[Git][security-tracker-team/security-tracker][master] CVE-2023-32723/zabbix (bullseye, LTS not affected)

Tobias Frost (@tobi) tobi at debian.org
Sat Sep 14 15:46:14 BST 2024



Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
638d355c by Tobias Frost at 2024-09-14T16:42:27+02:00
CVE-2023-32723/zabbix (bullseye, LTS not affected)

Analysis for bullseye (LTS):
This vulnerability was only in upstream version 5.0.0alpha3, which
was never uploaded to Debian.  The first fixed uploaded version with the
fix applied was 5.0.0.

The only versions affected by this vulnerability were from the 4.0.x
series, namely up to version 4.0.20rc1, but Debian only had 4.0.19 - so
1:5.0.0+dfsg-1 was the first fixed version for bullseye.

(I believe bookworm is not affected as well, the release is newer than the
vulnerability, but I'll leave that release for now)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -84762,9 +84762,14 @@ CVE-2023-32723 (Request to LDAP is sent before user permissions are checked.)
 	{DLA-3717-1}
 	- zabbix 1:6.0.23+dfsg-1 (bug #1053877)
 	[bookworm] - zabbix <no-dsa> (Minor issue)
-	[bullseye] - zabbix <no-dsa> (Minor issue)
+	[bullseye] - zabbix 1:5.0.0+dfsg-1
 	NOTE: https://support.zabbix.com/browse/ZBX-23230
-	NOTE: very likely commit https://github.com/zabbix/zabbix/commit/3576afe9b87d8ad1ba92a13c28ba904671087688 (for 4.0.x)
+	NOTE: fixed by https://github.com/zabbix/zabbix/commit/3576afe9b87d8ad1ba92a13c28ba904671087688 (for 4.0.x)
+	NOTE: fixed by https://github.com/zabbix/zabbix/commit/5f73a8536a9c639ef1b30f6cca1eef0f968328ce (5.0.0alpha4)
+	NOTE: affected version ranges:
+	NOTE: 4.0.0 - 4.0.19rc1; fixed in 4.0.20rc1
+	NOTE: 4.4.0 - 4.4.7rc1; fixed in 4.4.8rc1
+	NOTE: 5.0.0alpha3; fixed in 5.0.0alpha4
 CVE-2023-32722 (The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow  ...)
 	- zabbix 1:6.0.23+dfsg-1 (bug #1053877)
 	[bookworm] - zabbix <no-dsa> (Minor issue)
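
Review bot: The unchanged lines `- zabbix 1:6.0.23+dfsg-1 (bug #1053877)` and `[bookworm] - zabbix <no-dsa> (Minor issue)` under CVE-2023-32723 now sit next to a `[bullseye]` line with a lower fixed version and next to range notes that end at 5.0.0alpha3, so the entry reads as fixed in bullseye yet still open in the newer bookworm. If the ranges in the added NOTE lines are complete, consider lowering the fixed version on the unstable line and dropping the bookworm line in a follow-up, or add a NOTE stating that bookworm is still to be checked. The range `4.0.0 - 4.0.19rc1; fixed in 4.0.20rc1` also leaves the 4.0.19 release itself unclassified; giving the last affected release as the upper bound would remove that ambiguity.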



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/638d355cd70d6e2ad89817cabce10552cb379853
