Bug 386175 - <net-analyzer/zabbix-1.8.7: Information leak (CVE-2011-3265)
Summary: <net-analyzer/zabbix-1.8.7: Information leak (CVE-2011-3265)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 386457
Blocks:
Reported: 2011-10-07 23:26 UTC by GLSAMaker/CVETool Bot
Modified: 2012-03-06 20:17 UTC (History)
Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 23:26:05 UTC
CVE-2011-3265 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3265):
  popup.php in Zabbix before 1.8.7 allows remote attackers to read the
  contents of arbitrary database tables via a modified srctbl parameter.


Maintainers, can we stabilize a fixed version? 1.8.7 or 1.8.8?
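The CVE text above describes a classic pattern: a request parameter names the database table a page reads from, and the page uses it without checking it against the set of tables it was designed to serve. The following is an added illustration of that pattern and its usual remedy, written here in Python against an in-memory SQLite database; it is not Zabbix's popup.php, not the 1.8.7 fix, and the table names, rows and the ALLOWED_SRCTBL set are constructed for the example.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory database standing in for a monitoring backend:
    one table the popup is meant to list (hosts) and one it must never
    expose (users). The rows are made up for this example."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE hosts (hostid INTEGER, host TEXT);
        INSERT INTO hosts VALUES (1, 'web01'), (2, 'db01');
        CREATE TABLE users (userid INTEGER, alias TEXT, passwd TEXT);
        INSERT INTO users VALUES (1, 'Admin', 'placeholder-hash');
        """
    )
    return db


# Hypothetical allowlist of source tables the popup is designed to serve.
# A real application would enumerate every table its selector legitimately
# offers; anything else is rejected before it reaches the query.
ALLOWED_SRCTBL = {"hosts"}


def lookup_unvalidated(db, srctbl):
    """Vulnerable pattern: the request parameter is spliced straight into
    the statement, so whatever table name the client sends is read back.
    (Table names cannot be bound as query parameters, which is why the
    fix has to be an allowlist rather than a placeholder.)"""
    return db.execute(f"SELECT * FROM {srctbl}").fetchall()


def lookup_allowlisted(db, srctbl):
    """Hardened pattern: only a name from the fixed allowlist is ever
    interpolated; everything else fails closed."""
    if srctbl not in ALLOWED_SRCTBL:
        raise ValueError(f"srctbl not permitted: {srctbl!r}")
    return db.execute(f"SELECT * FROM {srctbl}").fetchall()


def reads_table(db, lookup, srctbl):
    """True if lookup() returns rows for srctbl, False if it rejects the
    name. Used to compare the two variants on the same input."""
    try:
        return bool(lookup(db, srctbl))
    except ValueError:
        return False


if __name__ == "__main__":
    db = build_demo_db()
    for name in ("hosts", "users"):
        print(name,
              "unvalidated:", reads_table(db, lookup_unvalidated, name),
              "allowlisted:", reads_table(db, lookup_allowlisted, name))
```

With the constructed data, the unvalidated variant returns the contents of both tables, while the allowlisted variant serves only `hosts` and refuses `users`. The same check is what an auditor would look for in any page that derives a table, column or file name from a request parameter: a closed set compared against exactly, not a substring or regex filter.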
Comment 1 Matthew Marlowe (RETIRED) gentoo-dev 2011-10-08 01:49:25 UTC
Yes, we can stabilize 1.8.7.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-10-08 04:41:48 UTC
Arches, please test and mark stable:
=net-analyzer/zabbix-1.8.7
Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-10-08 10:55:06 UTC
looks perfect on a server, amd64 ok
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-08 19:35:23 UTC
x86 stable
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-10-08 20:48:07 UTC
amd64.

All but for Bug 386457, which warrants a blocker. Otherwise ok.
Comment 6 Matthew Marlowe (RETIRED) gentoo-dev 2011-10-09 05:15:40 UTC
Committed probable fix to bug #386457 via r1 bumps of the 1.8.7 and 1.8.8 ebuilds.
Comment 7 Agostino Sarubbo gentoo-dev 2011-10-09 10:41:27 UTC
(In reply to comment #6)
> Committed probable fix to bug #386457 via r1 bumps of the 1.8.7 and 1.8.8
> ebuilds.

Good job; anyway, it isn't a regression and the target is always 1.8.7.
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-10-09 14:29:05 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > Committed probable fix to bug #386457 via r1 bumps of the 1.8.7 and 1.8.8
> > ebuilds.
> 
> Good job, anyway isn't a regression and the target is always 1.8.7.

Can we do -r1 instead?
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-10-09 23:44:01 UTC
(In reply to comment #8)
> 
> Can we do -r1 instead?

Normally we'd stick with r0, but to minimize churn and user problems, I'll let the maintainers decide. Matthew or Patrick, should we move forward with r0 or stabilize r1? Thanks.
Comment 10 Matthew Marlowe (RETIRED) gentoo-dev 2011-10-10 03:09:48 UTC
From a maintainer perspective, we'd always like the most fixed up ebuild stabilized, which would be r1 now, but we're fine with however security handles it. Zabbix has frequent updates, so there is a new stable no less often than every 90 days and sometimes once a month.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-10-10 03:22:37 UTC
Ok, thanks. Let's just go with -r1; re-adding x86.

Arches, please test and mark stable:
=net-analyzer/zabbix-1.8.7-r1
Target keywords : "amd64 x86"
Comment 12 Andreas Schürch gentoo-dev 2011-10-14 06:42:16 UTC
zabbix-1.8.7-r1 stable on x86.
Comment 13 Markos Chandras (RETIRED) gentoo-dev 2011-10-15 20:02:46 UTC
amd64 done
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-10-15 23:46:22 UTC
Thanks, folks. GLSA Vote: yes.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2011-11-01 17:17:50 UTC
Vote: NO.
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-06 20:17:21 UTC
Vote: no, too. 

Closing noglsa