Upstream forwarded the following to me this morning: https://support.zabbix.com/browse/ZBX-7479 I'll try to have updated ebuilds for all Zabbix versions in tree later today. The vulnerability is public. We'll need to update stable. Sad about the timing; we just sent out the first Zabbix GLSA in a while last week.
Updated ebuilds in CVS - waiting to test after they reach the rsync servers before requesting stabilization. Fixed versions: 2.0.9-r1, 2.2.0-r4
Please advise when you are ready to go stable.
Let's go ahead and stabilize 2.0.9-r1. It compiles/installs here; I haven't had much time to test it, but we haven't had any new bug reports for it or its immediate predecessor, which was in ~arch for several days. The other bumped ebuild, 2.2.0-r1, also installed/compiled fine here, so I have no reason yet to think the upstream patch introduced any problems.
Arches, please test and mark stable: =net-analyzer/zabbix-2.0.9-r1 Target keywords: "amd64 x86"
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Cleanup done.
CVE-2013-6824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6824): Zabbix before 1.8.19rc1, 2.0 before 2.0.10rc1, and 2.2 before 2.2.1rc1 allows remote Zabbix servers and proxies to execute arbitrary commands via a newline in a flexible user parameter.
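As an added example (not part of this bug thread, and not Zabbix's own code), the following models the argument check an agent applies to flexible user parameters when UnsafeUserParameters=0: the forbidden character list is taken from the Zabbix documentation as an assumption, and the model shows why an argument containing a newline passes the pre-fix check but is refused once newlines are rejected, which is the class of issue the CVE text above describes.

```python
from typing import List, Optional, Set, Tuple

# Characters the Zabbix agent rejects in flexible UserParameter arguments
# with UnsafeUserParameters=0. Assumption: this set is taken from the Zabbix
# agent documentation, not from the bug thread this example accompanies.
FORBIDDEN_BEFORE_FIX: Set[str] = set('\\\'"`*?[]{}~$!&;()<>|#@')
# The fix for ZBX-7479 / CVE-2013-6824 additionally rejects newlines, which
# otherwise end the shell command line and let a second line follow it.
FORBIDDEN_AFTER_FIX: Set[str] = FORBIDDEN_BEFORE_FIX | {'\n'}


def parse_key(key: str) -> Tuple[str, List[str]]:
    """Split an item key such as 'net.if[eth0,in]' into its name and argument list.
    A key with no brackets has no arguments."""
    if not key.endswith(']') or '[' not in key:
        return key, []
    name, _, rest = key.partition('[')
    return name, rest[:-1].split(',')


def argument_is_safe(arg: str, forbidden: Set[str] = FORBIDDEN_AFTER_FIX) -> bool:
    """True when no character of `arg` belongs to the forbidden set."""
    return not any(ch in forbidden for ch in arg)


def expand_user_parameter(template: str, key: str,
                          forbidden: Set[str] = FORBIDDEN_AFTER_FIX) -> Optional[str]:
    """Model of flexible UserParameter expansion: $1, $2, ... in `template`
    are replaced by the key's arguments. Returns None (refuses to build a
    command) when any argument fails validation against `forbidden`."""
    _, args = parse_key(key)
    if not all(argument_is_safe(a, forbidden) for a in args):
        return None
    cmd = template
    for i, a in enumerate(args, start=1):
        cmd = cmd.replace(f'${i}', a)
    return cmd


if __name__ == '__main__':
    # Constructed sample: a harmless template and a key whose argument
    # carries a newline. The pre-fix check lets it through; the fixed one does not.
    template = 'echo $1'
    key = 'demo[eth0\nsecond line]'
    print(repr(expand_user_parameter(template, key, FORBIDDEN_BEFORE_FIX)))  # 'echo eth0\nsecond line'
    print(repr(expand_user_parameter(template, key)))  # None
```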
This issue was resolved and addressed in GLSA 201401-26 at http://security.gentoo.org/glsa/glsa-201401-26.xml by GLSA coordinator Sergey Popov (pinkbyte).