Debian Bug report logs - #683273
CVE-2012-3435


Package: zabbix; Maintainer for zabbix is Christoph Haas <haas@debian.org>;

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Mon, 30 Jul 2012 12:33:02 UTC

Severity: grave

Tags: security

Found in versions 1:1.8.2-1, 1:1.8.2-1squeeze2

Fixed in versions zabbix/1:2.0.2+dfsg-1, zabbix/1:1.8.2-1squeeze4

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Christoph Haas <haas@debian.org>:
Bug#683273; Package zabbix. (Mon, 30 Jul 2012 12:33:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Christoph Haas <haas@debian.org>. (Mon, 30 Jul 2012 12:33:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-3435
Date: Mon, 30 Jul 2012 14:28:47 +0200
Package: zabbix
Severity: grave
Tags: security

Please see http://www.openwall.com/lists/oss-security/2012/07/28/3
for further references.

Cheers,
        Moritz



Reply sent to Dmitry Smirnov <onlyjob@member.fsf.org>:
You have taken responsibility. (Sun, 05 Aug 2012 10:33:05 GMT)

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sun, 05 Aug 2012 10:33:05 GMT)

Message #10 received at 683273-close@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@member.fsf.org>
To: 683273-close@bugs.debian.org
Subject: Bug#683273: fixed in zabbix 1:2.0.2+dfsg-1
Date: Sun, 05 Aug 2012 10:32:28 +0000
Source: zabbix
Source-Version: 1:2.0.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683273@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <onlyjob@member.fsf.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 05 Aug 2012 16:07:05 +1000
Source: zabbix
Binary: zabbix-agent zabbix-frontend-php zabbix-proxy-mysql zabbix-proxy-pgsql zabbix-proxy-sqlite3 zabbix-server-mysql zabbix-server-pgsql
Architecture: source amd64 all
Version: 1:2.0.2+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Christoph Haas <haas@debian.org>
Changed-By: Dmitry Smirnov <onlyjob@member.fsf.org>
Description: 
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-proxy-sqlite3 - network monitoring solution - proxy (using SQLite3)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 683273 683651
Changes: 
 zabbix (1:2.0.2+dfsg-1) unstable; urgency=low
 .
   * New upstream release.
     + fixes CVE-2012-3435 (closes: #683273).
   * frontend to create /etc/zabbix (closes: #683651).
   * frontend-php.postinst no longer 'chgrp' as group may not exist.





Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#683273; Package zabbix. (Wed, 05 Sep 2012 09:51:09 GMT)

Acknowledgement sent to Arnaud Le Blanc <arnaud.lb@gmail.com>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Wed, 05 Sep 2012 09:51:09 GMT)

Message #15 received at 683273@bugs.debian.org:

From: Arnaud Le Blanc <arnaud.lb@gmail.com>
To: 683273@bugs.debian.org
Subject: Stable still vulnerable
Date: Wed, 5 Sep 2012 11:48:20 +0200
The package is still vulnerable in stable and testing. Is this expected?



Marked as found in versions 1:1.8.2-1squeeze2. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Wed, 05 Sep 2012 20:39:09 GMT)

Marked as found in versions 1:1.8.2-1. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Thu, 06 Sep 2012 07:09:03 GMT)

Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Fri, 07 Sep 2012 09:03:06 GMT)

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Fri, 07 Sep 2012 09:03:06 GMT)

Message #24 received at 683273-close@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 683273-close@bugs.debian.org
Subject: Bug#683273: fixed in zabbix 1:1.8.2-1squeeze4
Date: Fri, 07 Sep 2012 09:02:04 +0000
Source: zabbix
Source-Version: 1:1.8.2-1squeeze4

We believe that the bug you reported is fixed in the latest version of
zabbix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683273@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated zabbix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 06 Sep 2012 02:18:15 -0500
Source: zabbix
Binary: zabbix-agent zabbix-server-mysql zabbix-server-pgsql zabbix-frontend-php zabbix-proxy-pgsql zabbix-proxy-mysql
Architecture: source i386 all
Version: 1:1.8.2-1squeeze4
Distribution: squeeze-security
Urgency: high
Maintainer: Christoph Haas <haas@debian.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 zabbix-agent - network monitoring solution - agent
 zabbix-frontend-php - network monitoring solution - PHP front-end
 zabbix-proxy-mysql - network monitoring solution - proxy (using MySQL)
 zabbix-proxy-pgsql - network monitoring solution - proxy (using PostgreSQL)
 zabbix-server-mysql - network monitoring solution - server (using MySQL)
 zabbix-server-pgsql - network monitoring solution - server (using PostgreSQL)
Closes: 683273
Changes: 
 zabbix (1:1.8.2-1squeeze4) squeeze-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2012-3435: SQL injection in popup_bitem.php (Closes: #683273)





Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#683273; Package zabbix. (Mon, 01 Oct 2012 13:03:03 GMT)

Acknowledgement sent to Dmitry Smirnov <onlyjob@member.fsf.org>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Mon, 01 Oct 2012 13:03:03 GMT)

Message #29 received at 683273@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@member.fsf.org>
To: debian-security@lists.debian.org
Cc: Raphael Geissert <geissert@debian.org>, 683273@bugs.debian.org
Subject: CVE-2012-3435: zabbix/testing
Date: Mon, 1 Oct 2012 22:59:53 +1000
Hi Raphael,

Thank you for fixing CVE-2012-3435 in Squeeze.

I've made a fix for Wheezy:

	http://anonscm.debian.org/gitweb/?p=collab-maint/zabbix.git;a=commitdiff;h=480ef5baede0f478a4a90a16b9453bc32b9f756d

and uploaded the source package to

	http://mentors.debian.net/debian/pool/main/z/zabbix/zabbix_1.8.11-1.1.dsc

This is my very first security-related upload so please review
and advise if I shall upload or if you'll take care of the rest.

Cheers,
Dmitry.

Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#683273; Package zabbix. (Fri, 07 Dec 2012 13:39:03 GMT)

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Fri, 07 Dec 2012 13:39:03 GMT)

Message #34 received at 683273@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Dmitry Smirnov <onlyjob@member.fsf.org>
Cc: debian-security@lists.debian.org, Raphael Geissert <geissert@debian.org>, 683273@bugs.debian.org
Subject: Re: CVE-2012-3435: zabbix/testing
Date: Fri, 07 Dec 2012 14:37:44 +0100
On lun., 2012-10-01 at 22:59 +1000, Dmitry Smirnov wrote:
> Hi Raphael,
> 
> Thank you for fixing CVE-2012-3435 in Squeeze.
> 
> I've made a fix for Wheezy:
> 
> 	http://anonscm.debian.org/gitweb/?p=collab-maint/zabbix.git;a=commitdiff;h=480ef5baede0f478a4a90a16b9453bc32b9f756d
> 
> and uploaded the source package to
> 
> 	http://mentors.debian.net/debian/pool/main/z/zabbix/zabbix_1.8.11-1.1.dsc
> 
> This is my very first security-related upload so please review
> and advise if I shall upload or if you'll take care of the rest.

There's no security archive for Wheezy right now, so this needs to go
through testing-proposed-updates. Please get in contact with the release
team to get approval.

Regards,
-- 
Yves-Alexis Perez
 Debian Security

Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#683273; Package zabbix. (Sat, 08 Dec 2012 00:12:02 GMT)

Acknowledgement sent to Dmitry Smirnov <onlyjob@member.fsf.org>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Sat, 08 Dec 2012 00:12:03 GMT)

Message #39 received at 683273@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@member.fsf.org>
To: "Yves-Alexis Perez" <corsac@debian.org>
Cc: debian-security@lists.debian.org, Raphael Geissert <geissert@debian.org>, 683273@bugs.debian.org
Subject: Re: CVE-2012-3435: zabbix/testing
Date: Sat, 8 Dec 2012 11:10:29 +1100
On Sat, 8 Dec 2012 00:37:44 Yves-Alexis Perez wrote:
> There's no security archive for Wheezy right now, so this needs to go
> through testing-proposed-updates. Please get in contact with the release
> team to get approval.
> 

After discussing this issue we're all agreed that 1.8.11 shall be removed from 
testing or replaced with 1:2.0.2+dfsg-4 (for which we have an unblock request 
#687916).

The problem will be gone if 2.0.2 will be allowed to migrate -- otherwise we 
will request removal of 1.8.11 from testing and upload to wheezy-backports.

So at the moment we're waiting for release team decision.

There is a fading hope for unblock of version 2.0.2 -- although it was staged 
in unstable too late to comply with freeze policy, there was not a single bug 
reported since upload of 1:2.0.2+dfsg-4 ~114 days ago.

Regards,
Dmitry.

Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#683273; Package zabbix. (Sat, 08 Dec 2012 08:18:03 GMT)

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Sat, 08 Dec 2012 08:18:03 GMT)

Message #44 received at 683273@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Dmitry Smirnov <onlyjob@member.fsf.org>
Cc: debian-security@lists.debian.org, Raphael Geissert <geissert@debian.org>, 683273@bugs.debian.org
Subject: Re: CVE-2012-3435: zabbix/testing
Date: Sat, 08 Dec 2012 09:15:36 +0100
On sam., 2012-12-08 at 11:10 +1100, Dmitry Smirnov wrote:
> On Sat, 8 Dec 2012 00:37:44 Yves-Alexis Perez wrote:
> > There's no security archive for Wheezy right now, so this needs to go
> > through testing-proposed-updates. Please get in contact with the release
> > team to get approval.
> > 
> 
> After discussing this issue we're all agreed that 1.8.11 shall be removed from 
> testing or replaced with 1:2.0.2+dfsg-4 (for which we have an unblock request 
> #687916).

Note that a bunch of issues affect stable too. What is the plan for
them?
> 
> The problem will be gone if 2.0.2 will be allowed to migrate -- otherwise we 
> will request removal of 1.8.11 from testing and upload to wheezy-backports.
> 
> So at the moment we're waiting for release team decision.

I didn't see the debdiff, but I'm not sure that's something they'll
really want to migrate at that time of the freeze.

Regards,
-- 
Yves-Alexis



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#683273; Package zabbix. (Sat, 08 Dec 2012 10:48:03 GMT)

Acknowledgement sent to Dmitry Smirnov <onlyjob@member.fsf.org>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Sat, 08 Dec 2012 10:48:03 GMT)

Message #49 received at 683273@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@member.fsf.org>
To: "Yves-Alexis Perez" <corsac@debian.org>
Cc: debian-security@lists.debian.org, Raphael Geissert <geissert@debian.org>, 683273@bugs.debian.org, Christoph Haas <haas@debian.org>
Subject: Re: CVE-2012-3435: zabbix/testing
Date: Sat, 8 Dec 2012 21:45:21 +1100
On Sat, 8 Dec 2012 19:15:36 Yves-Alexis Perez wrote:
> On sam., 2012-12-08 at 11:10 +1100, Dmitry Smirnov wrote:
> > After discussing this issue we're all agreed that 1.8.11 shall be removed
> > from testing or replaced with 1:2.0.2+dfsg-4 (for which we have an
> > unblock request #687916).
> 
> Note that a bunch of issues affect stable too. What is the plan for
> them?

As far as I'm aware there are no security issues left.
As for policy issues I hope we can let it retire as long as package  
functionality is not affected.

Please advise if you think there are issues that must be addressed in stable 
and I'll see what I can do.
Frankly I'm not too confident with packaging prior to version 2 due to lack of 
experience.

> > The problem will be gone if 2.0.2 will be allowed to migrate -- otherwise
> > we will request removal of 1.8.11 from testing and upload to
> > wheezy-backports.
> > 
> > So at the moment we're waiting for release team decision.
> 
> I didn't see the debdiff,

I updated #687916 with debdiff and replied in another email.


> but I'm not sure that's something they'll
> really want to migrate at that time of the freeze.

Most certainly you're right -- there is little hope left for unblock.
Still, to avoid unnecessary work I think it makes sense to wait for a decision on 
this matter before filing removal request.

Regards,
Dmitry.



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Haas <haas@debian.org>:
Bug#683273; Package zabbix. (Sat, 08 Dec 2012 11:24:13 GMT)

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Haas <haas@debian.org>. (Sat, 08 Dec 2012 11:24:13 GMT)

Message #54 received at 683273@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Dmitry Smirnov <onlyjob@member.fsf.org>
Cc: debian-security@lists.debian.org, Raphael Geissert <geissert@debian.org>, 683273@bugs.debian.org, Christoph Haas <haas@debian.org>
Subject: Re: CVE-2012-3435: zabbix/testing
Date: Sat, 08 Dec 2012 12:23:27 +0100
On sam., 2012-12-08 at 21:45 +1100, Dmitry Smirnov wrote:
> As far as I'm aware there are no security issues left.
> As for policy issues I hope we can let it retire as long as package  
> functionality is not affected.
> 
> Please advise if you think there are issues that must be addressed in stable 
> and I'll see what I can do.
> Frankly I'm not too confident with packaging prior to version 2 due to lack of 
> experience.

Actually there are a few CVEs still open (see
https://security-tracker.debian.org/tracker/source-package/zabbix) but
they are marked as unimportant / no-dsa so they should be fixed through
stable-proposed-updates.

Regards,
-- 
Yves-Alexis Perez
 Debian Security




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 17 Jan 2013 07:27:40 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:31:27 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.