CVE-2011-3265 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3265): popup.php in Zabbix before 1.8.7 allows remote attackers to read the contents of arbitrary database tables via a modified srctbl parameter. Maintainers, can we stabilize a fixed version? 1.8.7 or 1.8.8?
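The fix the report asks for is simply stabilizing 1.8.7, but operators who cannot upgrade immediately usually also want to know whether popup.php has been poked at with unexpected srctbl values. The following is an added example, not code from this bug or from the Zabbix project: it scans common/combined-format web server access logs for popup.php requests whose srctbl value is outside an allowlist. The allowlist contents are an assumption for illustration; derive the real one from the popup.php shipped with the version you run. The log lines are constructed, not real traffic.

```python
"""Scan access logs for Zabbix popup.php requests with an unexpected srctbl.

Added example for CVE-2011-3265 triage; not code from the bug report or
from the Zabbix project.
"""
import re
from posixpath import basename
from urllib.parse import parse_qs, urlsplit

# Assumption: the srctbl values the deployed frontend is expected to serve.
# These are illustrative only; build the real set from your popup.php.
EXPECTED_SRCTBL = frozenset({
    "hosts", "templates", "host_groups", "triggers", "items",
    "applications", "graphs", "screens", "sysmaps", "users", "usrgrp",
})

# Common/combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def srctbl_values(target):
    """Return all srctbl values from a request target that addresses popup.php, else []."""
    parts = urlsplit(target)
    if basename(parts.path) != "popup.php":
        return []
    # parse_qs percent-decodes the values; a repeated parameter yields several values,
    # so an attacker cannot hide a second value behind an innocuous first one.
    return parse_qs(parts.query, keep_blank_values=True).get("srctbl", [])


def find_unexpected(lines, allow=EXPECTED_SRCTBL):
    """Return (client, time, srctbl) for every popup.php request whose srctbl is
    outside the allowlist. Lines that do not parse are skipped, not flagged."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for value in srctbl_values(rec["target"]):
            if value not in allow:
                hits.append((rec["client"], rec["time"], value))
    return hits


# Constructed sample log lines (not real traffic, not real attack payloads).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2011:12:00:01 +0000] "GET /zabbix/popup.php?srctbl=hosts&dstfrm=form HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Oct/2011:12:00:02 +0000] "GET /zabbix/dashboard.php HTTP/1.1" 200 8000',
    '198.51.100.7 - - [01/Oct/2011:12:00:03 +0000] "GET /zabbix/popup.php?srctbl=some%5Fother%5Ftable HTTP/1.1" 200 9000',
    '198.51.100.7 - - [01/Oct/2011:12:00:04 +0000] "GET /zabbix/popup.php?srctbl=hosts&srctbl=another_table HTTP/1.1" 200 300',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, when, value in find_unexpected(SAMPLE_LOG):
        print(f"{when} {client} popup.php srctbl={value!r} not in allowlist")
```

Two caveats: access logs only record the query string, so a srctbl value sent in a POST body never shows up here, and an unexpected value is an indicator to investigate, not proof that data was read. Neither changes the remediation, which is the 1.8.7 ebuild discussed in this bug.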
Yes, we can stabilize 1.8.7.
Arches, please test and mark stable: =net-analyzer/zabbix-1.8.7
Target keywords: "amd64 x86"
looks perfect on a server, amd64 ok
x86 stable
amd64: all ok except for Bug 386457, which warrants a blocker. Otherwise ok.
Committed probable fix to bug #386457 via r1 bumps of the 1.8.7 and 1.8.8 ebuilds.
(In reply to comment #6)
> Committed probable fix to bug #386457 via r1 bumps of the 1.8.7 and 1.8.8
> ebuilds.

Good job; anyway, it isn't a regression and the target is still 1.8.7.
(In reply to comment #7)
> (In reply to comment #6)
> > Committed probable fix to bug #386457 via r1 bumps of the 1.8.7 and 1.8.8
> > ebuilds.
>
> Good job, anyway isn't a regression and the target is always 1.8.7.

Can we do -r1 instead?
(In reply to comment #8)
> Can we do -r1 instead?

Normally we'd stick with r0, but to minimize churn and user problems, I'll let the maintainers decide. Matthew or Patrick, should we move forward with r0 or stabilize r1? Thanks.
From a maintainer perspective, we'd always like the most fixed-up ebuild stabilized, which would be r1 now, but we're fine with however security handles it. Zabbix has frequent updates, so there is a new stable release no less often than every 90 days, and sometimes once a month.
Ok, thanks. Let's just go with -r1; re-adding x86.
Arches, please test and mark stable: =net-analyzer/zabbix-1.8.7-r1
Target keywords: "amd64 x86"
zabbix-1.8.7-r1 stable on x86.
amd64 done
Thanks, folks. GLSA Vote: yes.
Vote: NO.
Vote: no, too. Closing noglsa.