Date: 06 December 2007
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0980 -- [UNIX/Linux][Debian]
New zabbix packages fix privilege escalation
6 December 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: zabbix
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
UNIX variants (UNIX, Linux, OSX)
Impact: Root Compromise
Access: Remote/Unauthenticated
CVE Names: CVE-2007-6210
Original Bulletin: http://www.debian.org/security/2007/dsa-1420
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running zabbix check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1420-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
December 05, 2007 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : zabbix
Vulnerability : programming error
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2007-6210
Debian Bug : 452682
Bas van Schaik discovered that the agentd process of Zabbix, a network
monitor system, may run user-supplied commands as group id root, not
zabbix, which may lead to a privilege escalation.
For the stable distribution (etch), this problem has been fixed in version
1:1.1.4-10etch1
zabbix is not included in the oldstable distribution (sarge).
We recommend that you upgrade your zabbix packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/z/zabbix/zabbix_1.1.4-10etch1.dsc
Size/MD5 checksum: 850 4b021367fae2f83903168622449ac3d5
http://security.debian.org/pool/updates/main/z/zabbix/zabbix_1.1.4-10etch1.diff.gz
Size/MD5 checksum: 19016 853af44b6fa0f9519710af72d728283b
http://security.debian.org/pool/updates/main/z/zabbix/zabbix_1.1.4.orig.tar.gz
Size/MD5 checksum: 1511210 8e733e41506dd34759daba01deeeefd9
Architecture independent packages:
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-frontend-php_1.1.4-10etch1_all.deb
Size/MD5 checksum: 337552 2094fd712f01e85f293ffba7628271a3
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-mysql_1.1.4-10etch1_alpha.deb
Size/MD5 checksum: 199540 d3c60f5e84c4c24622a93b7b88fcf21b
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-agent_1.1.4-10etch1_alpha.deb
Size/MD5 checksum: 134628 a1bc2d6920993443affd3a8751b9ca17
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-pgsql_1.1.4-10etch1_alpha.deb
Size/MD5 checksum: 208906 3c13b8046ff57e0fa8aea50f2be9ab55
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-agent_1.1.4-10etch1_amd64.deb
Size/MD5 checksum: 121058 88afd49700d9c27830b144c976d01bbc
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-mysql_1.1.4-10etch1_amd64.deb
Size/MD5 checksum: 187334 84ff800dfeeaaa15b5bc54da2c60d541
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-pgsql_1.1.4-10etch1_amd64.deb
Size/MD5 checksum: 197896 f287da9192ed398e4a91eeb466f5d0f2
arm architecture (ARM)
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-agent_1.1.4-10etch1_arm.deb
Size/MD5 checksum: 114812 54d95bd62d7fc9c4f7f489b3a6aa61b1
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-mysql_1.1.4-10etch1_arm.deb
Size/MD5 checksum: 184154 a86d542d9e915e3218857f627987b4da
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-pgsql_1.1.4-10etch1_arm.deb
Size/MD5 checksum: 195136 69e6a2e140d706ea2e2345af3e4c7079
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-agent_1.1.4-10etch1_hppa.deb
Size/MD5 checksum: 129776 94cf53bf377404b7e735e03958c06b45
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-mysql_1.1.4-10etch1_hppa.deb
Size/MD5 checksum: 198254 61e71f3347893b5db188f84639aa5408
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-pgsql_1.1.4-10etch1_hppa.deb
Size/MD5 checksum: 207124 ba7edc382a338dd1c199f5195c70600c
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-mysql_1.1.4-10etch1_mips.deb
Size/MD5 checksum: 191732 2bf4f31683e0cbc336761bb289637935
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-pgsql_1.1.4-10etch1_mips.deb
Size/MD5 checksum: 202436 895df858131cb2a7cdaf08872990a5ad
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-agent_1.1.4-10etch1_mips.deb
Size/MD5 checksum: 127066 92ffdb635471d03e6557feb09c964b14
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-agent_1.1.4-10etch1_mipsel.deb
Size/MD5 checksum: 127084 1ec77d9776f50835b0de53280f6d1566
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-pgsql_1.1.4-10etch1_mipsel.deb
Size/MD5 checksum: 202602 0e6f7eacb323cd92e794374b3ace26f5
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-mysql_1.1.4-10etch1_mipsel.deb
Size/MD5 checksum: 191870 37f5495aa653af479e47fbd7eaa9d881
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-pgsql_1.1.4-10etch1_powerpc.deb
Size/MD5 checksum: 200586 d6f8539a23ef645e1acd89053d0ee9b4
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-mysql_1.1.4-10etch1_powerpc.deb
Size/MD5 checksum: 190128 f15156135f21e6038ea6ecbba9fd39b1
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-agent_1.1.4-10etch1_powerpc.deb
Size/MD5 checksum: 124226 db888cf3cc5d4052f5df1faca2e2b959
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-mysql_1.1.4-10etch1_s390.deb
Size/MD5 checksum: 186494 31fe6349c1df9707e07dcc7f3188f4fa
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-agent_1.1.4-10etch1_s390.deb
Size/MD5 checksum: 120012 57d1846b5821c0160ec04fc896f035cb
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-pgsql_1.1.4-10etch1_s390.deb
Size/MD5 checksum: 197310 73739f20a98209392de313cb1f43add7
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-pgsql_1.1.4-10etch1_sparc.deb
Size/MD5 checksum: 190724 2139419b2569163970b964008989ceef
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-agent_1.1.4-10etch1_sparc.deb
Size/MD5 checksum: 113630 2845f0b14a5a8d57b20cb4646af97f2a
http://security.debian.org/pool/updates/main/z/zabbix/zabbix-server-mysql_1.1.4-10etch1_sparc.deb
Size/MD5 checksum: 181714 275fe787f58c0cec7dcbdfe05505778f
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHVvhfYrVLjBFATsMRAtztAJ4tPwqq/mnldOLs5uOV6q4fR8a0DwCeNjNu
mHiRd9dwvpiLl50n5eJi5Hk=
=QVTQ
- -----END PGP SIGNATURE-----
- --
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR1c8Lih9+71yA2DNAQK0lgQAhj8Oa8mTGlWnmm8I0ODsQbytq+2dOaQz
RqyAF80x0ivkIyfNaTsT8tMut00AvvLsTjDP8wqC6EgDwhL2mX7N+S6oDpRFcsIV
FSiVL94YqsrVR+FpmA1LspQh5w//WdwgrpHwIVlMOfbUEhix5iNd+LkhNZZk+kc1
9+cGW+S1Dgo=
=03e0
-----END PGP SIGNATURE-----
|