Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.1370 zabbix security update 22 April 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: zabbix Publisher: Debian Operating System: Debian GNU/Linux Impact/Access: Cross-site Scripting -- Remote with User Interaction Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-15803 CVE-2019-15132 Reference: ESB-2020.2828 ESB-2020.2658 Original Bulletin: http://www.debian.org/lts/security/2021/dla-2631 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 From: Sylvain Beucler <beuc@beuc.net> To: debian-lts-announce@lists.debian.org Subject: [SECURITY] [DLA 2631-1] zabbix security update - - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2631-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ April 21, 2021 https://wiki.debian.org/LTS - - ------------------------------------------------------------------------- Package : zabbix Version : 1:3.0.32+dfsg-0+deb9u1 CVE ID : CVE-2019-15132 CVE-2020-15803 Debian Bug : 935027 966146 Multiple vulnerabilities were discovered in Zabbix, a network monitoring solution. An attacker may enumerate valid users and redirect to external links through the zabbix web frontend. CVE-2019-15132 Zabbix allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php. CVE-2020-15803 Zabbix allows stored XSS in the URL Widget. This fix was mistakenly dropped in previous upload 1:3.0.31+dfsg-0+deb9u1. This update also includes several other bug fixes and improvements. For more information please refer to the upstream changelog file. For Debian 9 stretch, these problems have been fixed in version 1:3.0.32+dfsg-0+deb9u1. We recommend that you upgrade your zabbix packages. For the detailed security status of zabbix please refer to its security tracker page at: https://security-tracker.debian.org/tracker/zabbix Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmCAOTwACgkQDTl9HeUl XjBBmRAAoeaXBWcAby5VexUL5aDbq7tF0yKtyxkT0GX0xLhSvsv3BY0RNGeifMML eRanx9I4t4kz1M+lQWwQObXLtMcptKx2O0AkEG+7JnyaEvKG/qZD9cfwdDtKrj0b SQMDfeM49LJzkmE2rRUO+AbYoCewNo37ydgUGE06UE+2kXGHfirrospTW2I/i3yS in7lUNCd4GcX6GZEMKSTSGfTxpq5szoIIU61jOZtGm1NSalBiA7SGIxQ0zGESJ0H /3avQqaqIr0DZ6LfUCBICEBq5SF/YzI7tsvfKrk/sSwbU3rJL1hOA8MHb5iRcPft HnIwIU1gTyZCxupGEGBJJ7FrJUlUw0p9FEaxLxwryqdUsCUa5fzYngw7EnW8kij6 UiZedOTMwx6LAUUVLr75y1mhyD4eIWdlIuB3WsiOaiC4ZyvOTEJ+cGpfmw6e8Pwx Mn01u8cRg3d5wlBAlUK35XT3uplijY2tg3/JEPWPz5QKuapG14N4WEzOopG2LAg6 WdiT4rV9B9rJfX9dOKyv1BJbO+K9nEQYBDQTe4u3tMPpn+uMHsXhdl6m8dQfXjOg Emv3DPx8zyhwpvbtPmtCFaM7dIKpOVipnJ4+hHecK1FZKYAxaMJwFkfkIXtmjWks yvF8xFvcWdc+xdtZZIoFY8ofkq9OM/B5n1Qf68ShnJXrdegdIjk= =X+nD - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYICx3uNLKJtyKPYoAQhtww/+JGN+q7gYUOE3HvM6AQ0uYvT92XRaEdCq QZ5SJ096Oi298HHJ6jLsCxaduPfANqyK63RPuthN2FFVPbjt3DcJX9obBLDeCySl ilsa9lGz7u4XdoX+VWl2sPlAF3cQh6t2yLkkdc50iRzimutbu6uf1PPpN63h3L2S QXbl7iV4hCNkkyz36hL4mMY2nZwQ7ACMxaiiyny5+bdfAWzY10GK+LOBoMQ+q1NF 0595NAe+gfeIS+GRrG9MkIVlGcxJ7CiQP9qB3UYYyuEJ3FH3xxL+BYHY9PDKD027 QWLf1p8te66nlBFMUGuguDjxbwiQ1AfnYz7Tc5CygDeWHdXCqZIlJH4kPSEfTL+W 58bmxmbTzNhmBedI41QhBwMulpNlofFswQJnL35/yzlfzzxmvUf3C7nEHPzYQYLq W1CrWgbxkHvy4AlJaxBmCYsmjClv8+o8yakIem7pvKtZ/7fhLI+ym1lMN2h1eTJR xqhVywRZ0A5HNHMS5Q0AHbol8QEWaKDTRPTBhLp3M6C91EkiODlKU3xVlMgoqWBE wzIpUHDZ+w4P4+T3HLH3EQshe1PK1+0v7VXIXYljz6VpASy0TtQF72qlcUFLwzQ1 1iiJ4TXyBXixxp1w++WKNmVOVtlWom95alszRe8v9LHUDw4UxYQWdVFKWqNVp0ly enZ80vgWD+4= =+27G -----END PGP SIGNATURE-----