Description
Security update for zabbix
This update for zabbix fixes the following issues:
- CVE-2021-27927: Fixed an improper CSRF protection mechanism (bsc#1183014).
- CVE-2013-7484: Fixed an issue where passwords in the users table were unsalted (bsc#1158321).
Package list
SUSE Linux Enterprise Server 12 SP5
zabbix-agent-4.0.12-4.12.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
zabbix-agent-4.0.12-4.12.1
References
- Link for SUSE-SU-2021:0990-1
- E-Mail link for SUSE-SU-2021:0990-1
- SUSE Security Ratings
- SUSE Bug 1158321
- SUSE Bug 1183014
- SUSE CVE CVE-2013-7484 page
- SUSE CVE CVE-2021-27927 page
Description
Zabbix before 5.0 represents passwords in the users table with unsalted MD5.
Affected products
SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.12.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.12.1
References
- CVE-2013-7484
- SUSE Bug 1158321
Description
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls disableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
Affected products
SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.12.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.12.1
References
- CVE-2021-27927
- SUSE Bug 1183014