Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Affects: -1 zabbix X-Debbugs-CC: jmm@debian.org Please unblock zabbix/1:3.0.7+dfsg-3 I would like the two attached diffs to be accepted into Stretch. One fixes the non-functional web UI (broken by an incompatible libjs-jquery) and the other fixes two security vulnerabilities, as per #863584. Thanks. -- All the best, Dmitry Smirnov.
diff --git a/debian/changelog b/debian/changelog
index d570c6d..755bc59 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium
+
+ * Frontend-PHP: switch to private jQuery (Closes: #857287).
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Sun, 21 May 2017 13:56:56 +1000
+
zabbix (1:3.0.7+dfsg-1) unstable; urgency=medium
* New upstream release [December 2016].
diff --git a/debian/control b/debian/control
index d989f84..c0f275f 100644
--- a/debian/control
+++ b/debian/control
@@ -21,7 +21,7 @@ Build-Depends: debhelper (>= 9), automake, dh-autoreconf, dh-systemd (>= 1.5), d
## dh-linktree:
,libjs-prototype
,libjs-jquery-ui (>= 1.10.1)
- ,libjs-jquery (>= 1.10.1)
+# ,libjs-jquery (>= 1.10.1)
## java-gateway deps:
,javahelper
Build-Depends-Indep: default-jdk
diff --git a/debian/zabbix-frontend-php.linktrees b/debian/zabbix-frontend-php.linktrees
index 7308d0c..9dc6cc8 100644
--- a/debian/zabbix-frontend-php.linktrees
+++ b/debian/zabbix-frontend-php.linktrees
@@ -4,5 +4,5 @@ replace /usr/share/javascript/prototype/prototype.js /usr/share/zabbix/js/vend
## libjs-jquery-ui (1.10.1 vs 1.10.3)
replace /usr/share/javascript/jquery-ui/jquery-ui.js /usr/share/zabbix/js/vendors/jquery-ui.js
-## libjs-jquery (1.11.3 vs 1.10.2)
-replace /usr/share/javascript/jquery/jquery.js /usr/share/zabbix/js/vendors/jquery.js
+## libjs-jquery (3.1.1 vs 1.10.2)
+#replace /usr/share/javascript/jquery/jquery.js /usr/share/zabbix/js/vendors/jquery.js
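Review bot: Disabling the `replace` line means zabbix-frontend-php now serves its own bundled jquery.js (1.10.2, per the updated comment) instead of the system libjs-jquery, so jQuery security fixes shipped through libjs-jquery no longer reach this package and the bundled copy has to be tracked separately. The comment should say so rather than only recording the version pair, e.g. `## libjs-jquery (3.1.1 vs 1.10.2): the frontend is incompatible with jQuery 3.x (#857287), so the bundled 1.10.2 copy is used; it must be tracked for jQuery security fixes.` Whether a runtime Depends on libjs-jquery also needs adjusting cannot be seen from the control hunk shown, which only comments out the Build-Depends entry.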
diff --git a/debian/changelog b/debian/changelog
index 755bc59..d1c4c64 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+zabbix (1:3.0.7+dfsg-3) unstable; urgency=high
+
+ * CVE-2017-2824, CVE-2017-2825: new upstream patches
+ "ZBX-12075_r67082.patch", "ZBX-12075_r67270.patch" (Closes: #863584).
+
+ -- Dmitry Smirnov <onlyjob@debian.org> Sun, 04 Jun 2017 17:14:06 +1000
+
zabbix (1:3.0.7+dfsg-2) unstable; urgency=medium
* Frontend-PHP: switch to private jQuery (Closes: #857287).
diff --git a/debian/patches/ZBX-12075_r67082.patch b/debian/patches/ZBX-12075_r67082.patch
new file mode 100644
index 0000000..59bf622
--- /dev/null
+++ b/debian/patches/ZBX-12075_r67082.patch
@@ -0,0 +1,44 @@
+Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075
+From 089f0d90b3d94c577263e8bdfe08ce3f33f9e178 Mon Sep 17 00:00:00 2001
+Origin: upstream
+Date: Wed, 5 Apr 2017 15:31:59 +0000
+Subject: [DEV-567] added validation of discovered host IP addresses
+
+--- a/src/libs/zbxcommon/misc.c
++++ b/src/libs/zbxcommon/misc.c
+@@ -1872,17 +1872,9 @@
+ * *
+ ******************************************************************************/
+ int is_ip(const char *ip)
+ {
+- zabbix_log(LOG_LEVEL_DEBUG, "In is_ip() ip:'%s'", ip);
+-
+- if (SUCCEED == is_ip4(ip))
+- return SUCCEED;
+-#if defined(HAVE_IPV6)
+- if (SUCCEED == is_ip6(ip))
+- return SUCCEED;
+-#endif
+- return FAIL;
++ return SUCCEED == is_ip4(ip) ? SUCCEED : is_ip6(ip);
+ }
+
+ /******************************************************************************
+ * *
+--- a/src/libs/zbxdbhigh/proxy.c
++++ b/src/libs/zbxdbhigh/proxy.c
+@@ -2561,8 +2561,14 @@
+
+ if (FAIL == zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_IP, ip, sizeof(ip)))
+ goto json_parse_error;
+
++ if (SUCCEED != is_ip(ip))
++ {
++ zabbix_log(LOG_LEVEL_DEBUG, "\"%s\" is not a valid IP address", ip);
++ goto next;
++ }
++
+ if (SUCCEED == zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_PORT, tmp, sizeof(tmp)))
+ port = atoi(tmp);
+
+ zbx_json_value_by_name(&jp_row, ZBX_PROTO_TAG_KEY, key_, sizeof(key_));
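Review bot: The rewritten `is_ip()` in the misc.c hunk now calls `is_ip6()` unconditionally, whereas the removed body only did so under `HAVE_IPV6`; the `#endif /*HAVE_IPV6*/` context visible just before `is_supported_ip` in the companion patch suggests `is_ip6()` is only compiled with IPv6 support, in which case a non-IPv6 build would hit an undeclared function — worth confirming whether the upstream commit also unguarded `is_ip6()` and that hunk was dropped when the patch was extracted. Separately, in the proxy.c hunk a discovery row carrying a malformed IP is skipped with only a `LOG_LEVEL_DEBUG` message, so crafted data from a proxy is silently discarded; logging it at a level operators actually see, e.g. `zabbix_log(LOG_LEVEL_WARNING, "\"%s\" is not a valid IP address, discovery data ignored", ip);`, would make the condition visible, at the cost of deviating from the upstream patch. The enclosing function in proxy.c starts and ends outside the hunk.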
diff --git a/debian/patches/ZBX-12075_r67270.patch b/debian/patches/ZBX-12075_r67270.patch
new file mode 100644
index 0000000..10a403c
--- /dev/null
+++ b/debian/patches/ZBX-12075_r67270.patch
@@ -0,0 +1,93 @@
+Bug-Upstream: https://support.zabbix.com/browse/ZBX-12075
+From 17a159950db846a1c6365027c647b25a4bb02b94 Mon Sep 17 00:00:00 2001
+Origin: upstream
+Date: Wed, 12 Apr 2017 06:17:40 +0000
+Subject: [DEV-567] resurrected old IP check function to check SourceIP config file parameter taking into account IPv6 support enabled/disabled at compile time
+
+--- a/include/common.h
++++ b/include/common.h
+@@ -981,8 +981,9 @@
+ #ifdef HAVE_IPV6
+ int is_ip6(const char *ip);
+ #endif
+ int is_ip4(const char *ip);
++int is_supported_ip(const char *ip);
+ int is_ip(const char *ip);
+
+ void zbx_on_exit(void); /* calls exit() at the end! */
+
+--- a/src/libs/zbxcommon/misc.c
++++ b/src/libs/zbxcommon/misc.c
+@@ -1858,8 +1858,33 @@
+ #endif /*HAVE_IPV6*/
+
+ /******************************************************************************
+ * *
++ * Function: is_supported_ip *
++ * *
++ * Purpose: is string IP address of supported version *
++ * *
++ * Parameters: ip - string *
++ * *
++ * Return value: SUCCEED - is IP address *
++ * FAIL - otherwise *
++ * *
++ * Author: Alexander Vladishev *
++ * *
++ ******************************************************************************/
++int is_supported_ip(const char *ip)
++{
++ if (SUCCEED == is_ip4(ip))
++ return SUCCEED;
++#ifdef HAVE_IPV6
++ if (SUCCEED == is_ip6(ip))
++ return SUCCEED;
++#endif
++ return FAIL;
++}
++
++/******************************************************************************
++ * *
+ * Function: is_ip *
+ * *
+ * Purpose: is string IP address *
+ * *
+--- a/src/zabbix_agent/zabbix_agentd.c
++++ b/src/zabbix_agent/zabbix_agentd.c
+@@ -573,9 +573,9 @@
+ zabbix_log(LOG_LEVEL_CRIT, "either active or passive checks must be enabled");
+ err = 1;
+ }
+
+- if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP)))
++ if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP))
+ {
+ zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" configuration parameter: '%s'", CONFIG_SOURCE_IP);
+ err = 1;
+ }
+--- a/src/zabbix_proxy/proxy.c
++++ b/src/zabbix_proxy/proxy.c
+@@ -472,9 +472,9 @@
+ " This parameter is mandatory for active proxies.");
+ err = 1;
+ }
+
+- if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP)))
++ if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP))
+ {
+ zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" configuration parameter: '%s'", CONFIG_SOURCE_IP);
+ err = 1;
+ }
+--- a/src/zabbix_server/server.c
++++ b/src/zabbix_server/server.c
+@@ -437,9 +437,9 @@
+ " or greater than 128KB");
+ err = 1;
+ }
+
+- if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_ip(CONFIG_SOURCE_IP)))
++ if (NULL != CONFIG_SOURCE_IP && SUCCEED != is_supported_ip(CONFIG_SOURCE_IP))
+ {
+ zabbix_log(LOG_LEVEL_CRIT, "invalid \"SourceIP\" configuration parameter: '%s'", CONFIG_SOURCE_IP);
+ err = 1;
+ }
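Review bot: The three SourceIP checks drop the explicit `'\0' == *CONFIG_SOURCE_IP` test, so rejecting an empty `SourceIP=` now depends on `is_ip4()`/`is_ip6()` failing on "", which is not visible here; either confirm that or keep the explicit test, e.g. `if (NULL != CONFIG_SOURCE_IP && ('\0' == *CONFIG_SOURCE_IP || SUCCEED != is_supported_ip(CONFIG_SOURCE_IP)))`. The new `is_supported_ip()` header comment should also state how it differs from `is_ip()`, since the two are easy to confuse: something like "unlike is_ip(), rejects IPv6 literals when built without HAVE_IPV6; use it for configuration values the daemon must bind to on this host, and is_ip() for data that only needs to be syntactically an address". The enclosing daemon config-validation functions start and end outside the hunks.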
diff --git a/debian/patches/series b/debian/patches/series
index 72e0c30..2863da6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
+ZBX-12075_r67082.patch
+ZBX-12075_r67270.patch
config_debianisation.patch
config_frontend-conffile-in-etc.patch
gettext.patch