From ${URL} :

It was reported [1],[2] that the Zabbix frontend supported an XML data import feature, where on the server it used DOMDocument to parse the XML. By default, DOMDocument also parses the external DTD, which could allow a remote attacker to use a crafted XML file causing Zabbix to read an arbitrary local file, and send the contents of the specified file to a remote server.

This is fixed upstream via:

* svn://svn.zabbix.com/branches/dev/ZBX-8151-18 r46594 for 1.8
* svn://svn.zabbix.com/branches/dev/ZBX-8151-20 r46600 for 2.0+

[1] https://support.zabbix.com/browse/ZBX-8151
[2] http://www.pnigos.com/?p=273

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
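The DOMDocument behaviour described in the report above can be closed off on the parsing side. The following is an added example, not part of the bug report and not the upstream Zabbix patch: `load_import_xml()` is a hypothetical helper, and both sample documents are constructed.

```php
<?php
// Added example: load_import_xml() is a hypothetical helper, not Zabbix code.
function load_import_xml(string $xml): DOMDocument
{
    if ($xml === '') {
        throw new RuntimeException('Import rejected: empty document');
    }
    // PHP < 8.0: switch off the libxml external entity loader before parsing.
    // PHP 8.0+ deprecates this call; libxml2 >= 2.9 does not load external
    // entities unless LIBXML_NOENT or LIBXML_DTDLOAD is requested.
    $restore = null;
    if (PHP_VERSION_ID < 80000) {
        $restore = libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET blocks network access; no NOENT/DTDLOAD/DTDATTR flags.
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('Import rejected: XML is not well-formed');
        }
        // An import file has no need for a DTD, so refuse any DOCTYPE node.
        foreach ($doc->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('Import rejected: DOCTYPE not allowed');
            }
        }
        return $doc;
    } finally {
        // Restore global libxml state so other code paths are unaffected.
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
        if ($restore !== null) {
            libxml_disable_entity_loader($restore);
        }
    }
}

// Constructed samples: a plain import and one declaring an external entity.
$benign = '<zabbix_export><version>2.0</version></zabbix_export>';
$withDoctype = '<!DOCTYPE zabbix_export [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>'
    . '<zabbix_export><version>&e;</version></zabbix_export>';

foreach ([$benign, $withDoctype] as $sample) {
    try {
        load_import_xml($sample);
        echo "accepted\n";
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```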
newer ebuilds with security patches in tree: zabbix-2.2.4 zabbix-2.0.12-r1
Maintainers, please advise when ebuilds have had enough testing, and are ready for stabilization.
Zabbix 2.2.5 has had enough testing and should become the new stable. Bug #516840 is the stable request.
Arches, Thank you for your work

Maintainer(s), please drop the vulnerable version.

GLSA Vote: Yes
Older ebuilds removed from CVS.
(In reply to Yury German from comment #4)
> GLSA Vote: Yes

Revising: GLSA Vote: No

Thank you all.

Closing as noglsa.