Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
5cdaf149 by Moritz Muehlenhoff at 2026-02-06T16:31:29+01:00
zabbix triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -147695,6 +147695,7 @@ CVE-2024-32965 (Lobe Chat is an open-source, AI chat
framework. Versions of lobe
CVE-2024-22117 (When a URL is added to the map element, it is recorded in the
database ...)
{DLA-3909-1}
- zabbix 1:7.0.5+dfsg-1
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-25610
NOTE: Fixed by:
https://github.com/zabbix/zabbix/commit/bcf43da8eaaafc03e53845085f5b87d8c858ac81
(7.0.4rc1)
NOTE: Fixed by:
https://github.com/zabbix/zabbix/commit/73d694022cd8e3468d1fdb1dc672e8d0eb9a2fc3
(6.0.34rc1)
@@ -176997,12 +176998,14 @@ CVE-2024-36462 (Uncontrolled resource consumption
refers to a software vulnerabi
CVE-2024-36461 (Within Zabbix, users have the ability to directly modify
memory pointe ...)
{DLA-3909-1}
- zabbix 1:7.0.1+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25018
NOTE: fix:
https://github.com/zabbix/zabbix/commit/9aa4ab73c76a2395769ac1ec88a453a3066f0e79
(7.0.1rc1)
NOTE: fix:
https://github.com/zabbix/zabbix/commit/b370b845cc4683896e65a93fe81f1204ccf62ba5
(6.0.31rc1)
CVE-2024-36460 (The front-end audit log allows viewing of unprotected
plaintext passwo ...)
{DLA-3909-1}
- zabbix 1:7.0.1+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25017
NOTE:
https://github.com/zabbix/zabbix/commit/37028d9ca96ceb39a13ae32f76e6aaa662bc80ea
(7.0.1rc1)
NOTE:
https://github.com/zabbix/zabbix/commit/b5361b6481fb2d4dd1e8d87f214bf8ed07c1d247
(7.0.1rc1)
@@ -177014,6 +177017,7 @@ CVE-2024-32765 (A vulnerability has been reported to
affect Network & Virtual Sw
CVE-2024-22123 (Setting SMS media allows to set GSM modem file. Later this
file is use ...)
{DLA-3909-1}
- zabbix 1:7.0.0+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-25013
NOTE:
https://github.com/zabbix/zabbix/commit/499ac935f60b38992488ff895c06da8bd80d95cc
(7.0.x)
NOTE:
https://github.com/zabbix/zabbix/commit/eb64b83355dae7286821c5237f7ab83038c22367
(6.0.x)
@@ -177021,6 +177025,7 @@ CVE-2024-22123 (Setting SMS media allows to set GSM
modem file. Later this file
CVE-2024-22122 (Zabbix allows to configure SMS notifications. AT command
injection occ ...)
{DLA-3909-1}
- zabbix 1:7.0.0+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-25012
NOTE:
https://github.com/zabbix/zabbix/commit/9923c7dea89e19318621788df07dc7572a2528be
(7.0.0rc3)
NOTE:
https://github.com/zabbix/zabbix/commit/2cd64d3522fe974f21487ce1606d65e10eea7bae
(6.0.31rc1)
@@ -177031,6 +177036,7 @@ CVE-2024-22121 (A non-admin user can change or remove
important features within
CVE-2024-22116 (An administrator with restricted permissions can exploit the
script ex ...)
{DLA-3909-1}
- zabbix 1:7.0.0+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25016
NOTE:
https://github.com/zabbix/zabbix/commit/afb3ab931d59af61e4f974634b85bcbed5a042b2
(7.0.0rc3)
NOTE:
https://github.com/zabbix/zabbix/commit/679e18f172fc1f9a78b19789fbbc52246871ff19
(7.0.1rc1)
@@ -177040,6 +177046,7 @@ CVE-2024-22116 (An administrator with restricted
permissions can exploit the scr
CVE-2024-22114 (User with no permission to any of the Hosts can access and
view host c ...)
{DLA-3909-1}
- zabbix 1:7.0.0+dfsg-1 (bug #1078553)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-25015
NOTE:
https://github.com/zabbix/zabbix/commit/44687a7aa09787db0939cc8bc6ae3178638fc1cf
(7.0.0rc3)
NOTE:
https://github.com/zabbix/zabbix/commit/2c52375e51349a63af7d4620d83077f103dadf91
(6.0.31rc1)
@@ -201579,6 +201586,7 @@ CVE-2024-22139 (Authentication Bypass by Spoofing
vulnerability in Filipe Seabra
NOT-FOR-US: WordPress plugin
CVE-2024-22120 (Zabbix server can perform command execution for configured
scripts. Af ...)
