
Bug 534606 (CVE-2014-9450)

Summary: <net-analyzer/zabbix-2.2.8: Multiple SQL injection vulnerabilities (CVE-2014-9450)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: axiator, cyberbat83, mattm, patrick
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 13:15:22 UTC
CVE-2014-9450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9450):
  Multiple SQL injection vulnerabilities in chart_bar.php in the frontend in
  Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow
  remote attackers to execute arbitrary SQL commands via the (1) itemid or (2)
  periods parameter.
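As an added helper (not part of the bug report or of Zabbix itself), a small branch-aware version check that maps an installed Zabbix version to the affected ranges quoted from NVD above, so an administrator can tell whether a given install still needs the chart_bar.php fix; the handling of odd development branches (2.1.x, 2.3.x) as "not covered by the advisory" is my assumption.

```python
"""Branch-aware check for CVE-2014-9450 (Zabbix chart_bar.php SQL injection).

Affected per NVD: before 1.8.22, 2.0.x before 2.0.14, 2.2.x before 2.2.8.
"""
import re
from typing import Optional, Tuple

# First fixed release on each affected branch, taken from the NVD summary.
FIXED = {
    (1, 8): (1, 8, 22),
    (2, 0): (2, 0, 14),
    (2, 2): (2, 2, 8),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract a numeric triple from strings like '2.2.8', 'Zabbix 2.0.13'
    or '2.2.8rc1'; pre-release suffixes are ignored (assumption)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version lies in an affected range, False if it carries the
    fix or is newer than every affected branch (2.4.x and later), and None for
    development branches (e.g. 1.9.x, 2.1.x) the advisory does not mention."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]        # same branch: compare to fixed release
    if v < (1, 8, 22):
        return True                     # anything older than 1.8.22 (1.6.x, ...)
    if v >= (2, 4, 0):
        return False                    # 2.4.x and later are not listed by NVD
    return None                         # unlisted dev branch; not covered


def fix_target(text: str) -> Optional[str]:
    """Smallest fixed release on the same branch, or None if not applicable."""
    v = parse_version(text)
    branch = v[:2] if v[:2] in FIXED else ((1, 8) if v < (1, 8, 22) else None)
    return None if branch is None else ".".join(map(str, FIXED[branch]))
```

A version such as 2.2.5 (the stable ebuild discussed in the comments) reports vulnerable with a fix target of 2.2.8, while 2.2.9 and 2.4.5 report clean.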
Comment 1 cyberbat 2015-01-27 23:33:06 UTC
I'm sorry, but we still have no fixed version in portage. I'm not even talking about stabilization of it.
Comment 2 Matthew Marlowe (RETIRED) gentoo-dev 2015-01-28 22:35:36 UTC
I'll have updated zabbix ebuilds out soon... apologies for the delay, my home workstation has been going through a rebuild process over the last month which has kept me from performing the normal Gentoo stuff... dev system switched from a 2006-ish board with a single old dual core Pentium CPU with 8GB RAM to a 12 core modern Xeon with 64GB RAM.
Comment 3 Marc Schiffbauer gentoo-dev 2015-04-30 07:46:02 UTC
What is the progress here? As I see it we have several versions in tree that suffer from that CVE, here IMO 2.2.8 must be stabilized quickly.

Please act.
Comment 4 Matthew Marlowe (RETIRED) gentoo-dev 2015-05-06 21:49:47 UTC
2.2.9 and 2.4.5 are now in tree.
2.0.14 remains for users of a legacy release that can not upgrade.
2.2.5 also remains as it is the current stable.

Other users are reporting that 2.4.5 works well for them, there are very few bug reports for the 2.4.x set of releases, and this is where upstream is putting most of their effort, so unless there are new bug reports... in a week or two, I'll recommend that we mark 2.4.5 as the new stable and remove the old 2.2.5 stable. We'll keep 2.2.9 with unstable keywords around for those who either do not or can not upgrade to 2.4.x.
Comment 5 Opportunist 2015-05-16 15:00:58 UTC
2.4.5 works great for me on AMD64, thanks.
Comment 6 Robert Förster 2016-05-08 14:28:44 UTC
So what's the holdup here? Actually, I would aim for a 2.2 branch stabilization here since 2.4 has a shorter support cycle upstream and I'd like to prevent unneeded upgrades.

Yes, I'm not the maintainer, but I'd aim for it; I just would love to see this fixed first since a fixed version has been in the tree for a while (2.2.9 or 2.2.11).
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-03 13:51:51 UTC
First fixed version which appeared in Gentoo repository was https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/zabbix-2.2.8.ebuild?hideattic=0&view=log

All done: Current stable version in repository is =net-analyzer/zabbix-2.2.15; no vulnerable version left.

@ Security: Please vote (could be added to an existing GLSA)!
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-12-06 14:54:46 UTC
GLSA Vote: No