| Summary: | net-analyzer/zabbix-{3.0.31-r1, 4.0.22, 5.0.2}: Stored XSS Vulnerability (CVE-2020-15803) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | alicef, fordfrog, patrick |
| Priority: | Normal | Flags: | nattka: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://support.zabbix.com/browse/ZBX-18057 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=733050 | | |
| Whiteboard: | B4 [noglsa cve] | | |
| Package list: | =net-analyzer/zabbix-5.0.2 amd64 x86<br>=net-analyzer/zabbix-4.0.22 amd64 x86<br>=net-analyzer/zabbix-3.0.31-r1 amd64 x86 | | |
| Runtime testing required: | --- | | |
Description
John Helmert III
2020-07-18 04:26:47 UTC
Comment #1 (Miroslav Šulc)

afaics there is no 3.0.32 released yet. Otherwise we have the latest versions bumped (just yesterday), but imo they can be stabilized.

Comment #2

(In reply to Miroslav Šulc from comment #1)
> afaics there is no 3.0.32 released yet. Otherwise we have the latest versions bumped (just yesterday), but imo they can be stabilized.

Yeah, looks like that.

Comment #3 (Miroslav Šulc)

I just added the versions we already have for stabilization. imo there's no need to wait. Anyway, we still don't have that 3.0.32 as it was not released yet.

Comment #4

x86 stable

Comment #5 (John Helmert III (ajak))

(In reply to Miroslav Šulc from comment #3)
> I just added the versions we already have for stabilization. imo there's no need to wait. Anyway, we still don't have that 3.0.32 as it was not released yet.

An alternative would be to drop the 3.x version since we appear to have several newer branches in-tree. Any reason to keep it in-tree and wait for upstream on it?

Comment #6 (Miroslav Šulc)

(In reply to John Helmert III (ajak) from comment #5)
> (In reply to Miroslav Šulc from comment #3)
> > I just added the versions we already have for stabilization. imo there's no need to wait. Anyway, we still don't have that 3.0.32 as it was not released yet.
>
> An alternative would be to drop the 3.x version since we appear to have several newer branches in-tree. Any reason to keep it in-tree and wait for upstream on it?

I'm just sticking to what upstream does, which is they keep all these versions as LTS (except 4.4): https://www.zabbix.com/download_sources#tab:30LTS

Comment #7

amd64 stable

Comment #8

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a2fdd0c7f29d5880b0fbe6bc4b055d1de30d5d1

    commit 6a2fdd0c7f29d5880b0fbe6bc4b055d1de30d5d1
    Author:     Miroslav Šulc <fordfrog@gentoo.org>
    AuthorDate: 2020-07-28 08:39:42 +0000
    Commit:     Miroslav Šulc <fordfrog@gentoo.org>
    CommitDate: 2020-07-28 08:39:42 +0000

        net-analyzer/zabbix: removed old and vulnerable 4.0.21 4.4.9 5.0.1

        Bug: https://bugs.gentoo.org/733118
        Package-Manager: Portage-3.0.1, Repoman-2.3.23
        Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

     net-analyzer/zabbix/Manifest             |   3 -
     net-analyzer/zabbix/zabbix-4.0.21.ebuild | 350 -------------------------------
     net-analyzer/zabbix/zabbix-4.4.9.ebuild  | 347 ------------------------------
     net-analyzer/zabbix/zabbix-5.0.1.ebuild  | 347 ------------------------------
     4 files changed, 1047 deletions(-)

Comment #9 (Miroslav Šulc)

Sorry for the delay, I did not notice all archs are stabilized. Upstream still did not release 3.0.32.

Comment #10

Unable to check for sanity:

> no match for package: =net-analyzer/zabbix-4.4.10

Comment #11

4.4* is not supported by upstream anymore, so I removed that one from the tree.

Comment #12

(In reply to Miroslav Šulc from comment #9)
> Sorry for the delay, I did not notice all archs are stabilized. Upstream still did not release 3.0.32.

