zabbix (1:4.0.4+dfsg-1+deb10u2) buster-security; urgency=medium

  This update addresses several security vulnerabilities:

  CVE-2013-7484 (Insecure storage of passwords)
    User passwords are now hashed with bcrypt, which is stronger than the
    MD5 used previously. The switch to bcrypt after the upgrade is
    automatic, i.e. no effort on the user side is required. Note that
    passwords longer than 72 characters will be truncated.

    However, this requires a database schema update, so downgrades to older
    Debian zabbix versions or non-Debian versions older than 5.0.0 might not
    be possible.

  CVE-2019-17382 (Disputed by upstream as not a security issue)
    The guest user can access dashboards which might contain sensitive
    information. It is recommended to disable the guest user, if the user
    is not needed, by disabling the "Guest group" in the UI:
      Administration -> User groups -> Guests -> Untick Enabled

 -- Tobias Frost <tobi@debian.org>  Tue, 22 Aug 2023 11:57:54 +0200
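
To confirm the MD5-to-bcrypt change described under CVE-2013-7484, stored password hashes can be classified by format. The script below is an added example, not part of the Debian package or of upstream Zabbix; the (alias, passwd) row layout is an assumption and the sample rows are constructed.

```python
import re

# Assumption: rows are (alias, passwd) pairs exported from the Zabbix user
# table; this layout is assumed, it is not stated in the NEWS entry.
# Legacy format: an unsalted MD5 digest, 32 hexadecimal characters.
MD5_RE = re.compile(r"[0-9a-f]{32}", re.IGNORECASE)
# bcrypt modular crypt format: $2a$/$2b$/$2y$, a two-digit cost, then 53
# characters of salt and digest (60 characters in total).
BCRYPT_RE = re.compile(r"\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}")


def classify(passwd):
    """Return ("md5", None), ("bcrypt", cost) or ("unknown", None)."""
    if MD5_RE.fullmatch(passwd):
        return ("md5", None)
    match = BCRYPT_RE.fullmatch(passwd)
    if match:
        return ("bcrypt", int(match.group(1)))
    return ("unknown", None)


def audit(rows):
    """Group account aliases by the scheme of their stored password hash."""
    report = {"md5": [], "bcrypt": {}, "unknown": []}
    for alias, passwd in rows:
        scheme, cost = classify(passwd)
        if scheme == "bcrypt":
            report["bcrypt"][alias] = cost  # keep the cost for review
        else:
            report[scheme].append(alias)
    return report


# Constructed sample rows; none of these values comes from a real system.
SAMPLE_ROWS = [
    ("guest", "d41d8cd98f00b204e9800998ecf8427e"),    # MD5 of the empty string
    ("Admin", "$2y$10$" + "A" * 53),                  # bcrypt-shaped placeholder
    ("olduser", "0123456789abcdef0123456789abcdef"),  # MD5-shaped placeholder
    ("svc", "!locked"),                               # neither format
]

if __name__ == "__main__":
    for scheme, accounts in audit(SAMPLE_ROWS).items():
        print(scheme, accounts)
```

Accounts reported under "md5" still carry a legacy hash and are the ones to review.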
