From $URL : A security flaw was found in the way Zabbix, an open-source monitoring solution for IT infrastructure, used (lib)cURL's CURLOPT_SSL_VERIFYHOST variable, when doing certificate validation (value of '1' meaning only check for the existence of a common name was used instead of value '2' - which also checks if the particular common name matches the requested hostname of the server). A rogue service could use this flaw to conduct man-in-the-middle (MiTM) attacks. Upstream bug report: [1] https://support.zabbix.com/browse/ZBX-5924 References: [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697443 [3] http://www.openwall.com/lists/oss-security/2013/01/02/1 [4] http://www.openwall.com/lists/oss-security/2013/01/03/1
I've commented on the upstream bug report and hopefully they'll have this fixed soon. Have to wait on them.
Commented on upstream bug again, if no response soon will update ebuild to require earlier versions of curl.
zabbix-2.0.6-r5 which was just committed to cvs places restrictions on curl version dependencies, this will be a stopgap measure until upstream fixes ZBX-5924.
resolved in version 2.0.8 [https://support.zabbix.com/browse/ZBX-5924]
All zabbix versions prior to 2.0.8 have been removed. Curl issues should be resolved. Closing.
GLSA vote: no.
GLSA vote: no Closing as noglsa
CVE-2012-6086 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6086): libs/zbxmedia/eztexting.c in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.8rc1, and 2.1.x before 2.1.2 does not properly set the CURLOPT_SSL_VERIFYHOST option for libcurl, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
