Bug#922724: Lots of security issues

[Moritz Muehlenhoff]

Source: zoneminder
Severity: grave
Tags: security

Please see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8429
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8428
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8427
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8425
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8424
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8423
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7352
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7350
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7348
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7347
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7346
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7345
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7344
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7343
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7342
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7341
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7340
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7339
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7338
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7337
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7335
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7334
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7333
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7331
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7329
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7327
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7326
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7325

We should generally restrict the level of security support to something
sensible. A video surveillance systems is obviously something
that only should be exposed to trusted parties anyway, so I'd suggest
we treat zoneminder similar to e.g. ganglia (#702775), i.e.
- add a note to debian-security-support so that it flags the status
  of it
- Add a short README.Debian.security (or similar to document it also
  within the package)

Cheers,
        Moritz