[Git][security-tracker-team/security-tracker][master] 2 commits: zabbix: precise triage

Sylvain Beucler beuc at debian.org
Thu Nov 12 17:26:18 GMT 2020



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4d5d6c31 by Sylvain Beucler at 2020-11-12T18:15:12+01:00
zabbix: precise triage
CVE-2019-17382: stretch ignored
CVE-2019-15132: reference patch
CVE-2016-10742: reference patch

- - - - -
2276adb1 by Sylvain Beucler at 2020-11-12T18:21:36+01:00
CVE-2017-2826/zabbix not fixed in DLA-1708-1
which upgraded to LTS 2.2.23 but doesn't include a fix,
probably confusion with https://support.zabbix.com/browse/ZBX-12076
which references this issue but fixes another

Reverts 783fa4a6ad56c09e47f1d36ba34fe438a6728fb9
Updates a38fdca6e6b6b4d6c31c5a70e37e999d3bdef951

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -76260,7 +76260,7 @@ CVE-2019-17383 (The netaddr gem before 2.0.4 for Ruby has misconfigured file per
 CVE-2019-17382 (An issue was discovered in zabbix.php?action=dashboard.view&dashbo ...)
 	- zabbix <unfixed>
 	[buster] - zabbix <no-dsa> (Minor issue)
-	[stretch] - zabbix <no-dsa> (Minor issue)
+	[stretch] - zabbix <ignored> (Minor issue, no patch, guest accounts can be disabled)
 	[jessie] - zabbix <no-dsa> (Minor issue, guest accounts can be disabled)
 	NOTE: https://support.zabbix.com/browse/ZBX-16789
 	NOTE: Disputed by upstream, closed as not a security bug.
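Review bot: the stretch line is downgraded from `<no-dsa>` to `<ignored>` with the rationale "no patch, guest accounts can be disabled", but the jessie line directly below keeps `<no-dsa>` with the same "guest accounts can be disabled" reasoning. Since the two lines now give the same justification for different states, either align jessie with stretch or record in the stretch annotation why the two suites are triaged differently.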
@@ -82796,6 +82796,8 @@ CVE-2019-15132 (Zabbix through 4.4.0alpha1 allows User Enumeration. With login r
 	[stretch] - zabbix <no-dsa> (Minor issue)
 	[jessie] - zabbix <postponed> (Minor issue)
 	NOTE: https://support.zabbix.com/browse/ZBX-16532
+	NOTE: https://support.zabbix.com/browse/ZBX-5842
+	NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b5a110e4d1c21d865cd03e3ef8dbc6f37221b60f (4.0.27rc1)
 CVE-2019-15131 (In Code42 Enterprise 6.7.5 and earlier, 6.8.4 through 6.8.8, and 7.0.0 ...)
 	NOT-FOR-US: Code42
 CVE-2019-15130 (The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681  ...)
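Review bot: the new `NOTE: https://support.zabbix.com/browse/ZBX-5842` line is added without saying how that ticket relates to CVE-2019-15132, unlike the CVE-2017-2826 entry in the same commit, which spells out "Relates to ... (but is not the same issue)". A few words on whether ZBX-5842 is the upstream fix ticket or only background would help the next triager; the commit link below it already carries the "(4.0.27rc1)" version tag, so the same style could be used here.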
@@ -104801,6 +104803,7 @@ CVE-2016-10742 (Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x b
 	[stretch] - zabbix <no-dsa> (Minor issue)
 	NOTE: https://support.zabbix.com/browse/ZBX-10272
 	NOTE: https://support.zabbix.com/browse/ZBX-13133
+	NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/2b340b8128af6c00469ef4066de16d4b1e81c841 (3.0.13rc1)
 CVE-2019-8401
 	REJECTED
 CVE-2019-8400 (ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/ ...)
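Review bot: the added commit reference is tagged "(3.0.13rc1)", which is only the 3.0.x fix, while the entry header lists separate fixed versions per branch ("before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x ..."). The second commit in this push keeps DLA-1708-1 (zabbix 2.2.23 on jessie) as the fix for CVE-2016-10742, so the 2.2-branch commit is the one that would let a reviewer confirm that claim; consider adding it alongside the 3.0.13rc1 one.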
@@ -226481,15 +226484,15 @@ CVE-2017-2828 (An exploitable command injection vulnerability exists in the web
 CVE-2017-2827 (An exploitable command injection vulnerability exists in the web manag ...)
 	NOT-FOR-US: Foscam C1 Indoor HD Camera
 CVE-2017-2826 (An information disclosure vulnerability exists in the iConfig proxy re ...)
-	{DLA-1708-1}
 	- zabbix <unfixed> (low)
 	[buster] - zabbix <ignored> (Minor issue, workaround exists)
 	[stretch] - zabbix <ignored> (Minor issue, workaround exists)
+	[jessie] - zabbix <ignored> (Minor issue, workaround exists)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0327
 	NOTE: Relates to the information disclosure as mentioned in (but is not the same issue)
 	NOTE: https://support.zabbix.com/browse/ZBX-12076
 	NOTE: Workaround for Zabbix 3.0 exists: https://www.zabbix.com/documentation/3.0/manual/distributed_monitoring/proxies#configuration
-	NOTE: using encyrpted connections with the proxy.
+	NOTE: using encrypted connections with the proxy.
 CVE-2017-2825 (In the trapper functionality of Zabbix Server 2.4.x, specifically craf ...)
 	{DSA-3937-1}
 	- zabbix 1:3.0.7+dfsg-3 (bug #863584)
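Review bot: dropping the `{DLA-1708-1}` line and adding `[jessie] - zabbix <ignored>` leaves no trace in the entry of why the DLA reference was removed; the reasoning lives only in the commit message ("probably confusion with ZBX-12076"). Add a NOTE line recording that DLA-1708-1 listed this CVE but the 2.2.23 upload does not contain a fix, so the reference is not re-added later (this commit already reverts one earlier change). The `encyrpted` to `encrypted` spelling fix is fine.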


=====================================
data/DLA/list
=====================================
@@ -2292,7 +2292,7 @@
 	{CVE-2019-0804}
 	[jessie] - waagent 2.2.18-3~deb8u2
 [11 Mar 2019] DLA-1708-1 zabbix - security update
-	{CVE-2016-10742 CVE-2017-2826}
+	{CVE-2016-10742}
 	[jessie] - zabbix 1:2.2.23+dfsg-0+deb8u1
 [09 Mar 2019] DLA-1707-1 symfony - security update
 	{CVE-2017-16652 CVE-2017-16654 CVE-2018-11385 CVE-2018-11408 CVE-2018-14773 CVE-2018-19789 CVE-2018-19790}
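Review bot: removing CVE-2017-2826 from the `{...}` list of DLA-1708-1 corrects the tracker data, but the advisory as published on 11 Mar 2019 still names that CVE. Consider pairing this data fix with a follow-up notice (or at least a note on the CVE entry) so that anyone reading the original DLA text is not left believing jessie's zabbix 1:2.2.23+dfsg-0+deb8u1 addresses CVE-2017-2826.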



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7f7beb6659cc42c39dff233915adf33f05cbd5a0...2276adb133a2f78ba286202fabf0787cdfcccd24