No worries at all -- you're uber responsive all of the time, and I forgot to ask to cleanup anyway! I think we're still waiting on 3.0.32 but the rest are OK.

Comment #13 (Miroslav Šulc)

I tried to find the commit that fixes it in the upstream repo so that I could apply just that patch to 3.0.31, but I can't see it. In fact I can't see any commit between 3.0.31 and 3.0.32rc1. The repo is here: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits?until=refs%2Fheads%2Frelease%2F3.0

Comment #14 (Sam James)

(In reply to Miroslav Šulc from comment #13)
> I tried to find the commit that fixes it in the upstream repo so that I could apply just that patch to 3.0.31, but I can't see it. In fact I can't see any commit between 3.0.31 and 3.0.32rc1. The repo is here: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits?until=refs%2Fheads%2Frelease%2F3.0

From https://support.zabbix.com/browse/ZBX-18057?focusedCommentId=439120&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-439120, I think it's:

https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cbbbf09ae6b

(not sure why I did not notice this sooner)

Comment #15 (Miroslav Šulc)

(In reply to Sam James from comment #14)
> (In reply to Miroslav Šulc from comment #13)
> > I tried to find the commit that fixes it in the upstream repo so that I could apply just that patch to 3.0.31, but I can't see it. In fact I can't see any commit between 3.0.31 and 3.0.32rc1. The repo is here: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits?until=refs%2Fheads%2Frelease%2F3.0
>
> From https://support.zabbix.com/browse/ZBX-18057?focusedCommentId=439120&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-439120, I think it's:
>
> https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cbbbf09ae6b
>
> (not sure why I did not notice this sooner)

Thanks :-) I have to leave now and won't be at the PC the whole day; I will get and apply the patch tomorrow.

Comment #16

(In reply to Miroslav Šulc from comment #15)
> Thanks :-) I have to leave now and won't be at the PC the whole day; I will get and apply the patch tomorrow.

No worries!

Comment #17

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43e5d720ddda22f747772ffe6cfab9b2362ed0f6

    commit 43e5d720ddda22f747772ffe6cfab9b2362ed0f6
    Author:     Miroslav Šulc <fordfrog@gentoo.org>
    AuthorDate: 2020-07-30 08:24:38 +0000
    Commit:     Miroslav Šulc <fordfrog@gentoo.org>
    CommitDate: 2020-07-30 08:25:00 +0000

        net-analyzer/zabbix: fixed CVE-2020-15803 in 3.0.31-r1

        Bug: https://bugs.gentoo.org/733118
        Package-Manager: Portage-3.0.1, Repoman-2.3.23
        Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

     .../files/zabbix-3.0.31-fix-cve-2020-15803.patch |  83 +++++
     net-analyzer/zabbix/zabbix-3.0.31-r1.ebuild      | 351 +++++++++++++++++++++
     2 files changed, 434 insertions(+)

Comment #18

Please stabilize the newly added 3.0.31-r1 (contains a patch that should fix the CVE).

Comment #19

amd64 stable, x86 stable.

Comment #20

Maintainer(s), please cleanup.

Comment #21

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5a6e082349adea21e3a5d416eac8f7e491d5c2a

    commit b5a6e082349adea21e3a5d416eac8f7e491d5c2a
    Author:     Miroslav Šulc <fordfrog@gentoo.org>
    AuthorDate: 2020-08-05 14:26:41 +0000
    Commit:     Miroslav Šulc <fordfrog@gentoo.org>
    CommitDate: 2020-08-05 14:26:41 +0000

        net-analyzer/zabbix: removed vulnerable 3.0.31

        Bug: https://bugs.gentoo.org/733118
        Package-Manager: Portage-3.0.1, Repoman-2.3.23
        Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

     net-analyzer/zabbix/zabbix-3.0.31.ebuild | 350 -------------------------------
     1 file changed, 350 deletions(-)

Comment #22 (Miroslav Šulc)

We're clean now.

Comment #23

(In reply to Miroslav Šulc from comment #22)
> We're clean now.

Thanks a bunch. All done, closing!