author | Changqing Li <changqing.li@windriver.com> | 2022-04-13 10:35:16 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2022-04-16 09:48:15 -0700 |
commit | 9a0caf5b09e14a28a54c3f8524d97530aeb8152c (patch) | |
tree | c59ca9ce85f4e0d3b00e4836e2e858ef0646ad59 | |
parent | c3d85c309be7b8105887ccbb4f30a148dd114756 (diff) | |
download | meta-openembedded-9a0caf5b09e14a28a54c3f8524d97530aeb8152c.tar.gz |
zabbix: Fix sereval CVEs
fix CVE-2022-24349,CVE-2022-24917,CVE-2022-24918,CVE-2022-24919
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-oe/recipes-connectivity/zabbix/zabbix/0001-.F.-DEV-2077-fixed-reflected-XSS-issues.patch | 93 | ||||
-rw-r--r-- | meta-oe/recipes-connectivity/zabbix/zabbix_5.2.6.bb | 1 |
2 files changed, 94 insertions, 0 deletions
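--- /dev/null
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix/0001-.F.-DEV-2077-fixed-reflected-XSS-issues.patch
@@ -0,0 +1,93 @@
+From fe3e2c2deeef568ec7e961340487497e31eb1a81 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 13 Apr 2022 10:19:39 +0800
+Subject: [PATCH] ..F....... [DEV-2077] fixed reflected XSS issues
+
+Merge in ZBX/zabbix from feature/DEV-2077-5.4 to release/5.4
+
+* commit '5986cdf2572acaaaac1fc113d6407d5f0cd00c35':
+..F....... [DEV-2077] fixed service actions #3
+..F....... [DEV-2077] fixed service actions #2
+..F....... [DEV-2077] reverted unnecessary changes
+..F....... [DEV-2077] reverted tests
+..F....... [DEV-2077] fixed service actions
+..F....... [DEV-2077] fixed reflected XSS issue in service configuration form
+..F....... [DEV-2077] fixed reflected XSS issues in uncheckTableRows function
+..F....... [DEV-2077] fixed reflected XSS issues in graph configuration
+..F....... [DEV-2077] fixed reflected XSS issues in action configuration
+
+Upstream_Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/05976188fcca518c029e1af9ed03fd331786d77d]
+CVE: CVE-2022-24349,CVE-2022-24917,CVE-2022-24918,CVE-2022-24919
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ui/actionconf.php | 2 +-
+ui/graphs.php | 2 +-
+ui/include/func.inc.php | 5 ++---
+ui/include/views/configuration.services.edit.php | 5 +++--
+4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/ui/actionconf.php b/ui/actionconf.php
+index 5b67f72..8cda3fc 100644
+--- a/ui/actionconf.php
++++ b/ui/actionconf.php
+@@ -37,7 +37,7 @@ $fields = [
+'name' => [T_ZBX_STR, O_OPT, null, NOT_EMPTY, 'isset({add}) || isset({update})',
+_('Name')
+],
+- 'eventsource' => [T_ZBX_INT, O_OPT, null,
++ 'eventsource' => [T_ZBX_INT, O_OPT, P_SYS,
+IN([EVENT_SOURCE_TRIGGERS, EVENT_SOURCE_DISCOVERY,
+EVENT_SOURCE_AUTOREGISTRATION, EVENT_SOURCE_INTERNAL
+]),
+diff --git a/ui/graphs.php b/ui/graphs.php
+index 79bb195..1d10803 100644
+--- a/ui/graphs.php
++++ b/ui/graphs.php
+@@ -43,7 +43,7 @@ $fields = [
+'name' => [T_ZBX_STR, O_OPT, null, NOT_EMPTY, 'isset({add}) || isset({update})', _('Name')],
+'width' => [T_ZBX_INT, O_OPT, null, BETWEEN(20, 65535), 'isset({add}) || isset({update})', _('Width')],
+'height' => [T_ZBX_INT, O_OPT, null, BETWEEN(20, 65535), 'isset({add}) || isset({update})', _('Height')],
+- 'graphtype' => [T_ZBX_INT, O_OPT, null, IN('0,1,2,3'), 'isset({add}) || isset({update})'],
++ 'graphtype' => [T_ZBX_INT, O_OPT, P_SYS, IN('0,1,2,3'), 'isset({add}) || isset({update})'],
+'show_3d' => [T_ZBX_INT, O_OPT, P_NZERO, IN('0,1'), null],
+'show_legend' => [T_ZBX_INT, O_OPT, P_NZERO, IN('0,1'), null],
+'ymin_type' => [T_ZBX_INT, O_OPT, null, IN('0,1,2'), null],
+diff --git a/ui/include/func.inc.php b/ui/include/func.inc.php
+index 359fdfb..43c1a41 100644
+--- a/ui/include/func.inc.php
++++ b/ui/include/func.inc.php
+@@ -2175,11 +2175,10 @@ function uncheckTableRows($parentid = null, $keepids = []) {
+if ($keepids) {
+// If $keepids will not have same key as value, it will create mess, when new checkbox will be checked.
+$keepids = array_combine($keepids, $keepids);
+-
+- insert_js('sessionStorage.setItem("'.$key.'", JSON.stringify('.json_encode($keepids).'))');
++ insert_js('sessionStorage.setItem('.json_encode($key).', JSON.stringify('.json_encode($keepids).'));');
+}
+else {
+- insert_js('sessionStorage.removeItem("'.$key.'")');
++ insert_js('sessionStorage.removeItem('.json_encode($key).');');
+}
+}
+
+diff --git a/ui/include/views/configuration.services.edit.php b/ui/include/views/configuration.services.edit.php
+index a12385b..625fba9 100644
+--- a/ui/include/views/configuration.services.edit.php
++++ b/ui/include/views/configuration.services.edit.php
+@@ -141,9 +141,10 @@ foreach ($this->data['children'] as $child) {
+!empty($child['trigger']) ? $child['trigger'] : '',
+(new CCol(
+(new CButton('remove', _('Remove')))
+- ->onClick('javascript: removeDependentChild(\''.$child['serviceid'].'\');')
+- ->addClass(ZBX_STYLE_BTN_LINK)
+->removeId()
++ ->addClass(ZBX_STYLE_BTN_LINK)
++ ->setAttribute('data-serviceid', $child['serviceid'])
++ ->onClick('removeDependentChild(this.dataset.serviceid);')
+))->addClass(ZBX_STYLE_NOWRAP)
+]))->setId('children_'.$child['serviceid'])
+);
+--
+2.25.1
+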
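Review bot: The `CVE:` and `Upstream_Status:` tags in the added patch header (lines 19–20 of the new file) are not in the form OpenEmbedded tooling parses, so this fix may be only partly visible to CVE tracking. As far as I recall, cve-check reads space-separated IDs after `CVE:`, so the comma-separated list would likely register only CVE-2022-24349 as patched and keep reporting the other three; the line should read `CVE: CVE-2022-24349 CVE-2022-24917 CVE-2022-24918 CVE-2022-24919`. The status tag is spelled with a hyphen, `Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/05976188fcca518c029e1af9ed03fd331786d77d]`; with the underscore the patch-status QA check will probably treat it as missing or malformed. The header also says the upstream change was merged for release/5.4 while the recipe is 5.2.6, so a short line in the patch stating what was adapted for 5.2 would help the next reviewer.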
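--- a/meta-oe/recipes-connectivity/zabbix/zabbix_5.2.6.bb
+++ b/meta-oe/recipes-connectivity/zabbix/zabbix_5.2.6.bb
@@ -26,6 +26,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.2/${BPN}-${PV}.tar.gz \
 file://0001-Fix-configure.ac.patch \
 file://zabbix-agent.service \
+file://0001-.F.-DEV-2077-fixed-reflected-XSS-issues.patch \
 "
 
 SRC_URI[md5sum] = "31dab3535a1fa212f5724902727f6d4d"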