<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en" style='--code-editor-font: var(--default-mono-font, "GitLab Mono"), JetBrains Mono, Menlo, DejaVu Sans Mono, Liberation Mono, Consolas, Ubuntu Mono, Courier New, andale mono, lucida console, monospace;'>
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style data-premailer="ignore" type="text/css">
a { color: #1068bf; }
</style>
<style>img {
max-width: 100%; height: auto;
}
body {
font-size: .875rem;
}
body {
-webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px;
}
body {
font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"; font-size: inherit;
}
</style>
</head>
<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px; font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";'>
<div class="content">
<h3 style="margin-top: 20px; margin-bottom: 10px;">
Tobias Frost pushed to branch master at <a href="https://salsa.debian.org/security-tracker-team/security-tracker">Debian Security Tracker / security-tracker</a>
</h3>
<h4 style="margin-top: 10px; margin-bottom: 10px;">
Commits:
</h4>
<ul>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/640cf95c02dc6525dfb27118109529ab7bccce39">640cf95c</a></strong>
<div>
<span> by Tobias Frost </span> <i> at 2024-12-07T13:31:11+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>CVE-2024-36464/zabbix not fixed upstream in 6.0.30c1
(see
https://support.zabbix.com/browse/ZBX-25630?focusedCommentId=1026630&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-1026630
upstream report)
Quote:
I've just installed 6.0.34 from your Debian repository, and I'm probably holding it wrong, but I *think* I still can reproduce this on 6.0.36
root@isildor2:/etc# dpkg -l 'zabbix*' | grep ^ii
ii zabbix-agent 1:6.0.36-1+debian12 amd64 Zabbix network monitoring solution - agent
ii zabbix-apache-conf 1:6.0.36-1+debian12 all Zabbix network monitoring solution - apache configuration for front-end
ii zabbix-frontend-php 1:6.0.36-1+debian12 all Zabbix network monitoring solution - PHP front-end
ii zabbix-release 1:6.0-5+debian12 all Zabbix official repository configuration
ii zabbix-server-mysql 1:6.0.36-1+debian12 amd64 Zabbix network monitoring solution - server (MySQL)
ii zabbix-sql-scripts 1:6.0.36-1+debian12 all Zabbix network monitoring solution - sql-scripts
Reproducer:
Login as Admin
Create a Media Type
Type "Email"
Set Authentication to "Username and Password"
Enter Username (I've used "test-user")
Enter Password (I've used "test-password")
Save
Select created entry
Export it
Yields to:
zabbix_export:
version: '6.0'
date: '2024-12-07T12:21:30Z'
media_types:
- name: test-with-password
type: EMAIL
smtp_server: mail.example.com
smtp_helo: example.com
smtp_email: zabbix@example.com
smtp_authentication: PASSWORD
username: test-user
password: test-password
status: DISABLED
</pre>
</li>
</ul>
<h4 style="margin-top: 10px; margin-bottom: 10px;">
1 changed file:
</h4>
<ul>
<li class="file-stats">
<a href="#4716ef5aa8f2742228ba3b3633215c8b808565e3">
data/CVE/list
</a>
</li>
</ul>
<h4 style="margin-top: 10px; margin-bottom: 10px;">
Changes:
</h4>
<li id="4716ef5aa8f2742228ba3b3633215c8b808565e3">
<a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/640cf95c02dc6525dfb27118109529ab7bccce39#4716ef5aa8f2742228ba3b3633215c8b808565e3"><strong style="font-weight: 600;">data/CVE/list</strong></a>
<hr style="overflow: hidden; border: 1px solid #e1e1e1;">
No preview for this file type
<br>
</li>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #737278;">
—
<br>
<a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/640cf95c02dc6525dfb27118109529ab7bccce39">View it on GitLab</a>.
<br>
You're receiving this email because of your account on <a target="_blank" rel="noopener noreferrer" href="https://salsa.debian.org">salsa.debian.org</a>. <a href="https://salsa.debian.org/-/profile/notifications" target="_blank" rel="noopener noreferrer" class="mng-notif-link">Manage all notifications</a> · <a href="https://salsa.debian.org/help" target="_blank" rel="noopener noreferrer" class="help-link">Help</a>
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Commit","url":"https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/640cf95c02dc6525dfb27118109529ab7bccce39"}}</script>
</p>
</div>
</body>
</html>