Description
Security update for zabbix
This update for zabbix fixes the following issues:
- CVE-2024-36469: Introduced clamping for mitigation of timing attacks. (bsc#1240676)
- CVE-2024-42325: Restricted access to user fields via the user.get API method, and to alert entities via the alert.get API method, for users of the User and Admin types. (bsc#1240678)
Package list
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5
zabbix-agent-4.0.12-4.45.1
References
- Link for SUSE-SU-2026:0483-1
- E-Mail link for SUSE-SU-2026:0483-1
- SUSE Security Ratings
- SUSE Bug 1240676
- SUSE Bug 1240678
- SUSE CVE CVE-2024-36469 page
- SUSE CVE CVE-2024-42325 page
Description
Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one.
Affected products
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:zabbix-agent-4.0.12-4.45.1
References
- CVE-2024-36469
- SUSE Bug 1240676
Description
Zabbix API user.get returns all users that share a common group with the calling user. This includes media and other information, such as login attempts.
Affected products
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:zabbix-agent-4.0.12-4.45.1
References
- CVE-2024-42325
- SUSE Bug 1240678