| Summary: | <net-analyzer/zabbix-2.0.8: Improper use of cURL API might lead to improper SSL certificate verification (MiTM) (CVE-2012-6086) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | mattm |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=892685 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Agostino Sarubbo 2013-01-07 19:19:41 UTC

I've commented on the upstream bug report and hopefully they'll have this fixed soon. Have to wait on them.

Commented on upstream bug again; if no response soon, will update ebuild to require earlier versions of curl.

zabbix-2.0.6-r5, which was just committed to cvs, places restrictions on curl version dependencies; this will be a stopgap measure until upstream fixes ZBX-5924.

Resolved in version 2.0.8 [https://support.zabbix.com/browse/ZBX-5924]

All zabbix versions prior to 2.0.8 have been removed. Curl issues should be resolved. Closing.

GLSA vote: no.

GLSA vote: no

Closing as noglsa

CVE-2012-6086 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6086): libs/zbxmedia/eztexting.c in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.8rc1, and 2.1.x before 2.1.2 does not properly set the CURLOPT_SSL_VERIFYHOST option for libcurl, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
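A static check for this bug class, added here as an example and not code from Zabbix or from this bug: it scans C source for `curl_easy_setopt` calls and flags any curl handle whose `CURLOPT_SSL_VERIFYHOST` is set to anything other than 2 (the only value that matches the host name against the certificate) or whose `CURLOPT_SSL_VERIFYPEER` is 0. The two source strings are constructed; that the original code used the value 1 is an assumption about this bug class, since the page only says the option was not set properly.

```python
import re

# Constructed C snippets modelled on the page's description of eztexting.c.
# The "before" assumes CURLOPT_SSL_VERIFYHOST was set to 1, which in libcurl
# only checks that the certificate carries a name, not that it matches the host.
VULNERABLE_SRC = """
    curl_easy_setopt(easyhandle, CURLOPT_URL, url);
    curl_easy_setopt(easyhandle, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(easyhandle, CURLOPT_SSL_VERIFYHOST, 1L);
"""
FIXED_SRC = """
    curl_easy_setopt(easyhandle, CURLOPT_URL, url);
    curl_easy_setopt(easyhandle, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(easyhandle, CURLOPT_SSL_VERIFYHOST, 2L);
"""

# Matches curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|VERIFYHOST, <value>)
SETOPT_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*(\w+)\s*,\s*(CURLOPT_SSL_VERIFY(?:HOST|PEER))\s*,\s*([^)]+?)\s*\)"
)

def parse_curl_value(text):
    """Turn a literal such as 1L, 0 or 2 into an int; None if it is not a literal."""
    m = re.fullmatch(r"(\d+)L?", text.strip())
    return int(m.group(1)) if m else None

def audit_curl_verification(src):
    """Return (handle, finding) pairs for every curl handle whose TLS
    verification options are weakened or cannot be judged statically."""
    per_handle = {}
    for handle, opt, raw in SETOPT_RE.findall(src):
        per_handle.setdefault(handle, {})[opt] = parse_curl_value(raw)
    findings = []
    for handle, opts in per_handle.items():
        for opt, val in opts.items():
            if val is None:
                findings.append((handle, f"{opt} set from a non-literal: review manually"))
            elif opt == "CURLOPT_SSL_VERIFYPEER" and val == 0:
                findings.append((handle, "CURLOPT_SSL_VERIFYPEER=0: certificate chain is not validated"))
            elif opt == "CURLOPT_SSL_VERIFYHOST" and val != 2:
                findings.append((handle, f"CURLOPT_SSL_VERIFYHOST={val}: host name is not matched against the certificate (needs 2)"))
    return findings

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(name, audit_curl_verification(src) or "no findings")
```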