Recent zabbix versions prior to 1.8.16 and all 2.0.x releases are susceptible to a significant ldap authentication vulnerability:
I was contacted by upstream and advised that patches and fixes were on the way.
I've already bumped and committed 1.8.16 with ~amd64/~x86 keywords. In a few days, I will remove 1.8.15 and prior ebuilds.
I've also put out a patched 2.0.4 as 2.0.4-r1 ebuild, this has no keywords yet as I am testing it. If tests go well, I'll put it ~amd64/~x86 and it will eventually become our new latest stable. 1.8.16 is being kept solely for those who can not upgrade to 2.0.x for their own reasons.
Fedora has already released their own package updates - but I haven't seen any other distribution security announcements for this CVE.
Thanks for the report, Matthew.
Are one of these versions ready for stabilization?
2.0.4-r1 was keyworded for testing a few days ago...I have been waiting on any bug reports and have yet to receive any....Assuming no problems, it should become the new stable.
Let's go ahead and stabilize 2.0.4-r1 now then....I haven't received any new bug reports for it since it was put in ~amd64/~x86 weeks ago. We'll leave 1.8.16 in testing and eventually remove 1.8.15
GLSA vote: yes.
Added to existing GLSA draft.
This issue was resolved and addressed in
GLSA 201311-15 at http://security.gentoo.org/glsa/glsa-201311-15.xml
by GLSA coordinator Sergey Popov (pinkbyte).
The user.login function in Zabbix before 1.8.16 and 2.x before 2.0.5rc1
allows remote attackers to override LDAP configuration via the cnf