[SECURITY] [DLA 4131-1] zabbix security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4131-1] zabbix security update
From: Tobias Frost <tobi@debian.org>
Date: Sat, 19 Apr 2025 16:14:41 +0200
Message-id: <[🔎] aAOv0SQpAzPh1zN2@isildor2.loewenhoehle.ip>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4131-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
April 19, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : zabbix
Version        : 1:5.0.46+dfsg-1+deb11u1
CVE ID         : CVE-2024-36469 CVE-2024-42325 CVE-2024-45699 CVE-2024-45700
Debian Bug     : 

Several security vulnerabilities have been discovered in zabbix, a
network monitoring solution, potentially among other effects allowing
denial of service, information disclosure or remote code inclusion.

CVE-2024-36469

    Execution time for an unsuccessful login differs when using a
    non-existing username compared to using an existing one.

CVE-2024-42325

    Zabbix API user.get returns all users that share common group with the
    calling user. This includes media and other information, such as login
    attempts, etc.

CVE-2024-45699

    The endpoint /zabbix.php?action=export.valuemaps suffers from a
    Cross-Site Scripting vulnerability via the backurl parameter. This is
    caused by the reflection of user-supplied data without appropriate HTML
    escaping or output encoding. As a result, a JavaScript payload may be
    injected into the above endpoint causing it to be executed within the
    context of the victim's browser.

CVE-2024-45700

    Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled
    resource exhaustion. An attacker can send specially crafted requests to
    the server, which will cause the server to allocate an excessive amount
    of memory and perform CPU-intensive decompression operations, ultimately
    leading to a service crash.
    
For Debian 11 bullseye, these problems have been fixed in version
1:5.0.46+dfsg-1+deb11u1.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 4130-1] shadow security update
Next by Date: [SECURITY] [DLA 4132-1] erlang security update
Previous by thread: [SECURITY] [DLA 4130-1] shadow security update
Next by thread: [SECURITY] [DLA 4132-1] erlang security update
Index(es):
- Date
- Thread