Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1370
zabbix security update
22 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: zabbix
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-15803 CVE-2019-15132
Reference: ESB-2020.2828
ESB-2020.2658
Original Bulletin:
http://www.debian.org/lts/security/2021/dla-2631
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
From: Sylvain Beucler <beuc@beuc.net>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2631-1] zabbix security update
- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2631-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/
April 21, 2021 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package : zabbix
Version : 1:3.0.32+dfsg-0+deb9u1
CVE ID : CVE-2019-15132 CVE-2020-15803
Debian Bug : 935027 966146
Multiple vulnerabilities were discovered in Zabbix, a network
monitoring solution. An attacker may enumerate valid users and
redirect to external links through the zabbix web frontend.
CVE-2019-15132
Zabbix allows User Enumeration. With login requests, it is
possible to enumerate application usernames based on the
variability of server responses (e.g., the "Login name or password
is incorrect" and "No permissions for system access" messages, or
just blocking for a number of seconds). This affects both
api_jsonrpc.php and index.php.
CVE-2020-15803
Zabbix allows stored XSS in the URL Widget. This fix was
mistakenly dropped in previous upload 1:3.0.31+dfsg-0+deb9u1.
This update also includes several other bug fixes and
improvements. For more information please refer to the upstream
changelog file.
For Debian 9 stretch, these problems have been fixed in version
1:3.0.32+dfsg-0+deb9u1.
We recommend that you upgrade your zabbix packages.
For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmCAOTwACgkQDTl9HeUl
XjBBmRAAoeaXBWcAby5VexUL5aDbq7tF0yKtyxkT0GX0xLhSvsv3BY0RNGeifMML
eRanx9I4t4kz1M+lQWwQObXLtMcptKx2O0AkEG+7JnyaEvKG/qZD9cfwdDtKrj0b
SQMDfeM49LJzkmE2rRUO+AbYoCewNo37ydgUGE06UE+2kXGHfirrospTW2I/i3yS
in7lUNCd4GcX6GZEMKSTSGfTxpq5szoIIU61jOZtGm1NSalBiA7SGIxQ0zGESJ0H
/3avQqaqIr0DZ6LfUCBICEBq5SF/YzI7tsvfKrk/sSwbU3rJL1hOA8MHb5iRcPft
HnIwIU1gTyZCxupGEGBJJ7FrJUlUw0p9FEaxLxwryqdUsCUa5fzYngw7EnW8kij6
UiZedOTMwx6LAUUVLr75y1mhyD4eIWdlIuB3WsiOaiC4ZyvOTEJ+cGpfmw6e8Pwx
Mn01u8cRg3d5wlBAlUK35XT3uplijY2tg3/JEPWPz5QKuapG14N4WEzOopG2LAg6
WdiT4rV9B9rJfX9dOKyv1BJbO+K9nEQYBDQTe4u3tMPpn+uMHsXhdl6m8dQfXjOg
Emv3DPx8zyhwpvbtPmtCFaM7dIKpOVipnJ4+hHecK1FZKYAxaMJwFkfkIXtmjWks
yvF8xFvcWdc+xdtZZIoFY8ofkq9OM/B5n1Qf68ShnJXrdegdIjk=
=X+nD
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYICx3uNLKJtyKPYoAQhtww/+JGN+q7gYUOE3HvM6AQ0uYvT92XRaEdCq
QZ5SJ096Oi298HHJ6jLsCxaduPfANqyK63RPuthN2FFVPbjt3DcJX9obBLDeCySl
ilsa9lGz7u4XdoX+VWl2sPlAF3cQh6t2yLkkdc50iRzimutbu6uf1PPpN63h3L2S
QXbl7iV4hCNkkyz36hL4mMY2nZwQ7ACMxaiiyny5+bdfAWzY10GK+LOBoMQ+q1NF
0595NAe+gfeIS+GRrG9MkIVlGcxJ7CiQP9qB3UYYyuEJ3FH3xxL+BYHY9PDKD027
QWLf1p8te66nlBFMUGuguDjxbwiQ1AfnYz7Tc5CygDeWHdXCqZIlJH4kPSEfTL+W
58bmxmbTzNhmBedI41QhBwMulpNlofFswQJnL35/yzlfzzxmvUf3C7nEHPzYQYLq
W1CrWgbxkHvy4AlJaxBmCYsmjClv8+o8yakIem7pvKtZ/7fhLI+ym1lMN2h1eTJR
xqhVywRZ0A5HNHMS5Q0AHbol8QEWaKDTRPTBhLp3M6C91EkiODlKU3xVlMgoqWBE
wzIpUHDZ+w4P4+T3HLH3EQshe1PK1+0v7VXIXYljz6VpASy0TtQF72qlcUFLwzQ1
1iiJ4TXyBXixxp1w++WKNmVOVtlWom95alszRe8v9LHUDw4UxYQWdVFKWqNVp0ly
enZ80vgWD+4=
=+27G
-----END PGP SIGNATURE-----