Debian Long Term Support / LTS Security Information / 2019 / Security Information -- DLA-1708-1 zabbix

Debian Security Advisory

DLA-1708-1 zabbix -- LTS security update

Date Reported:

11 Mar 2019

Affected Packages:

zabbix

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-10742, CVE-2017-2826.

More information:

Several security vulnerabilities were discovered in Zabbix, a server/client network monitoring solution.

• CVE-2016-10742

  Zabbix allowed remote attackers to redirect to external links by misusing the request parameter.

• CVE-2017-2826

  An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability.

This update also includes several other bug fixes and improvements. For more information please refer to the upstream changelog file.

For Debian 8 Jessie, these problems have been fixed in version 1:2.2.23+dfsg-0+deb8u1.

We recommend that you upgrade your zabbix packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS