Bug 312875 (CVE-2010-1144)

Summary: <net-analyzer/zabbix-1.8.6: SQL Injection & Denial of Service (CVE-2010-1144,CVE-2011-{2904,3263})
Product: Gentoo Security
Reporter: Ernst Herzberg <earny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: patrick
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://support.zabbix.com/browse/ZBX-2257
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Ernst Herzberg 2010-04-02 20:56:19 UTC
"Zabbix API in versions up to 1.8.1 is vulnerable to an SQL Injection attack which can be exploited without any authentication."

Reproducible: Always
Comment 1 Patrick Lauer gentoo-dev 2010-04-07 13:09:07 UTC
+  07 Apr 2010; Patrick Lauer <patrick@gentoo.org> +zabbix-1.8.2.ebuild:
+  Bump, fixes #312875 #313403. As-needed patch fails for now.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-09 16:01:55 UTC
Does that mean it's OK to go stable? If so, please add arches.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-10 12:22:20 UTC
Please, it seems Zabbix 1.8.2 has bugs too, we shouldn't stable a vulnerable version.

I'll look into this later.
Comment 4 Matthew Marlowe (RETIRED) gentoo-dev 2011-08-26 04:41:47 UTC
There are no ebuilds for zabbix lower than 1.8.3 in tree... is there any reason this bug needs to stay open?
Comment 5 Agostino Sarubbo gentoo-dev 2011-09-11 00:28:55 UTC
We can skip here because 1.8.6 is stable[1]. Adding glsa vote request.


[1]: See bug 379693
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-09-11 02:50:28 UTC
Thanks, folks. GLSA Vote: yes.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:07:53 UTC
CVE-2011-2904 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2904):
  Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix before
  1.8.6 allows remote attackers to inject arbitrary web script or HTML via the
  backurl parameter.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-07 22:08:50 UTC
Yes for both.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 23:21:13 UTC
CVE-2011-3263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3263):
  zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows
  context-dependent attackers to cause a denial of service (CPU consumption)
  by executing the vfs.file.cksum command for a special device, as
  demonstrated by the /dev/urandom device.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 23:21:13 UTC
CVE-2011-3263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3263):
  zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows
  context-dependent attackers to cause a denial of service (CPU consumption)
  by executing the vfs.file.cksum command for a special device, as
  demonstrated by the /dev/urandom device.
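
The CVE-2011-3263 description above comes down to checksumming a path that never reaches end-of-file. As an added example (not Zabbix code and not part of this bug report), a checksum routine can refuse anything that is not a regular file; `safe_file_cksum`, `write_sample`, the `CK_*` codes and the rolling-XOR checksum are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum { CK_EOPEN = -1, CK_ENOTREG = -2, CK_EIO = -3 };
/* Hypothetical helper, not Zabbix code. Returns a 32-bit checksum (>= 0) or a
 * negative CK_* error. The rolling XOR is a stand-in for the real algorithm. */
int64_t safe_file_cksum(const char *path)
{
    /* O_NONBLOCK: opening a FIFO with no writer must not hang the caller. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return CK_EOPEN;
    struct stat st;
    /* Check the type of the descriptor we will read, not the path, so the
     * file cannot be swapped between the check and the read. */
    if (fstat(fd, &st) != 0) { close(fd); return CK_EIO; }
    if (!S_ISREG(st.st_mode)) { close(fd); return CK_ENOTREG; }
    unsigned char buf[4096];
    uint32_t sum = 0;
    off_t left = st.st_size;  /* bound the work to the size seen at open */
    while (left > 0) {
        size_t want = left < (off_t)sizeof buf ? (size_t)left : sizeof buf;
        ssize_t n = read(fd, buf, want);
        if (n < 0) { close(fd); return CK_EIO; }
        if (n == 0) break;    /* file shrank while we were reading */
        for (ssize_t i = 0; i < n; i++)
            sum = ((sum << 1) | (sum >> 31)) ^ buf[i];
        left -= n;
    }
    close(fd);
    return (int64_t)sum;
}
/* Writes a constructed sample file so the demo has a regular file to read. */
int write_sample(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = fputs(text, f) < 0 ? -1 : 0;
    return fclose(f) == 0 ? rc : -1;
}
int main(void)
{
    write_sample("/tmp/ck_sample.txt", "abc");
    printf("regular file: %lld\n", (long long)safe_file_cksum("/tmp/ck_sample.txt"));
    printf("/dev/urandom: %lld\n", (long long)safe_file_cksum("/dev/urandom"));
    return 0;
}
```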
Comment 11 Matthew Marlowe (RETIRED) gentoo-dev 2012-01-05 11:16:38 UTC
Security team - do you want to close this bug? 1.8.7 was stabilized fully a few months ago and we're already on to stabilizing 1.8.10.
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-05 12:33:12 UTC
Matthew, this still needs a GLSA issued. We will include this bug with the GLSA for the others, once 1.8.10-r1 is stable.
Comment 13 Matthew Marlowe (RETIRED) gentoo-dev 2012-03-20 12:23:48 UTC
Was glsa ever issued? Can we close? 1.8.10-r1 was marked stable quite a while ago.
Comment 14 Matthew Marlowe (RETIRED) gentoo-dev 2012-06-20 20:09:59 UTC
Note this is an ancient open security bug... impacted ebuilds were removed from tree quite a while ago... and the last request for 1.8.10-r1 to go stable was met and obsoleted via newer stable ebuild. I would appreciate if security herd could close bug when convenient.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-11-25 17:53:44 UTC
This issue was resolved and addressed in
 GLSA 201311-15 at http://security.gentoo.org/glsa/glsa-201311-15.xml
by GLSA coordinator Sergey Popov (pinkbyte).