zabbix - Debian Package Tracker

general

source: zabbix (main)
version: 1:5.0.8+dfsg-1
maintainer: Dmitry Smirnov (DMD)
uploaders: Christoph Haas [DMD]
arch: all any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1:3.0.7+dfsg-3
old-sec: 1:3.0.32+dfsg-0+deb9u1
old-bpo: 1:4.0.3+dfsg-2~bpo9+1
stable: 1:4.0.4+dfsg-1
stable-bpo: 1:5.0.8+dfsg-1~bpo10+1
testing: 1:5.0.8+dfsg-1
unstable: 1:5.0.8+dfsg-1

versioned links

1:3.0.7+dfsg-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:3.0.32+dfsg-0+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.0.3+dfsg-2~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.0.4+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:5.0.8+dfsg-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:5.0.8+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

zabbix-agent (3 bugs: 0, 1, 2, 0)
zabbix-frontend-php (3 bugs: 0, 2, 1, 0)
zabbix-java-gateway
zabbix-proxy-mysql (1 bugs: 0, 0, 1, 0)
zabbix-proxy-pgsql
zabbix-proxy-sqlite3
zabbix-server-mysql (2 bugs: 0, 0, 2, 0)
zabbix-server-pgsql

action needed

A new upstream version is available: 5.0.12 high

A new upstream version 5.0.12 is available, you should consider packaging it.

Created: 2021-02-25 Last update: 2021-06-13 10:34

4 security issues in stretch high

There are 4 open security issues in stretch.

1 important issue:

CVE-2020-27834:

1 issue postponed or untriaged:

CVE-2013-7484: (needs triaging) Zabbix before 5.0 represents passwords in the users table with unsalted MD5.

2 ignored issues:

CVE-2017-2826: An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability.
CVE-2019-17382: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.

Created: 2021-02-19 Last update: 2021-04-21 16:04

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2020-27834:

Created: 2021-02-19 Last update: 2021-04-21 16:04

6 security issues in buster high

There are 6 open security issues in buster.

1 important issue:

CVE-2020-27834:

5 issues left for the package maintainer to handle:

CVE-2013-7484: (needs triaging) Zabbix before 5.0 represents passwords in the users table with unsalted MD5.
CVE-2019-15132: (needs triaging) Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
CVE-2019-17382: (needs triaging) An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
CVE-2020-15803: (needs triaging) Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
CVE-2021-27927: (needs triaging) In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-04-21 16:04

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2020-27834:

Created: 2021-02-19 Last update: 2021-04-21 16:04

Depends on packages which need a new maintainer normal

The packages that zabbix depends on which need a new maintainer are:

dh-linktree (#980413)
- Build-Depends: dh-linktree
prototypejs (#863697)
- Build-Depends: libjs-prototype

Created: 2019-11-22 Last update: 2021-06-13 13:06

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-09-11 Last update: 2021-06-13 12:32

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit e57c2ac5a5b08c55bab8b3e182e8d7d349cd2890
Author: Dmitry Smirnov <onlyjob@member.fsf.org>
Date:   Thu Apr 22 13:18:10 2021 +1000

    agent: +Provides: zabbix-sender (Closes: #987050).
    
     Thanks, Thomas Goirand.

https://salsa.debian.org/api/v4/projects/debian%2Fzabbix/pipelines?scope=finished&per_page=1 API request failed: 403 Forbidden at /srv/qa.debian.org/data/vcswatch/vcswatch line 405.

Created: 2021-04-22 Last update: 2021-06-07 20:05

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2021-02-01 Last update: 2021-02-01 10:32

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.5.0).

Created: 2020-11-17 Last update: 2021-02-01 08:05

testing migrations

This package will soon be part of the auto-unixodbc transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-openldap transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2021-04-21] Accepted zabbix 1:3.0.32+dfsg-0+deb9u1 (source) into oldstable (Sylvain Beucler)
[2021-02-11] Accepted zabbix 1:5.0.8+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2021-02-06] zabbix 1:5.0.8+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-02-01] Accepted zabbix 1:5.0.8+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2021-01-12] Accepted zabbix 1:5.0.7+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2021-01-12] zabbix 1:5.0.7+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-01-07] Accepted zabbix 1:5.0.7+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-11-23] Accepted zabbix 1:5.0.5+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2020-11-21] Accepted zabbix 1:3.0.31+dfsg-0+deb9u1 (source) into oldstable (Sylvain Beucler)
[2020-11-05] zabbix 1:5.0.5+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-10-31] Accepted zabbix 1:5.0.5+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-10-06] Accepted zabbix 1:5.0.4+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2020-10-06] zabbix 1:5.0.4+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-10-01] Accepted zabbix 1:5.0.4+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-08-07] Accepted zabbix 1:5.0.2+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2020-08-03] Accepted zabbix 1:3.0.7+dfsg-3+deb9u1 (source amd64 all) into oldstable (Chris Lamb)
[2020-07-29] zabbix 1:5.0.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-07-24] Accepted zabbix 1:5.0.2+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-06-02] Accepted zabbix 1:5.0.1+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2020-06-01] zabbix 1:5.0.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-05-26] Accepted zabbix 1:5.0.1+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-05-19] zabbix 1:5.0.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-05-19] Accepted zabbix 1:5.0.0+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2020-05-14] Accepted zabbix 1:5.0.0+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-04-11] zabbix 1:4.0.19+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-04-06] Accepted zabbix 1:4.0.19+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-03-04] zabbix 1:4.0.18+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-03-04] Accepted zabbix 1:4.0.18+dfsg-1~bpo10+1 (source) into buster-backports (Dmitry Smirnov)
[2020-02-28] Accepted zabbix 1:4.0.18+dfsg-1 (source) into unstable (Dmitry Smirnov)
[2020-02-09] zabbix 1:4.0.17+dfsg-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 12
RC: 0
I&N: 3
M&W: 8
F&P: 1
patch: 0

links

homepage
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
l10n (-, 60)

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:5.0.8+dfsg-1
70 bugs (1 patch)