Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Affects: -1 zabbix
X-Debbugs-CC: jmm@debian.org

Please unblock zabbix/1:3.0.7+dfsg-3

I would like to accommodate two attached diffs to Stretch please. One fixes the dysfunctional UI (broken by incompatible libjs-jquery) and another fixes two security vulnerabilities as per #863584.

Thanks.

--
All the best,
Dmitry Smirnov.
diff --git a/debian/changelog b/debian/changelog index d570c6d..755bc59 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium + + * Frontend-PHP: switch to private jQuery (Closes: #857287). + + -- Dmitry Smirnov <onlyjob@debian.org> Sun, 21 May 2017 13:56:56 +1000 + zabbix (1:3.0.7+dfsg-1) unstable; urgency=medium * New upstream release [December 2016]. diff --git a/debian/control b/debian/control index d989f84..c0f275f 100644 --- a/debian/control +++ b/debian/control @@ -21,7 +21,7 @@ Build-Depends: debhelper (>= 9), automake, dh-autoreconf, dh-systemd (>= 1.5), d ## dh-linktree: ,libjs-prototype ,libjs-jquery-ui (>= 1.10.1) - ,libjs-jquery (>= 1.10.1) +# ,libjs-jquery (>= 1.10.1) ## java-gateway deps: ,javahelper Build-Depends-Indep: default-jdk diff --git a/debian/zabbix-frontend-php.linktrees b/debian/zabbix-frontend-php.linktrees index 7308d0c..9dc6cc8 100644 --- a/debian/zabbix-frontend-php.linktrees +++ b/debian/zabbix-frontend-php.linktrees @@ -4,5 +4,5 @@ replace /usr/share/javascript/prototype/prototype.js /usr/share/zabbix/js/vend ## libjs-jquery-ui (1.10.1 vs 1.10.3) replace /usr/share/javascript/jquery-ui/jquery-ui.js /usr/share/zabbix/js/vendors/jquery-ui.js -## libjs-jquery (1.11.3 vs 1.10.2) -replace /usr/share/javascript/jquery/jquery.js /usr/share/zabbix/js/vendors/jquery.js +## libjs-jquery (3.1.1 vs 1.10.2) +#replace /usr/share/javascript/jquery/jquery.js /usr/share/zabbix/js/vendors/jquery.js
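Review bot: switching to the private jQuery copy removes the linktree that kept /usr/share/zabbix/js/vendors/jquery.js pointing at the system libjs-jquery, so the bundled 1.10.2 copy (the linktrees comment records the mismatch as "libjs-jquery (3.1.1 vs 1.10.2)") will no longer pick up fixes shipped through libjs-jquery; please record in the changelog entry or README.Debian that js/vendors/jquery.js is now an embedded copy so the security team can track it for Stretch. Minor: both the Build-Depends line and the linktrees "replace" line are commented out rather than deleted; deleting them avoids leaving dead entries that look like they are still active.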
diff --git a/debian/changelog b/debian/changelog index 755bc59..d1c4c64 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +zabbix (1:3.0.7+dfsg-3) unstable; urgency=high + + * CVE-2017-2824, CVE-2017-2825: new upstream patches + "ZBX-12075_r67082.patch", "ZBX-12075_r67270.patch" (Closes: #863584). + + -- Dmitry Smirnov <onlyjob@debian.org> Sun, 04 Jun 2017 17:14:06 +1000 + zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium * Frontend-PHP: switch to private jQuery (Closes: #857287). diff --git a/debian/patches/ZBX-12075_r67082.patch b/debian/patches/ZBX-12075_r67082.patch new file mode 100644 index 0000000..59bf622 --- /dev/null +++ b/debian/patches/ZBX-12075_r67082.patch 
@@ -0,0 +1,44 @@ +Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075 +From 089f0d90b3d94c577263e8bdfe08ce3f33f9e178 Mon Sep 17 00:00:00 2001 +Origin: upstream +Date: Wed, 5 Apr 2017 15:31:59 +0000 +Subject: [DEV-567] added validation of discovered host IP addresses + +--- a/src/libs/zbxcommon/misc.c ++++ b/src/libs/zbxcommon/misc.c +@@ -1872,17 +1872,9 @@ + * * + ******************************************************************************/ + int is_ip(const char *ip) + { +- zabbix_log(LOG_LEVEL_DEBUG, "In is_ip() ip:'%s'", ip); +- +- if (SUCCEED == is_ip4(ip)) +- return SUCCEED; +-#if defined(HAVE_IPV6) +- if (SUCCEED == is_ip6(ip)) +- return SUCCEED; +-#endif +- return FAIL; ++ return SUCCEED == is_ip4(ip) ? SUCCEED : is_ip6(ip); + } + + /****************************************************************************** + * * +--- a/src/libs/zbxdbhigh/proxy.c ++++ b/src/libs/zbxdbhigh/proxy.c +@@ -2561,8 +2561,14 @@ + + if (FAIL == zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_IP, ip, sizeof(ip))) + goto json_parse_error; + ++ if (SUCCEED != is_ip(ip)) ++ { ++ zabbix_log(LOG_LEVEL_DEBUG, "\"%s\" is not a valid IP address", ip); ++ goto next; ++ } ++ + if (SUCCEED == zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_PORT, tmp, sizeof(tmp))) + port = atoi(tmp); + + zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_KEY, key_, sizeof(key_)); diff --git a/debian/patches/ZBX-12075_r67270.patch b/debian/patches/ZBX-12075_r67270.patch new file mode 100644 index 0000000..10a403c --- /dev/null +++ b/debian/patches/ZBX-12075_r67270.patch 
@@ -0,0 +1,93 @@ +Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075 +From 17a159950db846a1c6365027c647b25a4bb02b94 Mon Sep 17 00:00:00 2001 +Origin: upstream +Date: Wed, 12 Apr 2017 06:17:40 +0000 +Subject: [DEV-567] resurrected old IP check function to check SourceIP config file parameter taking into account IPv6 support enabled/disabled at compile time + +--- a/include/common.h ++++ b/include/common.h +@@ -981,8 +981,9 @@ + #ifdef HAVE_IPV6 + int is_ip6(const char *ip); + #endif + int is_ip4(const char *ip); ++int is_supported_ip(const char *ip); + int is_ip(const char *ip); + + void zbx_on_exit(void); /* calls exit() at the end! */ + +--- a/src/libs/zbxcommon/misc.c ++++ b/src/libs/zbxcommon/misc.c +@@ -1858,8 +1858,33 @@ + #endif /*HAVE_IPV6*/ + + /****************************************************************************** + * * ++ * Function: is_supported_ip * ++ * * ++ * Purpose: is string IP address of supported version * ++ * * ++ * Parameters: ip - string * ++ * * ++ * Return value: SUCCEED - is IP address * ++ * FAIL - otherwise * ++ * * ++ * Author: Alexander Vladishev * ++ * * ++ ******************************************************************************/ ++int is_supported_ip(const char *ip) ++{ ++ if (SUCCEED == is_ip4(ip)) ++ return SUCCEED; ++#ifdef HAVE_IPV6 ++ if (SUCCEED == is_ip6(ip)) ++ return SUCCEED; ++#endif ++ return FAIL; ++} ++ ++/****************************************************************************** ++ * * + * Function: is_ip * + * * + * Purpose: is string IP address * + * * +--- a/src/zabbix_agent/zabbix_agentd.c ++++ b/src/zabbix_agent/zabbix_agentd.c +@@ -573,9 +573,9 @@ + zabbix_log(LOG_LEVEL_CRIT, "either active or passive checks must be enabled"); + err = 1; + } + +- if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP))) ++ if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP)) + { + zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" 
configuration parameter: '%s'", CONFIG_SOURCE_IP); + err = 1; + } +--- a/src/zabbix_proxy/proxy.c ++++ b/src/zabbix_proxy/proxy.c +@@ -472,9 +472,9 @@ + " This parameter is mandatory for active proxies."); + err = 1; + } + +- if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP))) ++ if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP)) + { + zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" configuration parameter: '%s'", CONFIG_SOURCE_IP); + err = 1; + } +--- a/src/zabbix_server/server.c ++++ b/src/zabbix_server/server.c +@@ -437,9 +437,9 @@ + " or greater than 128KB"); + err = 1; + } + +- if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP))) ++ if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP)) + { + zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" configuration parameter: '%s'", CONFIG_SOURCE_IP); + err = 1; + } diff --git a/debian/patches/series b/debian/patches/series index 72e0c30..2863da6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,5 @@ +ZBX-12075_r67082.patch +ZBX-12075_r67270.patch config_debianisation.patch config_frontend-conffile-in-etc.patch gettext.patch
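Review bot: the rewritten is_ip() body in ZBX-12075_r67082.patch, "return SUCCEED == is_ip4(ip) ? SUCCEED : is_ip6(ip);", calls is_ip6() unconditionally, whereas the removed lines guarded that call with "#if defined(HAVE_IPV6)" and the include/common.h hunk in ZBX-12075_r67270.patch declares is_ip6() only under "#ifdef HAVE_IPV6"; the second patch compensates for the SourceIP checks by adding is_supported_ip(), but the discovery path in src/libs/zbxdbhigh/proxy.c still calls is_ip(), so please confirm the Stretch build defines HAVE_IPV6 (or that is_ip6() is available without it), otherwise that configuration would fail to compile.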
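Review bot: in the src/libs/zbxdbhigh/proxy.c hunk of ZBX-12075_r67082.patch a rejected discovery entry is logged only at LOG_LEVEL_DEBUG ("\"%s\" is not a valid IP address") before "goto next", so with the default log level an operator gets no trace that proxy-supplied data was discarded; since this check is the fix for CVE-2017-2824 and CVE-2017-2825, consider logging the rejection at warning level so a misbehaving or untrusted proxy is visible in the server log, and note in the changelog that invalid entries are skipped individually rather than the whole message being refused.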
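Review bot: the three SourceIP hunks in ZBX-12075_r67270.patch (zabbix_agentd.c, proxy.c, server.c) replace "('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP))" with "SUCCEED != is_supported_ip(CONFIG_SOURCE_IP)", dropping the explicit empty-string test; this is only equivalent if is_ip4("") and is_ip6("") both return FAIL, so please confirm that an empty SourceIP is still rejected with the "invalid \"SourceIP\" configuration parameter" error rather than silently accepted.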