Debian Security Advisory

DLA-1145-1 zoneminder -- LTS security update

Date Reported:
26 Oct 2017
Affected Packages:
zoneminder
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2017-5595.
More information:

Multiple vulnerabilities have been found in zoneminder. This update fixes only a serious file disclosure vulnerability (CVE-2017-5595).

The application has been found to suffer from many other problems such as SQL injection vulnerabilities, cross-site scripting issues, cross-site request forgery, session fixation vulnerability. Due to the amount of issues and to the relative invasiveness of the relevant patches, those issues will not be fixed in Wheezy. We thus advise you to restrict access to zoneminder to trusted users only. If you want to review the list of ignored issues, you can check the security tracker: https://security-tracker.debian.org/tracker/source-package/zoneminder

We recommend that you upgrade your zoneminder packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

For Debian 6 Squeeze, these issues have been fixed in zoneminder version 1.25.0-4+deb7u2