Debian Security Advisory

DLA-1708-1 zabbix -- LTS security update

Date Reported: 11 Mar 2019
Affected Packages: zabbix
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2016-10742, CVE-2017-2826.
More information:

Several security vulnerabilities were discovered in Zabbix, a server/client network monitoring solution.

  • CVE-2016-10742

    Zabbix allowed remote attackers to redirect to external links by misusing the request parameter.

  • CVE-2017-2826

    An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability.

This update also includes several other bug fixes and improvements. For more information please refer to the upstream changelog file.

For Debian 8 Jessie, these problems have been fixed in version 1:2.2.23+dfsg-0+deb8u1.

We recommend that you upgrade your zabbix packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS