[Git][security-tracker-team/security-tracker][master] CVE-2024-36466/zabbix not affecting bullseye
Tobias Frost (@tobi)
tobi at debian.org
Sat Dec 7 07:49:51 GMT 2024
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b274c509 by Tobias Frost at 2024-12-07T08:48:05+01:00
CVE-2024-36466/zabbix not affecting bullseye
With
https://github.com/zabbix/zabbix/commit/24e7ca3c792fe3581fdb39c3f7c914c6a4c92500
upstream introduced storing sessions in cookies, which is the vulnerable
feature. This commit is first seen in 6.0.0alpha1.
Accordingly, Bookworm is vulnerable
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1895,9 +1895,11 @@ CVE-2024-38309 (There are multiple stack-based buffer overflow vulnerabilities i
NOT-FOR-US: Fuji
CVE-2024-36466 (A bug in the code allows an attacker to sign a forged zbx_session cook ...)
- zabbix 1:7.0.1+dfsg-1
+ [bullseye] - zabbix <not-affected> (Vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-25635
NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/6e39148b7361312f730d87e4438f692a2c39d07e (7.0.1rc1)
NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/48e7615d1e1e3a5f543505cc6cb0a5564a655b58 (6.0.32rc1)
+ NOTE: Vulnerable feature introduced with https://github.com/zabbix/zabbix/commit/24e7ca3c792fe3581fdb39c3f7c914c6a4c92500 (6.0.0alpha1)
CVE-2024-11933 (Fuji Electric Monitouch V-SFT X1 File Parsing Heap-based Buffer Overfl ...)
NOT-FOR-US: Fuji
CVE-2024-11925 (The JobSearch WP Job Board plugin for WordPress is vulnerable to privi ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b274c509cc78d72eb2540ae2256c7cbcad68093e
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b274c509cc78d72eb2540ae2256c7cbcad68093e
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20241207/d7ec8a87/attachment.htm>
More information about the debian-security-tracker-commits
mailing list