Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 312875 (CVE-2010-1144) - <net-analyzer/zabbix-1.8.6: SQL Injection & Denial of Service (CVE-2010-1144,CVE-2011-{2904,3263})
Summary: <net-analyzer/zabbix-1.8.6: SQL Injection & Denial of Service (CVE-2010-1144,...
Status: RESOLVED FIXED
Alias: CVE-2010-1144
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://support.zabbix.com/browse/ZBX...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-04-02 20:56 UTC by Ernst Herzberg
Modified: 2013-11-25 17:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ernst Herzberg 2010-04-02 20:56:19 UTC
"Zabbix API in versions up to 1.8.1 is vulnerable to an SQL Injection attack which can be exploited without any authentication. "

Reproducible: Always
Comment 1 Patrick Lauer gentoo-dev 2010-04-07 13:09:07 UTC
+  07 Apr 2010; Patrick Lauer <patrick@gentoo.org> +zabbix-1.8.2.ebuild:
+  Bump, fixes #312875 #313403. As-needed patch fails for now.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-09 16:01:55 UTC
Does that mean it's OK to go stable? If so, please add arches.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-10 12:22:20 UTC
Please, it seems Zabbix 1.8.2 has bugs too, we shouldn't stable a vulnerable version.

I'll look into this later.
Comment 4 Matthew Marlowe gentoo-dev 2011-08-26 04:41:47 UTC
There are no ebuilds for zabbix lower than 1.8.3 in tree....is there any reason this bug needs to stay open?
Comment 5 Agostino Sarubbo gentoo-dev 2011-09-11 00:28:55 UTC
We can skip here because 1.8.6 is stable[1]. Adding glsa vote request.


[1]: See bug 379693
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-09-11 02:50:28 UTC
Thanks, folks. GLSA Vote: yes.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:07:53 UTC
CVE-2011-2904 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2904):
  Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix before
  1.8.6 allows remote attackers to inject arbitrary web script or HTML via the
  backurl parameter.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-07 22:08:50 UTC
Yes for both.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 23:21:13 UTC
CVE-2011-3263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3263):
  zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows
  context-dependent attackers to cause a denial of service (CPU consumption)
  by executing the vfs.file.cksum command for a special device, as
  demonstrated by the /dev/urandom device.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 23:21:13 UTC
CVE-2011-3263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3263):
  zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows
  context-dependent attackers to cause a denial of service (CPU consumption)
  by executing the vfs.file.cksum command for a special device, as
  demonstrated by the /dev/urandom device.
Comment 11 Matthew Marlowe gentoo-dev 2012-01-05 11:16:38 UTC
Security team - do you want to close this bug? 1.8.7 was stabilized fully a few months ago and we're already on to stabilizing 1.8.10.
Comment 12 Sean Amoss gentoo-dev Security 2012-01-05 12:33:12 UTC
Matthew, this still needs a GLSA issued. We will include this bug with the GLSA for the others, once 1.8.10-r1 is stable.
Comment 13 Matthew Marlowe gentoo-dev 2012-03-20 12:23:48 UTC
Was glsa ever issued? can we close? 1.8.10-r1 was marked stable quite awhile ago.
Comment 14 Matthew Marlowe gentoo-dev 2012-06-20 20:09:59 UTC
Note this is an ancient open security bug.....impacted ebuilds were removed from tree quite awhile ago...and the last request for 1.8.10-r1 to go stable was met and obsoleted via newer stable ebuild.  I would appreciate if security herd could close bug when convenient.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-11-25 17:53:44 UTC
This issue was resolved and addressed in
 GLSA 201311-15 at http://security.gentoo.org/glsa/glsa-201311-15.xml
by GLSA coordinator Sergey Popov (pinkbyte).