[Buildroot] [PATCH] package/zabbix: security bump to v7.2.13
Julien Olivain
ju.o at free.fr
Fri Oct 10 16:36:22 UTC 2025
On 10/10/2025 18:20, Thomas Perale via buildroot wrote:
> For more details on the version bump, see:
> - https://www.zabbix.com/rn/rn7.2.13
> - https://www.zabbix.com/rn/rn7.2.12
> - https://www.zabbix.com/rn/rn7.2.11
> - https://www.zabbix.com/rn/rn7.2.10
> - https://www.zabbix.com/rn/rn7.2.9
> - https://www.zabbix.com/rn/rn7.2.8
> - https://www.zabbix.com/rn/rn7.2.7
> - https://www.zabbix.com/rn/rn7.2.6
>
> Fixes the following vulnerabilities:
>
> - CVE-2025-27231
>
> The LDAP 'Bind password' value cannot be read after saving, but a
> Super Admin account can leak it by changing LDAP 'Host' to a rogue
> LDAP server. To mitigate this, the 'Bind password' value is now
> reset on 'Host' change.
>
> For more information, see:
> - https://support.zabbix.com/browse/ZBX-27062
> - https://nvd.nist.gov/vuln/detail/CVE-2025-27231
>
> - CVE-2025-27236
>
> A regular Zabbix user can search other users in their user group
> via Zabbix API by selecting fields the user does not have access to
> view. This allows data-mining some field values the user does not
> have access to.
>
> For more information, see:
> - https://support.zabbix.com/browse/ZBX-27060
> - https://nvd.nist.gov/vuln/detail/CVE-2025-27236
>
> - CVE-2025-27238
>
> Due to a bug in Zabbix API, the hostprototype.get method lists all
> host prototypes to users that do not have any user groups assigned
> to them.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-27238
> - https://support.zabbix.com/browse/ZBX-26988
>
> - CVE-2025-49641
>
> A regular Zabbix user with no permission to the Monitoring ->
> Problems view is still able to call the problem.view.refresh action
> and therefore still retrieve a list of active problems.
>
> For more information, see:
> - https://support.zabbix.com/browse/ZBX-27063
> - https://nvd.nist.gov/vuln/detail/CVE-2025-49641
>
> Signed-off-by: Thomas Perale <thomas.perale at mind.be>
Applied to master, thanks.