Debian Package Tracker

general

source: zabbix (main)
version: 1:5.0.0+dfsg-1
maintainer: Dmitry Smirnov (DMD)
uploaders: Christoph Haas [DMD]
arch: all any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:2.2.7+dfsg-2+deb8u3
o-o-sec: 1:2.2.23+dfsg-0+deb8u1
oldstable: 1:3.0.7+dfsg-3
old-bpo: 1:4.0.3+dfsg-2~bpo9+1
stable: 1:4.0.4+dfsg-1
stable-bpo: 1:5.0.0+dfsg-1~bpo10+1
testing: 1:5.0.0+dfsg-1
unstable: 1:5.0.0+dfsg-1

versioned links

1:2.2.7+dfsg-2+deb8u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.2.23+dfsg-0+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:3.0.7+dfsg-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.0.3+dfsg-2~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.0.4+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:5.0.0+dfsg-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:5.0.0+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

zabbix-agent (2 bugs: 0, 1, 1, 0)
zabbix-frontend-php (3 bugs: 0, 2, 1, 0)
zabbix-java-gateway
zabbix-proxy-mysql (1 bugs: 0, 0, 1, 0)
zabbix-proxy-pgsql
zabbix-proxy-sqlite3
zabbix-server-mysql (2 bugs: 0, 0, 2, 0)
zabbix-server-pgsql

action needed

A new upstream version is available: 5.0.1 high

A new upstream version 5.0.1 is available, you should consider packaging it.

Created: 2020-05-26 Last update: 2020-05-26 17:02

4 security issues in bullseye high

There are 4 open security issues in bullseye.

4 important issues:

CVE-2019-15132: Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
CVE-2017-2826: An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability.
CVE-2019-17382: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
CVE-2013-7484: Zabbix before 5.0 represents passwords in the users table with unsalted MD5.

Please fix them.

Created: 2019-07-07 Last update: 2020-05-19 08:30

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2019-15132: Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
CVE-2017-2826: An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability.
CVE-2019-17382: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
CVE-2013-7484: Zabbix before 5.0 represents passwords in the users table with unsalted MD5.

Please fix them.

Created: 2018-04-19 Last update: 2020-05-19 08:30

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-09-11 Last update: 2020-05-26 17:07

Depends on packages which need a new maintainer normal

The packages that zabbix depends on which need a new maintainer are:

prototypejs (#863697)
- Build-Depends: libjs-prototype

Created: 2019-11-22 Last update: 2020-05-26 17:06

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1:5.0.1+dfsg-1, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

https://salsa.debian.org/api/v4/projects/debian%2Fzabbix/pipelines?scope=finished&per_page=1 API request failed: 403 Forbidden at /srv/qa.debian.org/data/vcswatch/vcswatch line 402.

Created: 2020-05-26 Last update: 2020-05-26 16:35

4 ignored security issues in buster low

There are 4 open security issues in buster.

4 issues skipped by the security teams:

CVE-2019-15132: Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
CVE-2017-2826: An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability.
CVE-2019-17382: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
CVE-2013-7484: Zabbix before 5.0 represents passwords in the users table with unsalted MD5.

Please fix them.

Created: 2018-04-19 Last update: 2020-05-19 08:30

3 ignored security issues in jessie low

There are 3 open security issues in jessie.

3 issues skipped by the security teams:

CVE-2019-15132: Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
CVE-2019-17382: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
CVE-2013-7484: Zabbix before 5.0 represents passwords in the users table with unsalted MD5.

Please fix them.

Created: 2019-08-18 Last update: 2020-05-19 08:30

5 ignored security issues in stretch low

There are 5 open security issues in stretch.

5 issues skipped by the security teams:

CVE-2019-15132: Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
CVE-2017-2826: An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability.
CVE-2019-17382: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
CVE-2016-10742: Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter.
CVE-2013-7484: Zabbix before 5.0 represents passwords in the users table with unsalted MD5.

Please fix them.

Created: 2018-04-13 Last update: 2020-05-19 08:30

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2020-05-14 Last update: 2020-05-14 14:03

news

[rss feed]

[2020-05-26] Accepted zabbix 1:5.0.1+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-05-19] zabbix 1:5.0.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-05-19] Accepted zabbix 1:5.0.0+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2020-05-14] Accepted zabbix 1:5.0.0+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-04-11] zabbix 1:4.0.19+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-04-06] Accepted zabbix 1:4.0.19+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-03-04] zabbix 1:4.0.18+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-03-04] Accepted zabbix 1:4.0.18+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2020-02-28] Accepted zabbix 1:4.0.18+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-02-09] zabbix 1:4.0.17+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-02-04] Accepted zabbix 1:4.0.17+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2019-12-29] Accepted zabbix 1:4.0.16+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2019-12-29] zabbix 1:4.0.16+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-12-24] Accepted zabbix 1:4.0.16+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2019-12-24] Accepted zabbix 1:4.0.15+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2019-12-06] zabbix 1:4.0.15+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-12-02] Accepted zabbix 1:4.0.14+dfsg-1~bpo10+1 (source amd64 all) into buster-backports, buster-backports (Dmitry Smirnov)
[2019-11-29] Accepted zabbix 1:4.0.15+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2019-11-22] zabbix 1:4.0.14+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-11-17] Accepted zabbix 1:4.0.14+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2019-09-04] zabbix 1:4.0.11+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-08-30] Accepted zabbix 1:4.0.11+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2019-03-11] Accepted zabbix 1:2.2.23+dfsg-0+deb8u1 (source amd64 all) into oldstable (Markus Koschany)
[2019-02-11] zabbix 1:4.0.4+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-02-06] Accepted zabbix 1:4.0.4+dfsg-1 (source amd64 all) into unstable (Dmitry Smirnov)
[2019-01-22] zabbix 1:4.0.3+dfsg-2 MIGRATED to testing (Debian testing watch)
[2019-01-22] Accepted zabbix 1:4.0.3+dfsg-2~bpo9+1 (source amd64 all) into stretch-backports (Dmitry Smirnov)
[2019-01-17] Accepted zabbix 1:4.0.3+dfsg-2 (source amd64 all) into unstable (Dmitry Smirnov)
[2018-12-31] zabbix 1:4.0.3+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-12-24] Accepted zabbix 1:4.0.3+dfsg-1 (source amd64 all) into unstable (Dmitry Smirnov)

bugs [bug history graph]

all: 11
RC: 0
I&N: 4
M&W: 7
F&P: 0
patch: 0

links

homepage
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
l10n (-, 60)

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:5.0.0+dfsg-1
70 bugs (1 patch)