===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2020.4138
zabbix security update
23 November 2020
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           zabbix
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11800 CVE-2016-10742
Reference:         ESB-2020.1790
                   ESB-2019.0764

Original Bulletin:
https://lists.debian.org/debian-lts-announce/2020/11/msg00039.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2461-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/
November 21, 2020                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : zabbix
Version        : 1:3.0.31+dfsg-0+deb9u1
CVE ID         : CVE-2016-10742 CVE-2020-11800

Multiple vulnerabilities were discovered in Zabbix, a network
monitoring solution. An attacker may remotely execute code on the
zabbix server, and redirect to external links through the zabbix web
frontend.

CVE-2016-10742

    Zabbix allows open redirect via the request parameter.

CVE-2020-11800

    Zabbix allows remote attackers to execute arbitrary code.

This update also includes several other bug fixes and improvements. For
more information please refer to the upstream changelog file.

For Debian 9 stretch, these problems have been fixed in version
1:3.0.31+dfsg-0+deb9u1.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================