CVE-2008-3880 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3880): SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary SQL commands via the filter array parameter.
mailed upstream
CVE-2008-3881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3881): Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder 1.23.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to unspecified "zm_html_view_*.php" files. CVE-2008-3882 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3882): ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary commands (aka "Command Injection") via (1) the executeFilter function in zm_html_view_events.php and (2) the run_state parameter to zm_html_view_state.php.
Should we mask the package?
Still no solution from upstream. The only workaround exist is: Restrict access to ZoneMinder (e.g. with ".htaccess"). Package.masked package. Security team, CVE-2008-3882 is considered as critical. Please, update Severity.
I contacted upstream to determine the status. Upstream said that all of them are fixed in a soon-to-be-released 1.24.0.
(In reply to comment #4) > Security team, CVE-2008-3882 is considered as critical. Please, update > Severity. Update isn't needed since any ~ is trivial.
1.24.0 has been released. http://www.zoneminder.com/wiki/index.php/Change_History#Release_1.24.0 SECURITY : Fixed all known security vulnerabilities from earlier versions.
*** Bug 259372 has been marked as a duplicate of this bug. ***
1.24.1 has been released: http://www.zoneminder.com/index.php?id=20&type=0&backPID=15&tt_news=61
When possible, requesting portage update to 1.24.1 (all previous security issues fixed, and website code re-written) and therefore a removal of the hard mask. Thank you.
Any news about an update to this package?
web-apps, please provide an updated ebuild.
I've been working on an ebuild of this, but it still doesn't work right in some cases, so I'm still tracking down some loose ends.
Hoping for a new ebuild soon. I've been holding off building my security system :) Been playing with it on Ubuntu, seems like a project worthwhile. -Chad
(In reply to comment #14) > Hoping for a new ebuild soon. I've been holding off building my security > system :) Been playing with it on Ubuntu, seems like a project worthwhile. > > -Chad I too am hoping for a new ebuild soon. P.V.Anthony
(In reply to comment #15) > (In reply to comment #14) > > Hoping for a new ebuild soon. I've been holding off building my security > > system :) Been playing with it on Ubuntu, seems like a project worthwhile. > > > > -Chad > > I too am hoping for a new ebuild soon. > > P.V.Anthony > If someone have a draft of ebuild for this, please attach a patch on this bug to evite duplicated work, i'm starting to work on this...
How's this going? The new version's been out for four months but the version in Portage is still and old and has security issues! Any ideas how long before we get an ebuild, or should we just install manually from source?
If you attach a working ebuild to this bug, we can move it faster.
Created attachment 194659 [details] ebuild for 1.24.1 I just copied the old ebuild. Dont know if the dependencies are really necessary.
+*zoneminder-1.24.2 (03 Aug 2009) + + 03 Aug 2009; Thomas Anderson <gentoofan23@gentoo.org> + +files/1.24.2/Makefile.am.patch, +zoneminder-1.24.2.ebuild, + +files/1.24.2/db_upgrade_script_location.patch, + +files/1.24.2/zm_create.sql.in.patch, + +files/1.24.2/zm_remote_camera_http.patch: + Add www-misc/zoneminder-1.24.2; fixes bug #262019 and security bug + #236517. + Zoneminder 1.24.2 fixes all known security flaws.
Thanks, Thomas. Closing as [noglsa] since it's ~.