Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #826443,
regarding jessie-pu: package zabbix/1:2.2.7+dfsg-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
826443: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826443
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: jessie-pu: package zabbix/1:2.2.7+dfsg-2+deb8u1
- From: Dmitry Smirnov <onlyjob@debian.org>
- Date: Mon, 06 Jun 2016 01:45:09 +1000
- Message-id: <2127059.0gk8eUgMkr@deblab>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Control: affects -1 zabbix

Dear release team,

I'd like to upload a fix for CVE-2016-4338 / ZBX-10741: mysql.size shell command injection in zabbix-agent (Closes: #823329). Diff is attached, please advise if upload is authorised.

Thanks.

--
Best wishes,
 Dmitry Smirnov.

---

Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.
        -- Mahatma Gandhi

Attachment: signature.asc
Description: This is a digitally signed message part.>From 2ffd39e5afbee52833e911f869df975a904b48f1 Mon Sep 17 00:00:00 2001 From: Dmitry Smirnov <onlyjob@member.fsf.org> Date: Sat, 28 May 2016 17:35:08 +1000 Subject: [PATCH] Upstream patch to fix CVE-2016-4338: mysql.size shell command injection in zabbix-agent --- debian/changelog | 7 +++++++ debian/patches/ZBX-10741.patch | 21 +++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 29 insertions(+) create mode 100644 debian/patches/ZBX-10741.patch diff --git a/debian/changelog b/debian/changelog index b5d9188..9e6a32c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +zabbix (1:2.2.7+dfsg-2+deb8u1) stable; urgency=medium + + * CVE-2016-4338 / ZBX-10741: fixed mysql.size shell command injection + in zabbix-agent (Closes: #823329). + + -- Dmitry Smirnov <onlyjob@debian.org> Sat, 28 May 2016 17:04:31 +1000 + zabbix (1:2.2.7+dfsg-2) unstable; urgency=high * CVE-2014-9450 (ZBX-8582) fixed SQL injection vulnerability diff --git a/debian/patches/ZBX-10741.patch b/debian/patches/ZBX-10741.patch new file mode 100644 index 0000000..19b6716 --- /dev/null +++ b/debian/patches/ZBX-10741.patch 
@@ -0,0 +1,21 @@ +Last-Update: 2016-05-09 +Forwarded: not-needed +Origin: upstream, svn://svn.zabbix.com/branches/2.2@59942 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823329 +Bug-Zabbix: https://support.zabbix.com/browse/ZBX-10741 +Description: CVE-2016-4338 fix zabbix-agent/mysql.size shell command injection + enforced bash usage in mysql.size user parameter configuration script to + avoid issues with different default shells + +--- a/conf/zabbix_agentd/userparameter_mysql.conf ++++ b/conf/zabbix_agentd/userparameter_mysql.conf +@@ -11,8 +11,8 @@ + # Type may be "data", "index", "free" or "both". Both is a sum of data and index. Default is "both". + # Database is mandatory if a table is specified. Type may be specified always. + # Returns value in bytes. + # 'sum' on data_length or index_length alone needed when we are getting this information for whole database instead of a single table +-UserParameter=mysql.size[*],echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema='$1'")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name='$2'");" | HOME=/var/lib/zabbix mysql -N ++UserParameter=mysql.size[*],bash -c 'echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema=\"$1\"")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name=\"$2\"");" | HOME=/var/lib/zabbix mysql -N' + + UserParameter=mysql.ping,HOME=/var/lib/zabbix mysqladmin ping | grep -c alive + UserParameter=mysql.version,mysql -V diff --git a/debian/patches/series b/debian/patches/series index 0e81f68..d296cba 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,3 +1,4 @@ +ZBX-10741.patch ZBX-8582.patch config_debianisation.patch config_frontend-conffile-in-etc.patch -- 2.8.1
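Review bot: the quoting change in the debian/patches/ZBX-10741.patch hunk is not explained by its Description header. Besides wrapping the command in `bash -c '...'`, the new UserParameter line replaces the SQL string literals `table_schema='$1'` and `table_name='$2'` with `table_schema=\"$1\"` and `table_name=\"$2\"`; MySQL treats double-quoted strings as identifiers, not literals, when the server runs with sql_mode=ANSI_QUOTES, so on such a server the mysql.size query would compare against a column name or fail instead of filtering by database. The Description should say that the single quotes were swapped for escaped double quotes because the whole command now sits inside a single-quoted bash -c string, so a jessie user whose mysql.size item stops working after the update has the reason on record. The Description's "avoid issues with different default shells" also leaves open what the security property rests on: the agent still substitutes $1, $2 and $3 into the command text before the shell executes it, so the bash wrapper only helps if the agent's own parameter filtering (UnsafeUserParameters at its default of 0) keeps quote and metacharacters out of the item parameters; one sentence stating that dependency would make the stable update easier to assess. While the line is being rewritten anyway, `echo "and table_name=\"$2\""` still lacks the leading space that `echo " where table_schema=\"$1\""` has, so the generated SQL reads `table_schema="db"and table_name="t"`; adding the space costs nothing.

Review bot: in the debian/patches/series hunk, ZBX-10741.patch is prepended before ZBX-8582.patch rather than appended after config_frontend-conffile-in-etc.patch. The usual convention (and what `quilt import` produces) is to append new patches so the series stays in the order they were added and the application order of the existing stack is unchanged. If config_debianisation.patch also touches conf/zabbix_agentd/userparameter_mysql.conf, the order determines which patch's context lines match, so please either move the new entry to the end of the file or state in the changelog why it has to apply first.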
--- End Message ---
--- Begin Message ---
- To: 807654-done@bugs.debian.org, 823794-done@bugs.debian.org, 823911-done@bugs.debian.org, 824658-done@bugs.debian.org, 825512-done@bugs.debian.org, 825534-done@bugs.debian.org, 825699-done@bugs.debian.org, 826335-done@bugs.debian.org, 826348-done@bugs.debian.org, 826429-done@bugs.debian.org, 826443-done@bugs.debian.org, 826568-done@bugs.debian.org, 826607-done@bugs.debian.org, 826622-done@bugs.debian.org, 826662-done@bugs.debian.org, 826714-done@bugs.debian.org, 826829-done@bugs.debian.org, 827046-done@bugs.debian.org, 827054-done@bugs.debian.org, 827058-done@bugs.debian.org, 827111-done@bugs.debian.org, 827113-done@bugs.debian.org, 827288-done@bugs.debian.org, 827299-done@bugs.debian.org, 827352-done@bugs.debian.org, 827781-done@bugs.debian.org, 828177-done@bugs.debian.org, 828227-done@bugs.debian.org, 828630-done@bugs.debian.org, 829130-done@bugs.debian.org, 829135-done@bugs.debian.org, 829603-done@bugs.debian.org, 829650-done@bugs.debian.org, 829735-done@bugs.debian.org, 830221-done@bugs.debian.org, 830805-done@bugs.debian.org, 831335-done@bugs.debian.org, 831426-done@bugs.debian.org, 832004-done@bugs.debian.org, 832171-done@bugs.debian.org, 832296-done@bugs.debian.org, 832336-done@bugs.debian.org, 832477-done@bugs.debian.org, 832517-done@bugs.debian.org, 833345-done@bugs.debian.org, 833421-done@bugs.debian.org, 833433-done@bugs.debian.org, 833550-done@bugs.debian.org, 833575-done@bugs.debian.org, 833595-done@bugs.debian.org, 833634-done@bugs.debian.org, 834261-done@bugs.debian.org, 834326-done@bugs.debian.org, 834327-done@bugs.debian.org, 834419-done@bugs.debian.org, 834479-done@bugs.debian.org, 834480-done@bugs.debian.org, 834482-done@bugs.debian.org, 834483-done@bugs.debian.org, 834484-done@bugs.debian.org, 834745-done@bugs.debian.org, 835443-done@bugs.debian.org, 835444-done@bugs.debian.org, 835537-done@bugs.debian.org, 836157-done@bugs.debian.org, 836592-done@bugs.debian.org, 836700-done@bugs.debian.org, 836787-done@bugs.debian.org, 
836866-done@bugs.debian.org, 836910-done@bugs.debian.org, 837296-done@bugs.debian.org, 837300-done@bugs.debian.org
- Subject: Closing p-u bugs for updates in 8.6
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 17 Sep 2016 13:08:06 +0100
- Message-id: <1474114086.2011.126.camel@adam-barratt.org.uk>
Version: 8.6

The updates referred to in each of these bugs were included in today's stable point release.

Regards,

Adam
--- End Message ---