Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 598762 (CVE-2016-9140) - <net-analyzer/zabbix-{2.2.16,3.0.6,3.2.2}: API JSON-RPC remote code execution
Summary: <net-analyzer/zabbix-{2.2.16,3.0.6,3.2.2}: API JSON-RPC remote code execution
Status: RESOLVED FIXED
Alias: CVE-2016-9140
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://support.zabbix.com/browse/ZBX...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-02 10:44 UTC by Agostino Sarubbo
Modified: 2016-12-14 10:30 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-11-02 10:44:28 UTC 
From ${URL} :

Zabbix versions between 2.2 and 3.0.3 are vulnerable to remote code execution.

References:

https://www.exploit-db.com/exploits/39937/

CVE assignment:

http://seclists.org/oss-sec/2016/q4/298


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-28 01:41:26 UTC 
@ Maintainer(s): We are waiting for upstream's release of v2.0.16, v3.0.6, v3.2.2 and v3.3.0 or your backport/cherry-pick (patches are available, see $URL).
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-03 13:44:29 UTC 
Added to existing GLSA.

Still waiting for the upstream release of v2.1.16.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-08 01:42:51 UTC 
@ Maintainer(s): Upstream has released all three versions we are waiting for. Please bump to

=net-analyzer/zabbix-2.2.16
=net-analyzer/zabbix-3.0.6
=net-analyzer/zabbix-3.2.2
Comment 4 Patrick Lauer gentoo-dev 2016-12-08 07:06:33 UTC 
Ebuilds for all three branches have been committed.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-08 12:44:16 UTC 
@ Arches,

please test and mark stable: =net-analyzer/zabbix-2.2.16
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-13 11:06:20 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-13 11:31:43 UTC 
x86 stable.

Maintainer(s), please cleanup.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 11:42:46 UTC 
This issue was resolved and addressed in
 GLSA 201612-42 at https://security.gentoo.org/glsa/201612-42
by GLSA coordinator Aaron Bauman (b-man).
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 11:43:41 UTC 
@maintainer(s), reopened for cleanup...