zabbix frontend still has a debug line enabled

Bug #157128 reported by wizhippo
Affects: zabbix (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Kees Cook
Milestone: (none)

Bug Description

in file include/db.inc.php line 67

SDI($pg_connection_string);

should be

//SDI($pg_connection_string);

This shows the database login details.

Kees Cook (kees) wrote :

Thanks for the report and helping to make Ubuntu better. If someone can build a debdiff and test the result, following the SUP[1], I can get it published.

[1] https://wiki.ubuntu.com/SecurityUpdateProcedures

Changed in zabbix:
status: New → Confirmed
.:. brainsik (brainsik) wrote :

The debdiff is attached. I tested the package and it works great.

There were no instructions for how to build the debdiff on the page you provided above. I had to assume it should be run against the .dsc files as the other methods didn't provide useful info.

$ debdiff zabbix_1.4.1-2.dsc zabbix_1.4.1-2ubuntu0.1.dsc > zabbix_1.4.1-2ubuntu0.1.debdiff

The fix I made is the same as what the Debian people did.
http://ftp.de.debian.org/debian/pool/main/z/zabbix/zabbix_1.4.1-4.diff.gz

Kees Cook (kees) wrote :

Thanks for the debdiff; it looks good. I've uploaded it to the security queue -- it should be published shortly.

Changed in zabbix:
assignee: nobody → keescook
status: Confirmed → Fix Committed
.:. brainsik (brainsik) wrote :

zabbix (1:1.4.1-2ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Displays database login details (including password) when
    postgresql is used.
  * Dont print debug information on frontend when postgresql is used.
    debian/patches/db.inc.patch
  * Fixes LP: #157128

 -- Jeremy Avnet <email address hidden> Thu, 08 Nov 2007 15:02:33 -0800

Changed in zabbix:
status: Fix Committed → Fix Released
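
A regression check for the issue reported in this bug, as an added example that is not part of the thread or of the Zabbix code base: it scans PHP source for SDI() debug calls that are still active (not commented out) and pass a credential-like variable. The sample source, the variable-name list and the function names are assumptions made for this example; only SDI() and $pg_connection_string come from the report.

```python
import re

# Constructed sample, not the real include/db.inc.php; only SDI() and
# $pg_connection_string come from the report.
SAMPLE = '''<?php
$pg_connection_string = "host='$DB_SERVER' user='$DB_USER' password='$DB_PASSWORD'";
SDI($pg_connection_string);
//SDI($pg_connection_string);
/* SDI($pg_connection_string); */
SDI("connecting to database");
$DB = pg_connect($pg_connection_string);
'''

# Credential-like variable names (assumed list for this example).
SENSITIVE = re.compile(r"\$\w*(conn|passw|pwd|dsn|secret)\w*", re.IGNORECASE)
DEBUG_CALL = re.compile(r"\bSDI\s*\(([^;]*)\)\s*;")

def strip_php_comments(src):
    """Blank out //, # and /* */ comments; keep newlines and string literals."""
    out, i, n, quote = [], 0, len(src), None
    while i < n:
        ch = src[i]
        if quote:                                  # inside a string literal
            if ch == "\\" and i + 1 < n:           # keep escaped character pairs
                out.append(src[i:i + 2]); i += 2; continue
            if ch == quote:
                quote = None
            out.append(ch); i += 1
        elif ch in "'\"":
            quote = ch; out.append(ch); i += 1
        elif src.startswith("/*", i):
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            out.append(re.sub(r"[^\n]", " ", src[i:end])); i = end
        elif src.startswith("//", i) or ch == "#":
            end = src.find("\n", i)
            end = n if end == -1 else end
            out.append(" " * (end - i)); i = end
        else:
            out.append(ch); i += 1
    return "".join(out)

def find_leaky_debug_calls(src):
    """Return (line, argument) for active SDI() calls passing a credential-like variable."""
    code = strip_php_comments(src)
    return [(code.count("\n", 0, m.start()) + 1, m.group(1).strip())
            for m in DEBUG_CALL.finditer(code) if SENSITIVE.search(m.group(1))]

if __name__ == "__main__":
    for line, arg in find_leaky_debug_calls(SAMPLE):
        print(f"line {line}: SDI({arg}) prints a credential-bearing value")
```

Run against a packaged frontend tree before upload, a non-empty result means a debug call like the one in this report is still live.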
This report contains Public Security information  
Everyone can see this security related information.
