CVE-2007-6210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6210): zabbix_agentd 1.1.4 in ZABBIX runs "UserParameter" scripts with gid 0, which might allow local users to gain privileges.
I assume other versions than mentioned in the tree are also affected. Wolfram, please advise.
I have switched net-analyzer/zabbix-{agent,frontend,server} to net-analyzer/zabbix (with some USE flags) a while ago, and net-analyzer/zabbix-1.4.2-r1 already contains a fix. There is an issue with the new-style single zabbix package though, as it depends on webapp-config due to webapp.eclass inheritance (because of the web frontend) -- people tend to dislike having to install webapp-config on a machine where they only want to install the agent (using USE="agent -frontend -server"). Well. I don't really want to update the old ebuilds now, but I'm not sure whether it's the best idea to force their users to the new one either :o)
Thanks a lot, closing then.
(In reply to comment #2)
> Well. I don't really want to update the old ebuilds now, but I'm
> not sure whether it's the best idea to force their users to the
> new one either :o)
Well, it's an ~arch ebuild. No need to support older versions :-) If it works better for you, adding one dependency should not be a problem.
Oh, one question left: When will the old style zabbix go away and how do you get users to migrate?