Summary: | <net-analyzer/zabbix-{2.0.9-r1, 2.2.0-r4} : Shell command injection (CVE-2013-6824) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthew Marlowe (RETIRED) <mattm> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | mattm |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://support.zabbix.com/browse/ZBX-7479 | ||
Whiteboard: | C1 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Matthew Marlowe (RETIRED)
Updated ebuilds in CVS - waiting to test after they reach rsync servers before requesting stabilization. Fixed versions: 2.0.9-r1, 2.2.0-r4. Please advise when you are ready to go stable.

Let's go ahead and stabilize 2.0.9-r1. It compiles/installs here; haven't had much time to test it, but we haven't had any new bug reports for it or its immediate predecessor, which was in ~arch for several days. The other bumped ebuild 2.2.0-r1 also installed/compiled fine here, so I have no reason yet to think the upstream patch introduced any problems.

Arches, please test and mark stable: =net-analyzer/zabbix-2.0.9-r1
Target Keywords : "amd64 x86"

amd64 stable

x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Cleanup done.

CVE-2013-6824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6824): Zabbix before 1.8.19rc1, 2.0 before 2.0.10rc1, and 2.2 before 2.2.1rc1 allows remote Zabbix servers and proxies to execute arbitrary commands via a newline in a flexible user parameter.

This issue was resolved and addressed in GLSA 201401-26 at http://security.gentoo.org/glsa/glsa-201401-26.xml by GLSA coordinator Sergey Popov (pinkbyte).
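The CVE text above names the mechanism (a newline in a flexible user parameter) without showing it. What follows is an added illustrative example, not Zabbix's own code and not part of the bug report: it models how an agent expands a flexible `UserParameter=key[*],command $1 $2` into a shell command line and screens each argument against a denylist of shell metacharacters (the behaviour of `UnsafeUserParameters=0`). The two denylists, the `ping` template and the argument values are assumptions modeled on the Zabbix documentation. The point it demonstrates is that a denylist without `\n` accepts `127.0.0.1\nid`, and the expanded string then reaches `/bin/sh -c` as two command lines, the second being attacker-chosen.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model (not Zabbix source) of flexible UserParameter expansion
 * and the argument denylist that is supposed to keep shell syntax out of it.
 */

/* Characters rejected in arguments when UnsafeUserParameters=0.
 * UNSAFE_CHARS_OLD omits '\n', which is the gap assumed here to be behind
 * CVE-2013-6824; UNSAFE_CHARS_FIXED adds it. Both sets are modeled on the
 * Zabbix documentation, not copied from its code. */
#define UNSAFE_CHARS_OLD   "\\'\"`*?[]{}~$!&;()<>|"
#define UNSAFE_CHARS_FIXED "\\'\"`*?[]{}~$!&;()<>|\n"

/* true if none of the forbidden characters occurs in arg */
bool arg_is_safe(const char *arg, const char *forbidden)
{
    return strpbrk(arg, forbidden) == NULL;
}

/* Substitute $1..$9 in tmpl with args (missing positions become "").
 * The result is the string an agent would hand to /bin/sh -c.
 * Returns the length written, or -1 if out is too small. */
int expand_user_parameter(const char *tmpl, const char *const *args, int nargs,
                          char *out, size_t outlen)
{
    size_t pos = 0;

    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *piece;
        size_t plen;

        if (*p == '$' && p[1] >= '1' && p[1] <= '9') {
            int idx = p[1] - '1';
            piece = idx < nargs ? args[idx] : "";
            plen = strlen(piece);
            p++;                        /* skip the digit */
        } else {
            piece = p;
            plen = 1;
        }
        if (pos + plen >= outlen)
            return -1;
        memcpy(out + pos, piece, plen);
        pos += plen;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Number of command lines /bin/sh would see: one plus the newline count. */
int shell_command_lines(const char *cmd)
{
    int n = 1;
    for (; *cmd != '\0'; cmd++)
        if (*cmd == '\n')
            n++;
    return n;
}

/* Screen every argument against forbidden, then expand the template.
 * Returns 0 on success, 1 if an argument was rejected, -1 on overflow. */
int build_command(const char *tmpl, const char *const *args, int nargs,
                  const char *forbidden, char *out, size_t outlen)
{
    for (int i = 0; i < nargs; i++)
        if (!arg_is_safe(args[i], forbidden))
            return 1;
    return expand_user_parameter(tmpl, args, nargs, out, outlen) < 0 ? -1 : 0;
}

int main(void)
{
    /* constructed sample: UserParameter=ping[*],/usr/bin/ping -c $1 $2
     * with a server-supplied second argument carrying a newline */
    const char *tmpl = "/usr/bin/ping -c $1 $2";
    const char *args[] = { "3", "127.0.0.1\nid" };
    char cmd[256];

    if (build_command(tmpl, args, 2, UNSAFE_CHARS_OLD, cmd, sizeof cmd) == 0)
        printf("old denylist accepted it; sh would see %d command line(s):\n%s\n",
               shell_command_lines(cmd), cmd);
    if (build_command(tmpl, args, 2, UNSAFE_CHARS_FIXED, cmd, sizeof cmd) == 1)
        printf("fixed denylist rejected the argument\n");
    return 0;
}
```

The denylist approach is fragile by construction: every character the shell treats specially has to be enumerated, and this bug is what one omission costs. The robust alternative for an agent is to never pass user-supplied arguments through a shell at all, executing the configured program directly with an argument vector instead.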