"Zabbix API in versions up to 1.8.1 is vulnerable to an SQL Injection attack which can be exploited without any authentication."
Reproducible: Always
+ 07 Apr 2010; Patrick Lauer <patrick@gentoo.org> +zabbix-1.8.2.ebuild: + Bump, fixes #312875 #313403. As-needed patch fails for now.
Does that mean it's OK to go stable? If so, please add arches.
Please, it seems Zabbix 1.8.2 has bugs too, we shouldn't stable a vulnerable version. I'll look into this later.
There are no ebuilds for zabbix lower than 1.8.3 in tree... Is there any reason this bug needs to stay open?
We can skip here because 1.8.6 is stable[1]. Adding glsa vote request. [1]: See bug 379693
Thanks, folks. GLSA Vote: yes.
CVE-2011-2904 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2904): Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix before 1.8.6 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter.
Yes for both.
CVE-2011-3263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3263): zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows context-dependent attackers to cause a denial of service (CPU consumption) by executing the vfs.file.cksum command for a special device, as demonstrated by the /dev/urandom device.
Security team - do you want to close this bug? 1.8.7 was stabilized fully a few months ago and we're already on to stabilizing 1.8.10.
Matthew, this still needs a GLSA issued. We will include this bug with the GLSA for the others, once 1.8.10-r1 is stable.
Was a GLSA ever issued? Can we close? 1.8.10-r1 was marked stable quite a while ago.
Note this is an ancient open security bug. Impacted ebuilds were removed from tree quite a while ago, and the last request for 1.8.10-r1 to go stable was met and obsoleted via a newer stable ebuild. I would appreciate it if the security herd could close the bug when convenient.
This issue was resolved and addressed in GLSA 201311-15 at http://security.gentoo.org/glsa/glsa-201311-15.xml by GLSA coordinator Sergey Popov (pinkbyte).