Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 598762 (CVE-2016-9140)

Summary: <net-analyzer/zabbix-{2.2.16,3.0.6,3.2.2}: API JSON-RPC remote code execution
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: alicef, patrick
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-11-02 10:44:28 UTC
From ${URL} :

Zabbix versions between 2.2 and 3.0.3 are vulnerable to remote code execution.


CVE assignment:

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-28 01:41:26 UTC
@ Maintainer(s): We are waiting for upstream's release of v2.0.16, v3.0.6, v3.2.2 and v3.3.0 or your backport/cherry-pick (patches are available, see $URL).
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-12-03 13:44:29 UTC
Added to existing GLSA.

Still waiting for the upstream release of v2.1.16.
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-12-08 01:42:51 UTC
@ Maintainer(s): Upstream has released all three versions we are waiting for. Please bump to

Comment 4 Patrick Lauer gentoo-dev 2016-12-08 07:06:33 UTC
Ebuilds for all three branches have been committed.
Comment 5 Thomas Deutschmann gentoo-dev Security 2016-12-08 12:44:16 UTC
@ Arches,

please test and mark stable: =net-analyzer/zabbix-2.2.16
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-13 11:06:20 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-13 11:31:43 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 11:42:46 UTC
This issue was resolved and addressed in
 GLSA 201612-42 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-13 11:43:41 UTC
@maintainer(s), reopened for cleanup...