
openSUSE 15.3: 2022:0036-1 Moderate: Zabbix XSS and CSRF Fixes

Published: February 16, 2022 (openSUSE)
openSUSE has released a Zabbix update that addresses three moderate-severity vulnerabilities: a stored XSS in the URL widget, a CSRF weakness in the authentication-settings controller, and exposure of the setup pages to unauthenticated users.
An update that solves three vulnerabilities and has two fixes is now available

Description

This update for zabbix fixes the following issues:

- Updated to latest release 4.0.37.

Security issues fixed:

- CVE-2022-23134: Fixed possible view of the setup pages by unauthenticated users if config file already exists (boo#1194681).

- CVE-2021-27927: Fixed CSRF protection mechanism inside CControllerAuthenticationUpdate controller (boo#1183014).

- CVE-2020-15803: Fixed stored XSS in the URL Widget (boo#1174253).

Bugfixes:

- boo#1181400: Added hardening to systemd service(s)

- boo#1144018: Restructured the packaging for easier maintenance (FATE#324346)

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.3:

zypper in -t patch openSUSE-2022-36=1

Package List

- openSUSE Leap 15.3 (aarch64 i586 ppc64le s390x x86_64):

zabbix-agent-4.0.37-lp153.2.3.1

zabbix-agent-debuginfo-4.0.37-lp153.2.3.1

zabbix-debuginfo-4.0.37-lp153.2.3.1

zabbix-debugsource-4.0.37-lp153.2.3.1

zabbix-java-gateway-4.0.37-lp153.2.3.1

zabbix-phpfrontend-4.0.37-lp153.2.3.1

zabbix-proxy-4.0.37-lp153.2.3.1

zabbix-proxy-mysql-4.0.37-lp153.2.3.1

zabbix-proxy-mysql-debuginfo-4.0.37-lp153.2.3.1

zabbix-proxy-postgresql-4.0.37-lp153.2.3.1

zabbix-proxy-postgresql-debuginfo-4.0.37-lp153.2.3.1

zabbix-proxy-sqlite-4.0.37-lp153.2.3.1

zabbix-proxy-sqlite-debuginfo-4.0.37-lp153.2.3.1

zabbix-server-4.0.37-lp153.2.3.1

zabbix-server-debuginfo-4.0.37-lp153.2.3.1

zabbix-server-mysql-4.0.37-lp153.2.3.1

zabbix-server-mysql-debuginfo-4.0.37-lp153.2.3.1

zabbix-server-postgresql-4.0.37-lp153.2.3.1

zabbix-server-postgresql-debuginfo-4.0.37-lp153.2.3.1
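As an added example (not code from the advisory, SUSE, or the Zabbix project): a POSIX shell check that reads rpm name-version-release strings and reports whether each installed Zabbix package is at or above the fixed build 4.0.37-lp153.2.3.1 from the package list above. The package list it runs over is constructed for offline use; on a real Leap 15.3 host you would feed it the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'zabbix*'`.

```shell
#!/bin/sh
# Added example (not part of the openSUSE advisory): check whether the Zabbix
# packages on a Leap 15.3 host are at or above the fixed build
# 4.0.37-lp153.2.3.1 listed in openSUSE-SU-2022:0036-1.
#
# Input is one "name-version-release" string per line, as produced by
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'zabbix*'
# The SAMPLE list at the bottom is constructed so the script runs offline.

FIXED_VR="4.0.37-lp153.2.3.1"

is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Compare two dot-separated strings segment by segment. Numeric segments
# compare as integers, others as strings; a missing segment sorts first
# (so 4.0 < 4.0.1). Prints -1, 0 or 1.
cmp_dotted() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        sa="${a%%.*}"; sb="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ -z "$sa" ] && [ -n "$sb" ]; then printf '%s\n' -1; return 0; fi
        if [ -n "$sa" ] && [ -z "$sb" ]; then printf '%s\n' 1;  return 0; fi
        if is_num "$sa" && is_num "$sb"; then
            if [ "$sa" -lt "$sb" ]; then printf '%s\n' -1; return 0; fi
            if [ "$sa" -gt "$sb" ]; then printf '%s\n' 1;  return 0; fi
        else
            if [ "$(expr "$sa" \< "$sb")" = 1 ]; then printf '%s\n' -1; return 0; fi
            if [ "$(expr "$sa" \> "$sb")" = 1 ]; then printf '%s\n' 1;  return 0; fi
        fi
    done
    printf '%s\n' 0
}

# Compare two "version-release" strings: the version decides first, the
# release only breaks ties (4.0.37-lp153.2.2.1 < 4.0.37-lp153.2.3.1).
cmp_vr() {
    va="${1%-*}"; ra="${1##*-}"
    vb="${2%-*}"; rb="${2##*-}"
    r="$(cmp_dotted "$va" "$vb")"
    if [ "$r" -ne 0 ]; then
        printf '%s\n' "$r"
    else
        cmp_dotted "$ra" "$rb"
    fi
}

# Classify one name-version-release string against the fixed build.
# The release part of an rpm never contains "-", so the last two dashes
# delimit version and release; everything before them is the package name.
package_status() {
    nvr="$1"
    name="${nvr%-*-*}"
    vr="${nvr#"$name"-}"
    if [ "$(cmp_vr "$vr" "$FIXED_VR")" -lt 0 ]; then
        printf '%s VULNERABLE (%s < %s)\n' "$name" "$vr" "$FIXED_VR"
    else
        printf '%s PATCHED (%s)\n' "$name" "$vr"
    fi
}

# Read NVR lines on stdin, report each, and return 1 if any is below the fix.
audit() {
    bad=0
    while IFS= read -r nvr; do
        [ -n "$nvr" ] || continue
        line="$(package_status "$nvr")"
        printf '%s\n' "$line"
        case "$line" in *VULNERABLE*) bad=1 ;; esac
    done
    return "$bad"
}

# Constructed sample: two packages on the fixed build, one still on an
# older build of the same 4.0.x line.
SAMPLE="zabbix-agent-4.0.37-lp153.2.3.1
zabbix-server-mysql-4.0.36-lp153.2.2.1
zabbix-phpfrontend-4.0.37-lp153.2.3.1"

if printf '%s\n' "$SAMPLE" | audit; then
    echo "all zabbix packages at or above $FIXED_VR"
else
    echo "update required: zypper in -t patch openSUSE-2022-36=1"
fi
```

The comparison deliberately orders version before release, which is the mistake a plain `sort -V` over whole NVR strings can make when the release string changes format. It is a simplified check (no epoch, no rpm tilde or caret semantics), intended for a quick audit across hosts; on the host itself `zypper patch-check` remains the authoritative answer for whether the patch is pending.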

References

https://www.suse.com/security/cve/CVE-2020-15803.html

https://www.suse.com/security/cve/CVE-2021-27927.html

https://www.suse.com/security/cve/CVE-2022-23134.html

https://bugzilla.suse.com/1144018

https://bugzilla.suse.com/1174253

https://bugzilla.suse.com/1181400

https://bugzilla.suse.com/1183014

https://bugzilla.suse.com/1194681

Announcement ID: openSUSE-SU-2022:0036-1
Rating: moderate
Affected Products: openSUSE Leap 15.3
