| Summary: | <net-analyzer/zabbix-{2.2.16,3.0.6,3.2.2}: API JSON-RPC remote code execution | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | alicef, patrick |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://support.zabbix.com/browse/ZBX-11483 | ||
| See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=1390904 | ||
| Whiteboard: | B2 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
@ Maintainer(s): We are waiting for upstream's release of v2.0.16, v3.0.6, v3.2.2 and v3.3.0 or your backport/cherry-pick (patches are available, see $URL). Added to existing GLSA. Still waiting for the upstream release of v2.1.16. @ Maintainer(s): Upstream has released all three versions we are waiting for. Please bump to =net-analyzer/zabbix-2.2.16 =net-analyzer/zabbix-3.0.6 =net-analyzer/zabbix-3.2.2 Ebuilds for all three branches have been committed. @ Arches, please test and mark stable: =net-analyzer/zabbix-2.2.16 amd64 stable x86 stable. Maintainer(s), please cleanup. This issue was resolved and addressed in GLSA 201612-42 at https://security.gentoo.org/glsa/201612-42 by GLSA coordinator Aaron Bauman (b-man). @maintainer(s), reopened for cleanup... |
From ${URL} : Zabbix versions between 2.2 and 3.0.3 are vulnerable to remote code execution. References: https://www.exploit-db.com/exploits/39937/ CVE assignment: http://seclists.org/oss-sec/2016/q4/298 @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.