Bug 452878 (CVE-2013-1364) - <net-analyzer/zabbix-{1.8.16,2.0.4-r1}: ldap vulnerabilities ZBX-6097 (CVE-2013-1364)
Summary: <net-analyzer/zabbix-{1.8.16,2.0.4-r1}: ldap vulnerabilities ZBX-6097 (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2013-1364
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://support.zabbix.com/browse/ZBX...
Whiteboard: B4 [glsa]
Reported: 2013-01-18 22:52 UTC by Matthew Marlowe
Modified: 2013-12-27 00:21 UTC
Description Matthew Marlowe gentoo-dev 2013-01-18 22:52:39 UTC
Recent zabbix versions prior to 1.8.16 and all 2.0.x releases are susceptible to a significant ldap authentication vulnerability:

https://support.zabbix.com/browse/ZBX-6097

I was contacted by upstream and advised that patches and fixes were on the way.

I've already bumped and committed 1.8.16 with ~amd64/~x86 keywords.  In a few days, I will remove 1.8.15 and prior ebuilds.

I've also put out a patched 2.0.4 as the 2.0.4-r1 ebuild; this has no keywords yet as I am testing it.  If tests go well, I'll put it in ~amd64/~x86 and it will eventually become our new latest stable.  1.8.16 is being kept solely for those who can not upgrade to 2.0.x for their own reasons.

Fedora has already released their own package updates - but I haven't seen any other distribution security announcements for this CVE.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-27 16:20:53 UTC
Thanks for the report, Matthew.

Is one of these versions ready for stabilization?
Comment 2 Matthew Marlowe gentoo-dev 2013-01-27 19:39:02 UTC
2.0.4-r1 was keyworded for testing a few days ago... I have been waiting on any bug reports and have yet to receive any... Assuming no problems, it should become the new stable.
Comment 3 Matthew Marlowe gentoo-dev 2013-02-11 01:56:24 UTC
Let's go ahead and stabilize 2.0.4-r1 now then... I haven't received any new bug reports for it since it was put in ~amd64/~x86 weeks ago. We'll leave 1.8.16 in testing and eventually remove 1.8.15.
Comment 4 Agostino Sarubbo gentoo-dev 2013-02-11 21:29:40 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-02-11 21:31:11 UTC
x86 stable
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-24 13:22:23 UTC
GLSA vote: yes.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-10 17:18:56 UTC
Added to existing GLSA draft.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-11-25 17:53:52 UTC
This issue was resolved and addressed in GLSA 201311-15 at http://security.gentoo.org/glsa/glsa-201311-15.xml by GLSA coordinator Sergey Popov (pinkbyte).
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 00:21:28 UTC
CVE-2013-1364 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1364): The user.login function in Zabbix before 1.8.16 and 2.x before 2.0.5rc1 allows remote attackers to override LDAP configuration via the cnf parameter.
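The defect class described in the CVE summary above, a login request whose parameters are merged over server-side LDAP settings, illustrated as an added example. This is not Zabbix's code and not part of this bug report: the JSON-RPC body shape, the `cnf` handling, the `ALLOWED_LOGIN_PARAMS` allowlist, the LDAP hostnames and the request bodies are all constructed for the illustration. It places the weak merge pattern beside a hardened handler that (a) never lets request content select the directory server and (b) rejects any login parameter outside a fixed allowlist.

```python
"""Added example (constructed, not Zabbix code): client-supplied parameters
must never override server-side LDAP authentication settings."""
import json
from typing import Any

# Server-side LDAP settings. Constructed example values, not a real deployment.
SERVER_LDAP_CONFIG: dict[str, Any] = {
    "ldap_host": "ldaps://ldap.example.internal",
    "ldap_port": 636,
    "ldap_base_dn": "dc=example,dc=internal",
}

# Hypothetical allowlist: the only keys a user.login request may carry.
ALLOWED_LOGIN_PARAMS = frozenset({"user", "password"})


class RejectedRequest(Exception):
    """A login request that does not match the allowlist."""


def ldap_config_weak(params: dict[str, Any]) -> dict[str, Any]:
    """Weak pattern: a request-supplied 'cnf' object is merged over server
    settings, so the client can choose which directory the bind goes to.
    Constructed to show the defect class, not Zabbix's implementation."""
    return {**SERVER_LDAP_CONFIG, **params.get("cnf", {})}


def ldap_config_hardened(params: dict[str, Any]) -> dict[str, Any]:
    """Hardened pattern: LDAP settings come only from the server side."""
    del params  # request content never influences the directory we bind to
    return dict(SERVER_LDAP_CONFIG)


def validate_login_request(raw_body: str) -> dict[str, Any]:
    """Parse a JSON-RPC style body and enforce the parameter allowlist.

    Returns the validated params; raises RejectedRequest if the method is not
    user.login, params is not an object, a key outside ALLOWED_LOGIN_PARAMS
    is present (e.g. 'cnf'), a required key is missing, or a value is not a
    string. Unknown keys are rejected rather than silently dropped so that
    probing shows up in application logs.
    """
    body = json.loads(raw_body)
    if body.get("method") != "user.login":
        raise RejectedRequest("unexpected method")
    params = body.get("params")
    if not isinstance(params, dict):
        raise RejectedRequest("params must be an object")
    unexpected = sorted(set(params) - ALLOWED_LOGIN_PARAMS)
    if unexpected:
        raise RejectedRequest(f"unexpected login parameters: {unexpected}")
    missing = sorted(ALLOWED_LOGIN_PARAMS - set(params))
    if missing:
        raise RejectedRequest(f"missing login parameters: {missing}")
    if not all(isinstance(params[k], str) for k in ALLOWED_LOGIN_PARAMS):
        raise RejectedRequest("user and password must be strings")
    return params


# Constructed request bodies for the demonstration.
NORMAL_REQUEST = json.dumps({
    "jsonrpc": "2.0", "method": "user.login", "id": 1,
    "params": {"user": "alice", "password": "correct horse"},
})
OVERRIDE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "method": "user.login", "id": 2,
    "params": {"user": "alice", "password": "x",
               "cnf": {"ldap_host": "ldap://untrusted.example"}},
})


def demo() -> dict[str, Any]:
    """Run both patterns over both requests and report what each did."""
    override_params = json.loads(OVERRIDE_REQUEST)["params"]
    result: dict[str, Any] = {
        "weak_host": ldap_config_weak(override_params)["ldap_host"],
        "hardened_host": ldap_config_hardened(override_params)["ldap_host"],
        "normal_accepted": validate_login_request(NORMAL_REQUEST)["user"],
    }
    try:
        validate_login_request(OVERRIDE_REQUEST)
        result["override_rejected"] = False
    except RejectedRequest:
        result["override_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The weak function shows the host changing under client control; the hardened pair shows the same request either having no effect on the bind target or being refused outright at validation. A fixed allowlist of request keys is the general mitigation: any authentication endpoint that forwards a request object wholesale into a configuration structure is exposed to the same class of override.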