- zabbix 1:6.0.29+dfsg-1 (bug #1072120)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <not-affected> (Vulnerable code introduced later)
[buster] - zabbix <not-affected> (Vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-24505
@@ -232120,6 +232128,7 @@ CVE-2024-23319 (Mattermost Jira Plugin fails to
protect against logout CSRF allo
CVE-2024-22119 (The cause of vulnerability is improper validation of form
input field ...)
{DLA-3909-1 DLA-3798-1}
- zabbix 1:6.0.24+dfsg-1
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-24070
NOTE: Introduced by:
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/d5b73ddafc2b91376c0d74027b5f727cea6f9c29
(4.0.0alpha1)
NOTE: Fixed by:
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aec9ebf575e6c62b5397f267ae5353b121a91262
(6.0.24rc1)
@@ -242328,6 +242337,7 @@ CVE-2023-33214 (Cross-Site Request Forgery (CSRF)
vulnerability in Tagbox Tagbox
NOT-FOR-US: WordPress plugin
CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize
its param ...)
- zabbix 1:6.0.24+dfsg-1
+ [bookworm] - zabbix <no-dsa> (Minor issue)
[bullseye] - zabbix <not-affected> (Vulnerable code introduced later)
[buster] - zabbix <not-affected> (Vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-23858
@@ -242343,6 +242353,7 @@ CVE-2023-32728 (The Zabbix Agent 2 item key
smart.disk.get does not sanitize its
CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items
can use fu ...)
{DLA-3909-1}
- zabbix 1:6.0.23+dfsg-1
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
[buster] - zabbix <not-affected> (Vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-23857
NOTE:
https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34
(6.0.23rc1)
@@ -242351,10 +242362,12 @@ CVE-2023-32727 (An attacker who has the privilege
to configure Zabbix items can
CVE-2023-32726 (The vulnerability is caused by improper check for check if
RDLENGTH do ...)
{DLA-3909-1 DLA-3717-1}
- zabbix 1:6.0.24+dfsg-1
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-23855
NOTE:
https://github.com/zabbix/zabbix/commit/53ef2b7119f57f4140e6bd9c5cd2d3c6af228179
(6.0.24rc1)
CVE-2023-32725 (The website configured in the URL widget will receive a
session cookie ...)
- zabbix 1:6.0.23+dfsg-1
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <not-affected> (Vulnerable code not present)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-23854
@@ -254400,6 +254413,7 @@ CVE-2023-3781 (there is a possible use-after-free
write due to improper locking.
CVE-2023-32724 (Memory pointer is in a property of the Ducktape object. This
leads to ...)
{DLA-3909-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1053877)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-23391
NOTE:
https://github.com/zabbix/zabbix/commit/7266d0ac709b68ccb4d69d28253488670b8b4eb7
(release/5.0)
@@ -280763,7 +280777,7 @@ CVE-2023-29457 (Reflected XSS attacks, occur when a
malicious script is reflecte
CVE-2023-29456 (URL validation scheme receives input from a user and then
parses it to ...)
{DLA-3909-1 DLA-3538-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-22987
CVE-2023-29455 (Reflected XSS attacks, also known as non-persistent attacks,
occur whe ...)
{DLA-3909-1 DLA-3538-1}
@@ -280781,7 +280795,7 @@ CVE-2023-29453 (Templates do not properly consider
backticks (`) as Javascript s
NOTE: Zabbix in bullseye does not build the GO Agent2.
CVE-2023-29452 (Currently, geomap configuration (Administration -> General ->
Geograph ...)
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <not-affected> (vulnerable code introduced later)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-22981
@@ -280796,14 +280810,14 @@ CVE-2023-29451 (Specially crafted string can cause
a buffer overrun in the JSON
CVE-2023-29450 (JavaScript pre-processing can be used by the attacker to gain
access t ...)
{DLA-3909-1 DLA-3538-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-22588
NOTE: Patch for 5.0.32rc1:
https://github.com/zabbix/zabbix/commit/c3f1543e4
NOTE: Patch for 6.0.14rc2:
https://github.com/zabbix/zabbix/commit/76f6a80cb
CVE-2023-29449 (JavaScript preprocessing, webhooks and global scripts can
cause uncont ...)
{DLA-3909-1}
- zabbix 1:6.0.23+dfsg-1 (bug #1055175)
- [bookworm] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
[buster] - zabbix <not-affected> (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-22589
NOTE: Upstream patch for 5.0.32:
https://github.com/zabbix/zabbix/commit/e90b8a3c62
=====================================
data/dsa-needed.txt
=====================================
@@ -87,5 +87,3 @@ wireshark (jmm)
--
xrdp (carnil)
---
-zabbix/oldstable
---
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cdaf14974ff4e1e7353e2898412680848d308b1
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cdaf14974ff4e1e7353e2898412680848d308b1
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
