/tracker/CVE-2023-29455
    https://www.cve.org/CVERecord?id=CVE-2023-29455
[7] https://security-tracker.debian.org/tracker/CVE-2023-29456
    https://www.cve.org/CVERecord?id=CVE-2023-29456
[8] https://security-tracker.debian.org/tracker/CVE-2023-29457
    https://www.cve.org/CVERecord?id=CVE-2023-29457
[9] https://security-tracker.debian.org/tracker/CVE-2023-29458
    https://www.cve.org/CVERecord?id=CVE-2023-29458

Please adjust the affected versions in the BTS as needed.

--- End Message ---
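An added worked example of the html/template behaviour that the CVE-2023-29453 text in the report above describes; this is editorial example code written for this page, not Zabbix's or Go's own code. The two template strings, the sample values and the function names (renderQuotedJS, probeTemplateLiteral) are constructed for the example. It contrasts an action inside a double-quoted JS string, which html/template's contextual escaper handles, with an action inside a backtick template literal, which patched Go versions either reject or escape so that the value cannot terminate the literal.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample values (not from the report): untrusted strings that
// carry a backtick, a closing script tag and a double quote, i.e. the
// characters that matter when a value lands inside JavaScript in HTML.
const untrustedQuoted = "`</script>\"x"
const untrustedLiteral = "`; x()"

// renderQuotedJS renders a constructed template whose action sits inside a
// double-quoted JS string literal. html/template tracks that context and
// runs the value through its JS string escaper, so the output remains one
// string literal inside the original <script> element.
func renderQuotedJS(value string) (string, error) {
	t, err := template.New("quoted").Parse(`<script>var a = "{{.}}";</script>`)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, value); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// probeTemplateLiteral does the same with the action placed inside a
// backtick-delimited JS template literal, the case the report text is
// about. It returns the rendered output and the first error from Parse or
// Execute. Go 1.20.3 through 1.21 refuse such a template with the error
// the report text numbers 12; Go 1.22 and later accept it again and escape
// the interpolated backtick. Either way the value cannot close the literal.
func probeTemplateLiteral(value string) (string, error) {
	t, err := template.New("literal").Parse("<script>var a = `{{.}}`;</script>")
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, value); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	out, err := renderQuotedJS(untrustedQuoted)
	fmt.Printf("quoted string context: %q (err=%v)\n", out, err)

	out, err = probeTemplateLiteral(untrustedLiteral)
	if err != nil {
		fmt.Printf("template literal context: rejected: %v\n", err)
	} else {
		fmt.Printf("template literal context: %q\n", out)
	}
}
```

Run it with `go run` on the Go toolchain in use; the second line shows which of the two behaviours described in the report your Go version implements.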
--- Begin Message ---
Source: zabbix
Source-Version: 1:6.0.23+dfsg-1
Done: Dmitry Smirnov <only...@debian.org>

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1055...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <only...@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Nov 2023 20:21:41 +1100
Source: zabbix
Architecture: source
Version: 1:6.0.23+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Dmitry Smirnov <only...@debian.org>
Changed-By: Dmitry Smirnov <only...@debian.org>
Closes: 1043400 1050671 1052897 1053877 1055175
Changes:
 zabbix (1:6.0.23+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
     + fixed the following vulnerabilities (Closes: #1055175):
       * CVE-2023-29449
       * CVE-2023-29450
       * CVE-2023-29451
       * CVE-2023-29452
       * CVE-2023-29453
       * CVE-2023-29454
       * CVE-2023-29455
       * CVE-2023-29456
       * CVE-2023-29457
       * CVE-2023-29458
     + fixed the following vulnerabilities (Closes: #1053877):
       * CVE-2023-32721
       * CVE-2023-32722
       * CVE-2023-32723
       * CVE-2023-32724
   * Ignore errors in "go list" (dh_golang) until that is fixed in Golang
     (Closes: #1050671, #1052897).
   * Agent/service: start after "network-online.target" (Closes: #1043400).
   * Control/Depends: lsb-base --> sysvinit-utils (>= 3.05-4~).
Checksums-Sha1:
 7c55f83e7f81b54245f0975924073a281341fad7 4030 zabbix_6.0.23+dfsg-1.dsc
 ad8621946bbe6493350ea3cc30e995dc102354fa 13674588 zabbix_6.0.23+dfsg.orig-templates.tar.xz
 eb426b154794df0bb862d186450dc9d0a25b0c66 688944 zabbix_6.0.23+dfsg.orig-vendor.tar.xz
 0a75dac8bb033a420f6c48e9af3217140dcac0cb 22564824 zabbix_6.0.23+dfsg.orig.tar.xz
 8adfbd35ca9e8d14188282b666c75b54a94bd4c3 229768 zabbix_6.0.23+dfsg-1.debian.tar.xz
 be556fd7f6b3746a19cdbdfe9e84f10f53470872 20475 zabbix_6.0.23+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 a2aaf1219a593c35654123c41a6ca5788963485f1d8da629cb2c04c8c0d515bf 4030 zabbix_6.0.23+dfsg-1.dsc
 7fe2988b7255e9962b2b1794ff452bdd2879fd586265d3af770c11ae92544646 13674588 zabbix_6.0.23+dfsg.orig-templates.tar.xz
 643b67c269c97c9412e27a03dec57c58b787b4568e731084b7790733048f4867 688944 zabbix_6.0.23+dfsg.orig-vendor.tar.xz
 56ca8a8be9481d3d64f87b5f8b733d80da46e0b56f3b34ad5a22fa1427920104 22564824 zabbix_6.0.23+dfsg.orig.tar.xz
 94459e678a468e19305db607cb3507112cd3634d2c0c3fba37c2f33d05fa920b 229768 zabbix_6.0.23+dfsg-1.debian.tar.xz
 54e30577678b43114472f0114aed6faed0f19861b019288a454c70d8ad811dd3 20475 zabbix_6.0.23+dfsg-1_amd64.buildinfo
Files:
 691182e3fddb9b61b870cfaa7ec6b109 4030 net optional zabbix_6.0.23+dfsg-1.dsc
 b63a4055d1cea6cea169b82afa6e29e2 13674588 net optional zabbix_6.0.23+dfsg.orig-templates.tar.xz
 cefafa18860dc4dd61dc7cee1109f47f 688944 net optional zabbix_6.0.23+dfsg.orig-vendor.tar.xz
 3ce3f93fda68760cf5cec10ed645b10e 22564824 net optional zabbix_6.0.23+dfsg.orig.tar.xz
 b216fca19392e5f5114230ce7e3d516b 229768 net optional zabbix_6.0.23+dfsg-1.debian.tar.xz
 a784001c56fe7508f83c503dd08f44ed 20475 net optional zabbix_6.0.23+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
