Debian Security Advisory
DLA-1145-1 zoneminder -- LTS security update
- Date Reported:
- 26 Oct 2017
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2017-5595.
- More information:
Multiple vulnerabilities have been found in zoneminder. This update fixes only a serious file disclosure vulnerability (CVE-2017-5595).
The application has been found to suffer from many other problems such as SQL injection vulnerabilities, cross-site scripting issues, cross-site request forgery, session fixation vulnerability. Due to the amount of issues and to the relative invasiveness of the relevant patches, those issues will not be fixed in Wheezy. We thus advise you to restrict access to zoneminder to trusted users only. If you want to review the list of ignored issues, you can check the security tracker: https://security-tracker.debian.org/tracker/source-package/zoneminder
We recommend that you upgrade your zoneminder packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
For Debian 7
Wheezy, these issues have been fixed in zoneminder version 1.25.0-4+deb7u2