
Bug 452878 (CVE-2013-1364)

Summary: <net-analyzer/zabbix-{1.8.16,2.0.4-r1}: ldap vulnerabilities ZBX-6097 (CVE-2013-1364)
Product: Gentoo Security
Reporter: Matthew Marlowe (RETIRED) <mattm>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mattm
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://support.zabbix.com/browse/ZBX-6097
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Matthew Marlowe (RETIRED) gentoo-dev 2013-01-18 22:52:39 UTC
Recent zabbix versions prior to 1.8.16 and all 2.0.x releases are susceptible to a significant ldap authentication vulnerability:

https://support.zabbix.com/browse/ZBX-6097

I was contacted by upstream and advised that patches and fixes were on the way.

I've already bumped and committed 1.8.16 with ~amd64/~x86 keywords.  In a few days, I will remove 1.8.15 and prior ebuilds.

I've also put out a patched 2.0.4 as 2.0.4-r1 ebuild, this has no keywords yet as I am testing it.  If tests go well, I'll put it ~amd64/~x86 and it will eventually become our new latest stable.  1.8.16 is being kept solely for those who can not upgrade to 2.0.x for their own reasons.

Fedora has already released their own package updates - but I haven't seen any other distribution security announcements for this CVE.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-27 16:20:53 UTC
Thanks for the report, Matthew.

Are one of these versions ready for stabilization?
Comment 2 Matthew Marlowe (RETIRED) gentoo-dev 2013-01-27 19:39:02 UTC
2.0.4-r1 was keyworded for testing a few days ago...I have been waiting on any bug reports and have yet to receive any....Assuming no problems, it should become the new stable.
Comment 3 Matthew Marlowe (RETIRED) gentoo-dev 2013-02-11 01:56:24 UTC
Let's go ahead and stabilize 2.0.4-r1 now then....I haven't received any new bug reports for it since it was put in ~amd64/~x86 weeks ago. We'll leave 1.8.16 in testing and eventually remove 1.8.15.
Comment 4 Agostino Sarubbo gentoo-dev 2013-02-11 21:29:40 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-02-11 21:31:11 UTC
x86 stable
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-24 13:22:23 UTC
GLSA vote: yes.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-10 17:18:56 UTC
Added to existing GLSA draft.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-11-25 17:53:52 UTC
This issue was resolved and addressed in
 GLSA 201311-15 at http://security.gentoo.org/glsa/glsa-201311-15.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 00:21:28 UTC
CVE-2013-1364 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1364):
  The user.login function in Zabbix before 1.8.16 and 2.x before 2.0.5rc1
  allows remote attackers to override LDAP configuration via the cnf
  parameter.
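The bug class the NVD entry describes, as an added Python illustration that is not Zabbix's own code: a login handler in the style of user.login that merges a caller-supplied cnf object over the server's LDAP settings, the hardened form that takes the configuration from server settings only and rejects unexpected parameters, and a log check that flags requests carrying cnf. The configuration values, the set of allowed login parameters and the sample requests are constructed.

```python
"""Illustrates the CVE-2013-1364 bug class: a login API whose request
parameters can override server-side LDAP settings. Not Zabbix code."""
import json

# Constructed server-side LDAP configuration (placeholder values).
SERVER_LDAP_CFG = {
    "host": "ldaps://ldap.example.internal",
    "base_dn": "ou=people,dc=example,dc=internal",
    "bind_dn": "cn=zabbix,ou=svc,dc=example,dc=internal",
}

# Parameters the login method should accept from the client (assumed set).
ALLOWED_LOGIN_PARAMS = {"user", "password", "userData"}


def ldap_config_vulnerable(params, server_cfg=SERVER_LDAP_CFG):
    """'Before' pattern: a dict passed as params['cnf'] is merged over the
    server configuration, so the caller decides which directory the bind
    goes to. Kept only to contrast with the hardened version below."""
    return {**server_cfg, **params.get("cnf", {})}


def ldap_config_hardened(params, server_cfg=SERVER_LDAP_CFG):
    """'After' pattern: the effective config comes from the server settings
    only, and unexpected parameters are rejected rather than honoured."""
    unexpected = set(params) - ALLOWED_LOGIN_PARAMS
    if unexpected:
        raise ValueError(f"user.login rejects parameters {sorted(unexpected)}")
    return dict(server_cfg)


def flag_override_attempts(jsonrpc_lines):
    """Log review: return ids of user.login requests carrying a 'cnf' member,
    so attempts against an unpatched frontend stand out in a body log."""
    flagged = []
    for line in jsonrpc_lines:
        req = json.loads(line)
        if req.get("method") == "user.login" and "cnf" in req.get("params", {}):
            flagged.append(req.get("id"))
    return flagged


# Constructed sample requests (not real captures).
SAMPLE_REQUESTS = [
    '{"jsonrpc":"2.0","method":"user.login","params":{"user":"alice","password":"x"},"id":1}',
    '{"jsonrpc":"2.0","method":"user.login","params":{"user":"bob","password":"x",'
    '"cnf":{"host":"ldap://198.51.100.7"}},"id":2}',
    '{"jsonrpc":"2.0","method":"host.get","params":{"output":"extend"},"id":3}',
]
```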