From the Red Hat bug at $URL: 'An SQL injection flaw was found in Zabbix, where input passed via the "itemid" parameter to popup_bitem.php is not properly sanitized before being used in an SQL query. The report was against version 2.0.1, but the upstream bug report [1] indicates this also affects 1.8.x. Upstream has patched [2] this, and there is a potential patch for 1.8.x [3].'
[1] https://support.zabbix.com/browse/ZBX-5348
[2] http://git.zabbixzone.com/zabbix2.0/.git/commit/333a3a5542ba8a2c901c24b7bf5440f41f1f4f54
[3] https://gist.github.com/3181678
I've requested info on the Zabbix IRC channel as to whether upstream plans to release 2.0.2 as an urgent fix. If not, it appears that 2.0.2rc2 includes the fix, so we can commit and stabilize that as an alternative path. I'll have to review the 1.8.x patch to see if we want to apply that. I haven't heard anything about a new 1.8.x release being scheduled. Thanks for catching this bug. I've sent an inquiry to verify how Zabbix is notifying distros of security vulnerabilities.
Per Zabbix Devs - Official 2.0.2 release will be out early this week. I'll bump it and remove the earlier 2.0.x ebuilds when it comes out. No word yet on whether a new 1.8.x release is scheduled.
1.8.15 should be released soon with a fix for the 1.8.x releases. 2.0.2 was released today - bumped in CVS. I'll want to do more testing and incorporate other bug fixes in an r1 release, but for the time being it has the security patch, is marked for testing arches, and I've removed all older 2.0.x ebuilds. None of the prior 2.0.x releases have yet reached stable status. When 1.8.15 is released, it will become the new stable and all older 1.8.x ebuilds will be removed.
CVE-2012-3435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3435): SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter.
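As an added illustration of the bug class named in the CVE text above (a numeric request parameter concatenated into an SQL statement), the following Python example is not Zabbix code and does not use Zabbix's schema: it builds a constructed in-memory SQLite table, shows a lookup that interpolates `itemid` into the query string, and sets a hardened lookup beside it that validates the parameter as an integer and binds it as a query parameter. Names such as `lookup_vulnerable`, `lookup_safe` and the `items` table are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample table standing in for an "items" table; not Zabbix's real schema.
SAMPLE_ROWS = [
    (1, "cpu load", 10),
    (2, "mem free", 10),
    (3, "disk io", 20),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (itemid INTEGER PRIMARY KEY, name TEXT, hostid INTEGER)"
    )
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, itemid):
    """The bug pattern: the request parameter is pasted into the SQL text.

    Whatever string the caller supplies becomes part of the statement, so
    the WHERE clause is under the caller's control.
    """
    sql = "SELECT itemid, name FROM items WHERE itemid=" + str(itemid)
    return conn.execute(sql).fetchall()


def is_valid_itemid(itemid):
    """Accept only an ASCII decimal string; an item id is an integer, nothing else."""
    return isinstance(itemid, str) and re.fullmatch(r"[0-9]+", itemid) is not None


def lookup_safe(conn, itemid):
    """Hardened form: validate the type, then bind the value as a parameter.

    The driver sends the value separately from the SQL text, so it can never
    be interpreted as part of the statement.
    """
    if not is_valid_itemid(itemid):
        raise ValueError("itemid must be a non-negative integer")
    return conn.execute(
        "SELECT itemid, name FROM items WHERE itemid=?", (int(itemid),)
    ).fetchall()


def compare(itemid):
    """Run both lookups on the same input and report what each returned.

    Returns a dict with the row count from the vulnerable path and either the
    rows from the safe path or the string "rejected" if validation refused it.
    """
    conn = make_db()
    vulnerable_rows = lookup_vulnerable(conn, itemid)
    try:
        safe_result = lookup_safe(conn, itemid)
    except ValueError:
        safe_result = "rejected"
    return {"vulnerable_count": len(vulnerable_rows), "safe": safe_result}


if __name__ == "__main__":
    # A well-formed id gives one row on both paths.
    print(compare("2"))
    # A tautology appended to the id widens the vulnerable query to every row;
    # the validated path refuses the input before any SQL is built.
    print(compare("2 OR 1=1"))
```

The point for review is the asymmetry: the vulnerable path returns three rows for the malformed input while the hardened path never reaches the database. Type validation alone is not the defence (a parameterized query is), but rejecting non-numeric ids early also makes such requests easy to log and alert on at the application layer.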
1.8.15 and 2.0.2-r1 are in tree. Neither is ready yet to be declared stable. Older ebuilds have been removed - to my knowledge nothing depends on Zabbix being stable. With a little more testing, we should be able to stabilize 1.8.15; however, it was just released yesterday, so I'll want to wait at least a few days to ensure it didn't introduce any obvious bugs.
Ok, but we should not wait too long. Now that the previous stable versions are gone, stable users will have issues running 'emerge --update', methinks.
Matthew, ok to stabilize now? Thanks.
It builds fine here and I haven't seen any new bugs since we bumped 1.8.15, so sure - let's go ahead and stabilize it so that those currently on stable have something secure to switch to.
Ok, thanks. Arches, please test and mark stable: =net-analyzer/zabbix-1.8.15
Target keywords: "amd64 x86"
x86 stable
amd64 stable
security, please vote.
Thanks, folks. GLSA Vote: yes.
Added to existing GLSA request.
(In reply to comment #14)
> Added to existing GLSA request.
I'm not seeing any information on a new vulnerability here... There are references to newer versions in the title, but CVE-2012-3435 was resolved prior. Which CVE should I be looking at?
This issue was resolved and addressed in GLSA 201311-15 at http://security.gentoo.org/glsa/glsa-201311-15.xml by GLSA coordinator Sergey Popov (pinkbyte).