| Summary: | <net-analyzer/zabbix-1.8.6 Cross-Site Scripting Vulnerability (CVE-2011-{2904,3264}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | djc, mattm, patrick |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://support.zabbix.com/browse/ZBX-3835 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2011-08-18 10:43:42 UTC
Updated ebuild fixing this security vulnerability has been committed in testing mode for the relevant arches in portage:

<CIA-100> mattm * gentoo-x86/net-analyzer/zabbix/ (ChangeLog zabbix-1.8.6.ebuild):
<CIA-100> Bump Zabbix 1.8.6, Fix Security Bug #379693
<CIA-100> (Portage version: 2.1.10.11/cvs/Linux x86_64)
<willikins> CIA-100: https://bugs.gentoo.org/379693 "<net-analyzer/zabbix-1.8.6 Cross-Site Scripting Vulnerability"; Gentoo Security, Vulnerabilities; IN_P; ago:security

Thanks Matthew; arches, please test and mark stable:
=net-analyzer/zabbix-1.8.6
target KEYWORDS : "amd64 ppc x86"

ok on server environment, so bug 376865 is also valid for 1.8.6 (if maintainer wants fix)

amd64 ok

x86 stable

amd64: pass.

NB: I think there should be some way to alert the use of multiple databases instead of a make failure.

ppc keywords dropped

> ok on server environment, so bug 376865 is also valid for 1.8.6 (if maintainer
> wants fix)
>
Thanks -- haven't had a chance to look at that bug yet, just recently took over maintenance of this package from Patrick. I'll try to get around to that bug in the near future, but I don't think it warrants any delays in stabilizing the security bug.

(In reply to comment #5)
> amd64: pass.
>
> NB: I think there should be some way to alert the use of multiple databases
> instead of a make failure.

Agreed -- the database logic seemed a little weird to me on the ebuild too. I just took over maintenance of the package so I will look at it later, but I don't think this is an issue that should get in the way of stabilizing the security fix, especially as the current stable ebuild has the same logic.

+ 28 Aug 2011; Tony Vroon <chainsaw@gentoo.org> zabbix-1.8.6.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+ Elijah El Lazkani in security bug #379693.

Stabilisation is complete. Security, please initiate GLSA voting procedures.

Thanks, Tony, folks. No vote is required for XSS vulnerabilities. Closing noglsa for XSS.

CVE-2011-3264 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3264):
Zabbix before 1.8.6 allows remote attackers to obtain sensitive information via an invalid srcfld2 parameter to popup.php, which reveals the installation path in an error message.