Your message dated Fri, 14 Feb 2014 09:21:40 +0000
with message-id <e1weexo-0007mq...@franck.debian.org>
and subject line Bug#737818: fixed in zabbix 1:2.2.2+dfsg-1
has caused the Debian Bug report #737818,
regarding zabbix: CVE-2014-1682: API issue allows users to impersonate other users
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
737818: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737818
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: zabbix
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for zabbix.

CVE-2014-1682[0]:
API issue allows users to impersonate other users

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1682
    http://security-tracker.debian.org/tracker/CVE-2014-1682
[1] https://support.zabbix.com/browse/ZBX-7703

Could you check if Debian is affected and adjust the affected
versions?

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: zabbix
Source-Version: 1:2.2.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <only...@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 13 Feb 2014 21:57:26 +1100
Source: zabbix
Binary: zabbix-agent zabbix-frontend-php zabbix-java-gateway zabbix-proxy-mysql zabbix-proxy-pgsql zabbix-proxy-sqlite3 zabbix-server-mysql zabbix-server-pgsql
Architecture: source amd64 all
Version: 1:2.2.2+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Christoph Haas <h...@debian.org>
Changed-By: Dmitry Smirnov <only...@debian.org>
Description: 
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-java-gateway - network monitoring solution - Java gateway
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-proxy-sqlite3 - network monitoring solution - proxy (using SQLite3)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 737818
Changes: 
 zabbix (1:2.2.2+dfsg-1) unstable; urgency=high
 .
   * New upstream release [February 2014].
     + CVE-2014-1682 (ZBX-7703) fixed vulnerability allowing to impersonate
       other users without proper credentials when using HTTP authentication
       (Closes: #737818).
     + CVE-2013-5572 (ZBX-6721) fixed LDAP authentication.
     + CVE-2014-1685 (ZBX-7693) restrict admin's ability to update media
       for other users.
   * Dropped "build_modernise-automake.patch" (applied-upstream).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
