Bug 395005 (CVE-2011-4615) - <net-analyzer/zabbix-1.8.10-r1: Script Insertion Vulnerabilities (CVE-2011-4615)
Summary: <net-analyzer/zabbix-1.8.10-r1: Script Insertion Vulnerabilities (CVE-2011-4615)
Status: RESOLVED FIXED
Alias: CVE-2011-4615
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/47216/
Whiteboard: B4 [noglsa]
Keywords:
Depends on: CVE-2011-5027
Blocks: CVE-2011-4674
Reported: 2011-12-16 21:51 UTC by Michael Harrison
Modified: 2012-02-21 02:56 UTC

Description Michael Harrison 2011-12-16 21:51:41 UTC
1) Input passed to "host groups" names is not properly sanitised before being used. This can be exploited to insert HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

Successful exploitation of this vulnerability requires access rights to modify "host group" names.

2) Certain unspecified input to the profiler is not properly sanitised before being used. This can be exploited to insert HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

Solution: Fixed in version 1.8.10rc

Original Advisory:
http://www.zabbix.com/rn1.8.10rc1.php
https://support.zabbix.com/browse/ZBX-4015
Comment 1 Matthew Marlowe (RETIRED) gentoo-dev 2011-12-16 22:20:42 UTC
I'll have an ebuild for 1.8.10rc1 in the tree shortly.  I'm a little leery of stabilizing it because it's a release candidate and not a release yet -- I'm not sure how much zabbix sa has tested it, but the changelog shows nothing except for bugfixes so I wouldn't expect any issues.
Comment 2 Michael Harrison 2011-12-16 22:22:49 UTC
Thank You Matthew
Comment 3 Matthew Marlowe (RETIRED) gentoo-dev 2011-12-16 23:21:18 UTC
1.8.10rc1 in tree with testing keywords: ~amd64, ~x86.
Releases equal or less than 1.8.6 were removed and 1.8.7 -> 1.8.9 retained.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-12-17 00:12:42 UTC
(In reply to comment #3)
> 1.8.10rc1 in tree with testing keywords: ~amd64, ~x86.
> Releases equal or less than 1.8.6 were removed and 1.8.7 -> 1.8.9 retained.

Thanks, Matthew. Do you have an idea when 1.8.10 will be released?
Comment 5 Matthew Marlowe (RETIRED) gentoo-dev 2011-12-17 01:51:54 UTC
1.8 release candidates usually get followed by real releases within a week or two, or worst case a follow-up candidate. In general, zabbix is pushing out new releases for 1.8 roughly once/month. So, I'd think we'd see 1.8.10 no later than the first week of January, and possibly next week, but I haven't spoken to the dev team and I'd doubt they'd give us any commitment even if we asked. The zabbix guys are pretty good about following the "it will be done when it's done" dev model.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-12-17 04:18:56 UTC
Ok, thanks. I think it makes sense to wait a little while for a full release. I'd rather not wait too long though.
Comment 7 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-12-30 08:30:37 UTC
+*zabbix-1.8.10 (30 Dec 2011)
+
+  30 Dec 2011; Lars Wendler <polynomial-c@gentoo.org>
+  -zabbix-1.8.10_rc1.ebuild, +zabbix-1.8.10.ebuild:
+  non-maintainer commit: Version bump (with kind permission from bonsaikitten).
+  Removed old. This fixes bug #395975 and should help solving bug #396495.
+
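Review bot: the last line of this ChangeLog entry cites bug #395975 and bug #396495 but not this bug (395005, CVE-2011-4615), even though the entry is posted here as the version bump for it. Suggest confirming that #395975 is the intended number and referencing 395005 in the entry, so the security fix can be traced from the tree.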
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-01-08 19:57:46 UTC
Unless I am mistaken, this too is an XSS vulnerability. Rerating B4, and closing noglsa. Please reopen if you disagree. Thanks!
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 01:24:42 UTC
CVE-2011-4615 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4615):
  Multiple cross-site scripting (XSS) vulnerabilities in Zabbix before 1.8.10
  allow remote attackers to inject arbitrary web script or HTML via the gname
  parameter (aka host groups name) to (1) hostgroups.php and (2) usergrps.php,
  the update action to (3) hosts.php and (4) scripts.php, and (5)
  maintenance.php.
Comment 10 Matthew Marlowe (RETIRED) gentoo-dev 2012-02-21 02:56:07 UTC
Now that we've had enough time using 1.8.10, and for nearly everyone to migrate, I've removed any of the older ebuilds that might be impacted by vulnerabilities.   1.8.10-r1 is the only ebuild for the 1.8.x tree now.
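The bug title marks everything below net-analyzer/zabbix-1.8.10-r1 as affected, and the thread passes through 1.8.10_rc1, 1.8.10 and 1.8.10-r1, which a plain string or dotted-number comparison orders wrongly. The following is an added example, not part of the bug report or of Gentoo's tooling: a simplified Gentoo-style version comparison in Python that flags listed versions below that boundary. The function names, the one-atom-per-line input format and the sample listing are assumptions made for illustration.

```python
import re

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<snum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)
FIXED = "1.8.10-r1"  # boundary from the bug title: <net-analyzer/zabbix-1.8.10-r1

def version_key(version):
    """Turn a version string into a sortable tuple.

    Simplified (assumption): no letter component such as 1.2a, at most one
    suffix, and numeric components compared as plain integers.
    """
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    return (nums, SUFFIX_RANK[m.group("suffix")],
            int(m.group("snum") or 0), int(m.group("rev") or 0))

def is_affected(version, fixed=FIXED):
    """True if the version sorts strictly below the fixed ebuild revision."""
    return version_key(version) < version_key(fixed)

def affected_from_listing(lines, package="net-analyzer/zabbix"):
    """Return the 'category/name-version' atoms of `package` that are affected."""
    hits, prefix = [], package + "-"
    for line in lines:
        atom = line.strip()
        if not atom.startswith(prefix):
            continue
        try:
            if is_affected(atom[len(prefix):]):
                hits.append(atom)
        except ValueError:
            continue  # a different package sharing the prefix, e.g. zabbix-foo-1.0
    return hits

# Constructed sample listing, one installed atom per line.
SAMPLE = ["net-analyzer/zabbix-1.8.9", "net-analyzer/zabbix-1.8.10_rc1",
          "net-analyzer/zabbix-1.8.10", "net-analyzer/zabbix-1.8.10-r1",
          "net-analyzer/nmap-5.51"]

if __name__ == "__main__":
    for atom in affected_from_listing(SAMPLE):
        print("below fixed revision:", atom)
```
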