[Git][security-tracker-team/security-tracker][master] Review recent zabbix updates

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Oct 21 18:03:34 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d7c5b0fb by Salvatore Bonaccorso at 2025-10-21T19:02:30+02:00
Review recent zabbix updates

While at it, adjust two upstream tags and reference the correct id for the
CVE-2025-27240 commit.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5797,9 +5797,9 @@ CVE-2025-49641 (A regular Zabbix user with no permission to the Monitoring -> Pr
 	- zabbix <unfixed> (bug #1117448)
 	NOTE: https://support.zabbix.com/browse/ZBX-27063
 	NOTE: Internal ID DEV-4393
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/bc22c5969061c44f5fd390f7dc6c7ce8a45fae5a (6.0.41rc1)
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/968955a38dcf5e6d545710147c88927b4d910124 (7.0.18rc2)
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/4b26cec0e051335b028b8fa53698a9d425cfac90 (7.4.2rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/bc22c5969061c44f5fd390f7dc6c7ce8a45fae5a (6.0.41rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/968955a38dcf5e6d545710147c88927b4d910124 (7.0.18rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/4b26cec0e051335b028b8fa53698a9d425cfac90 (7.4.2rc1)
 	NOTE: Fixed in: 6.0.41, 7.0.18, 7.2.12, 7.4.2
 CVE-2025-48730 (A use of externally-controlled format string vulnerability has been re ...)
 	NOT-FOR-US: QNAP
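Review bot: The "Fixed in: 6.0.41, 7.0.18, 7.2.12, 7.4.2" line of the CVE-2025-49641 entry lists a 7.2.12 fix, but the three "Fixed by:" lines only cover the 6.0, 7.0 and 7.4 branches; the neighbouring CVE-2025-27236 entry carries one commit reference per branch, so a 7.2.12rc1 commit reference is missing here. The only substantive change in this hunk is the tag on the 7.0 commit 968955a38dcf5e6d545710147c88927b4d910124 moving from 7.0.18rc2 to 7.0.18rc1; nothing on the page shows the upstream tag, so it would be worth confirming with `git tag --contains 968955a38dcf5e6d545710147c88927b4d910124` (or `git describe --contains`) in the upstream clone before relying on it. Minor: "Internal ID DEV-4393" on the untouched context line differs from the "Internal issue DEV-..." wording used in the other entries in this patch.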
@@ -5882,10 +5882,10 @@ CVE-2025-27236 (A regular Zabbix user can search other users in their user group
 	- zabbix <unfixed> (bug #1117448)
 	NOTE: https://support.zabbix.com/browse/ZBX-27060
 	NOTE: Internal issue DEV-4295
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/d9404e01005c83e91216caeebcfdbbdcbb64b4d9 (6.0.40rc1)
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/15d30787f648e27a7bbc305a465952c279e971a0 (7.0.17rc1)
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/7f63f05b187b87cf06694de817d93a954de05398 (7.2.11rc1)
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/bdfa09b08bb4a5434e40e54776f3be6e615a83b3 (7.4.1rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/d9404e01005c83e91216caeebcfdbbdcbb64b4d9 (6.0.41rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/15d30787f648e27a7bbc305a465952c279e971a0 (7.0.17rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/7f63f05b187b87cf06694de817d93a954de05398 (7.2.11rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/bdfa09b08bb4a5434e40e54776f3be6e615a83b3 (7.4.1rc1)
 	NOTE: Fixed in: 6.0.41, 7.0.17, 7.2.11, 7.4.1
 CVE-2025-27231 (The LDAP 'Bind password' value cannot be read after saving, but a Supe ...)
 	- zabbix <unfixed> (bug #1117448)
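Review bot: The tag change on the first "Fixed by:" line, from 6.0.40rc1 to 6.0.41rc1 for commit d9404e01005c83e91216caeebcfdbbdcbb64b4d9, is the second of the two upstream tag adjustments from the commit message and is the one that matters here: the old tag contradicted the unchanged "Fixed in: 6.0.41, 7.0.17, 7.2.11, 7.4.1" line, which lists 6.0.41 as the first fixed 6.0.x release, and the two now agree. The remaining three lines only change the "Fixed by merge commit" prefix to "Fixed by:" with hashes and tags unchanged, so there is nothing else to verify in this hunk.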
@@ -14757,15 +14757,15 @@ CVE-2025-27240 (A Zabbix adminitrator can inject arbitrary SQL during the autore
 	- zabbix 1:7.0.5+dfsg-1
 	NOTE: https://support.zabbix.com/browse/ZBX-26986
 	NOTE: Internal issue DEV-3902
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/f092a5067ad3555bb5aa908952f034b64b1f0718 (6.0.34rc1)
-	NOTE: Fixed by commit  https://github.com/zabbix/zabbix/commit/f092a5067ad3555bb5aa908952f034b64b1f071853562f832665e15033062fb489cdaf18356d9eb1 (7.0.4rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/f092a5067ad3555bb5aa908952f034b64b1f0718 (6.0.34rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/53562f832665e15033062fb489cdaf18356d9eb1 (7.0.4rc1)
 	NOTE: Fixed in 6.0.34, 6.4.19, 7.0.4
 CVE-2025-27238 (Due to a bug in Zabbix API, the hostprototype.get method lists all hos ...)
 	- zabbix <unfixed> (bug #1117448)
 	NOTE: https://support.zabbix.com/browse/ZBX-26988
 	NOTE: Internal issue DEV-4292
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/2d607ccd0d099757e48bbb9d3abb7571268ed87e (7.0.14rc1)
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/de83eeea59ca18e5a435a517570f8e6925f124ec (7.2.8rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/2d607ccd0d099757e48bbb9d3abb7571268ed87e (7.0.14rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/de83eeea59ca18e5a435a517570f8e6925f124ec (7.2.8rc1)
 	NOTE: Fixed in 7.0.14, 7.2.8
 CVE-2025-27234 (Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.g ...)
 	- zabbix 1:6.0.7+dfsg-2
@@ -14773,23 +14773,23 @@ CVE-2025-27234 (Zabbix Agent 2 smartctl plugin does not properly sanitize smart.
 	NOTE: 5.0.0-5.0.46 specific issue, thus mark the first version in unstable from the
 	NOTE: 6.0.0 series onwards as the fixed version as workaround.
 	NOTE: Fixed in 5.0.47
-	NOTE: Internal issue DEV-4211 (same than CVE-2025-27233)
-	NOTE: Fixed by commit [1/8] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/04f541edac542f12a903f9fb82046c45edf8c357 (5.0.47rc1)
-	NOTE: Fixed by commit [2/8] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b37ba84a92756f3b77dec1f181f8d6ba1e206f57 (5.0.47rc1)
-	NOTE: Fixed by commit [3/8] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/752b763bea758c11693b0fd034265729d1867240 (5.0.47rc1)
-	NOTE: Fixed by commit [4/8] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/05e0fa369c6ef4ddbddc54c530249b6d67634198 (5.0.47rc1)
-	NOTE: Fixed by commit [5/8] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/188490c97e3f72e9fd3836654f0dee5922159929 (5.0.47rc1)
-	NOTE: Fixed by commit [6/8] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/a4b2d7f2bc7c32d6753f5cadca9eebacbf0d1b04 (5.0.47rc1)
-	NOTE: Fixed by commit [7/8] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/3d471b650f133c43935f7db38cf277122d253a3a (5.0.47rc1)
-	NOTE: Fixed by commit [8/8] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/d18935be5fadca6c85ce0a715ce85e757d1dc80b (5.0.47rc1)
+	NOTE: Internal issue DEV-4211 (Related to CVE-2025-27233)
+	NOTE: Fixed by [1/8]: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/04f541edac542f12a903f9fb82046c45edf8c357 (5.0.47rc1)
+	NOTE: Fixed by [2/8]: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b37ba84a92756f3b77dec1f181f8d6ba1e206f57 (5.0.47rc1)
+	NOTE: Fixed by [3/8]: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/752b763bea758c11693b0fd034265729d1867240 (5.0.47rc1)
+	NOTE: Fixed by [4/8]: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/05e0fa369c6ef4ddbddc54c530249b6d67634198 (5.0.47rc1)
+	NOTE: Fixed by [5/8]: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/188490c97e3f72e9fd3836654f0dee5922159929 (5.0.47rc1)
+	NOTE: Fixed by [6/8]: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/a4b2d7f2bc7c32d6753f5cadca9eebacbf0d1b04 (5.0.47rc1)
+	NOTE: Fixed by [7/8]: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/3d471b650f133c43935f7db38cf277122d253a3a (5.0.47rc1)
+	NOTE: Fixed by [8/8]: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/d18935be5fadca6c85ce0a715ce85e757d1dc80b (5.0.47rc1)
 CVE-2025-27233 (Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.g ...)
 	- zabbix <unfixed> (bug #1117448)
-	[bullseye] - zabbix <not-affected> (assigned CVE-2025-27234 instead)
+	[bullseye] - zabbix <not-affected> (Vulnerable code not present, CVE-2025-27234 specific for the 5.0.x codebase)
 	NOTE: https://support.zabbix.com/browse/ZBX-26987
-	NOTE: Internal issue DEV-4211 (same than CVE-2025-27234)
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/6abcdb5010d19cc6fb3e73f1cc3f127afb5d151f (6.0.40rc1)
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/f0625dd11ed5e043d330f8f22ac8eecb63272106 (7.0.11rc2)
-	NOTE: Fixed by merge commit https://github.com/zabbix/zabbix/commit/70b7a00e94db1c0dd16384d81cc40659de57fb04 (7.2.5rc2)
+	NOTE: Internal issue DEV-4211 (relates to CVE-2025-27234 for 5.0.x codebase)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/6abcdb5010d19cc6fb3e73f1cc3f127afb5d151f (6.0.40rc1)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/f0625dd11ed5e043d330f8f22ac8eecb63272106 (7.0.11rc2)
+	NOTE: Fixed by: https://github.com/zabbix/zabbix/commit/70b7a00e94db1c0dd16384d81cc40659de57fb04 (7.2.5rc2)
 	NOTE: Fixed upstream in 6.0.40, 7.0.11, 7.2.5
 CVE-2025-10365 (The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fab ...)
 	NOT-FOR-US: Evertz SDVN 3080ipx-10G
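Review bot: The new bullseye rationale for CVE-2025-27233, "(Vulnerable code not present, CVE-2025-27234 specific for the 5.0.x codebase)", is grammatically awkward and can be read as saying the smartctl plugin code is absent from bullseye, whereas the point (per the CVE-2025-27234 notes just above: "5.0.0-5.0.46 specific issue") is that the bullseye 5.0.x package is tracked under the other CVE; something like "(Vulnerable code not present; the 5.0.x codebase is tracked as CVE-2025-27234)" would be unambiguous. The two cross-references also use different phrasing for the same relationship, "Internal issue DEV-4211 (Related to CVE-2025-27233)" versus "Internal issue DEV-4211 (relates to CVE-2025-27234 for 5.0.x codebase)", and the CVE-2025-27233 entry ends with "Fixed upstream in 6.0.40, 7.0.11, 7.2.5" while every other entry in this patch uses "Fixed in"; both are style points worth aligning in the same pass. The eight 5.0.47rc1 commit references for CVE-2025-27234 and the three commit references for CVE-2025-27233 keep their hashes and tags unchanged, so only the prefixes differ there.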



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7c5b0fb30a4344dec0923a430f2445d005b03b9


