CVE-2014-9450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9450): Multiple SQL injection vulnerabilities in chart_bar.php in the frontend in Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow remote attackers to execute arbitrary SQL commands via the (1) itemid or (2) periods parameter.
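As an added example, not taken from this bug thread and not Gentoo or Zabbix tooling, the following check encodes the affected ranges exactly as the CVE description states them (before 1.8.22, 2.0.x before 2.0.14, 2.2.x before 2.2.8) so an administrator can test the versions discussed in the thread against them. The handling of Gentoo-style atoms such as `=net-analyzer/zabbix-2.2.15` and of pre-release suffixes (`rc`, `_rc`, `beta`) is my own assumption about input formats, not something the page specifies.

```python
"""Classify Zabbix frontend versions against the CVE-2014-9450 affected ranges.

Added example; it only encodes the version ranges given in the CVE text.
Branches not mentioned there (1.8.22 and later, 2.4.x, ...) are reported as
"not listed as affected", which is all the description supports.
"""
import re

# Ranges quoted from the CVE description.  OLDEST_FIXED applies to every
# version below it regardless of branch (1.6.x, 1.8.0 .. 1.8.21); the other two
# entries are per-branch thresholds.
OLDEST_FIXED = (1, 8, 22)
FIRST_FIXED = {
    (2, 0): (2, 0, 14),
    (2, 2): (2, 2, 8),
}

# Assumed input formats: bare versions, ebuild file names, Gentoo atoms,
# optionally with an upstream (rc1) or Gentoo-style (_rc1) pre-release suffix.
_VERSION_RE = re.compile(r'(\d+(?:\.\d+)+)(_?(?:rc|beta|alpha|pre))?', re.I)


def parse_version(text):
    """Return (numbers, is_prerelease) for strings such as '2.2.8',
    '2.2.8rc1', 'zabbix-2.2.8.ebuild' or '=net-analyzer/zabbix-2.2.15'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split('.'))
    return numbers, m.group(2) is not None


def _orderable(numbers, prerelease=False):
    """Pad to three components and append a marker so a pre-release sorts
    below the final release with the same number (2.2.8rc1 < 2.2.8)."""
    padded = (tuple(numbers) + (0, 0, 0))[:3]
    return padded + ((-1,) if prerelease else (0,))


def is_vulnerable(version):
    """True if the version lies inside one of the ranges the CVE lists."""
    numbers, prerelease = parse_version(version)
    v = _orderable(numbers, prerelease)
    if v < _orderable(OLDEST_FIXED):
        return True                       # everything below 1.8.22
    fixed = FIRST_FIXED.get(numbers[:2])
    if fixed is not None:
        return v < _orderable(fixed)      # 2.0.x and 2.2.x branches
    return False                          # not listed as affected


def audit(versions):
    """Map each input string to 'vulnerable' or 'not listed as affected'."""
    return {
        v: ("vulnerable" if is_vulnerable(v) else "not listed as affected")
        for v in versions
    }


if __name__ == "__main__":
    # Versions mentioned in the thread plus the CVE boundaries (constructed list).
    for version, status in audit([
        "2.2.5", "2.2.8", "2.2.9", "=net-analyzer/zabbix-2.2.15",
        "2.0.14", "2.4.5", "1.8.21", "2.2.8rc1",
    ]).items():
        print(f"{version:32} {status}")
```

The pre-release marker matters at the boundary: the description names 2.2.8 as the first fixed release, so a 2.2.8 release candidate is still classified as vulnerable rather than silently passing because its number matches.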
I'm sorry, but we still have no fixed version in portage. I'm not even talking about stabilization of it.
I'll have updated zabbix ebuilds out soon... apologies for the delay; my home workstation has been going through a rebuild process over the last month, which has kept me from performing the normal Gentoo stuff... the dev system switched from a 2006-ish board with a single old dual-core Pentium CPU with 8 GB RAM to a 12-core modern Xeon with 64 GB RAM.
What is the progress here? As I see it we have several versions in tree that suffer from that CVE, here IMO 2.2.8 must be stabilized quickly. Please act.
2.2.9 and 2.4.5 are now in tree. 2.0.14 remains for users of a legacy release that cannot upgrade. 2.2.5 also remains as it is the current stable. Other users are reporting that 2.4.5 works well for them, there are very few bug reports for the 2.4.x set of releases, and this is where upstream is putting most of their effort, so unless there are new bug reports in a week or two, I'll recommend that we mark 2.4.5 as the new stable and remove the old 2.2.5 stable. We'll keep 2.2.9 with unstable keywords around for those who either do not or cannot upgrade to 2.4.x.
2.4.5 works great for me on AMD64, thanks.
So what's the holdup here? Actually, I would aim for a 2.2 branch stabilization here, since 2.4 has a shorter support cycle upstream and I'd like to prevent unneeded upgrades. Yes, I'm not the maintainer, but I'd aim for it; I just would love to see this fixed first, since a fixed version has been in the tree for a while (2.2.9 or 2.2.11).
The first fixed version which appeared in the Gentoo repository was https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/zabbix-2.2.8.ebuild?hideattic=0&view=log

All done: the current stable version in the repository is =net-analyzer/zabbix-2.2.15; no vulnerable version is left.

@Security: please vote (could be added to an existing GLSA)!
GLSA Vote: No