From ${URL} :

Description
A vulnerability has been reported in Zabbix, which can be exploited by malicious users to conduct spoofing attacks. The vulnerability is caused due to an error when handling the user.login call related to API permissions and can be exploited to impersonate any user by passing another username to the user.login request. Successful exploitation requires Zabbix to be configured with HTTP authentication. The vulnerability is reported in versions 1.8.19, 2.0.10, and 2.2.1. Other versions may also be affected.

Solution:
Fixed in the SVN repository.

Provided and/or discovered by:
Vitaly Shupak within a bug report.

Original Advisory:
Zabbix:
http://www.zabbix.com/rn1.8.20rc1.php
http://www.zabbix.com/rn2.0.11rc1.php
http://www.zabbix.com/rn2.2.2rc1.php
Vitaly Shupak:
https://support.zabbix.com/browse/ZBX-7703

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Adding CVEs as versions contain other vulnerability fixes:
CVE-2013-5572 - Was fixed for 2.0 slot, now fixed as part of 2.2.2rc2 as well.
CVE-2014-1682 - Fixed for 2.0.11rc1 and 2.2.2rc1
CVE-2014-1685 - Fixed for 2.2.2rc2

Vulnerability Information:
Zabbix being able to switch users without proper credentials when using HTTP authentication; reference CVE-2014-1682
https://support.zabbix.com/browse/ZBX-7703
LDAP authentication; reference CVE-2013-5572
https://support.zabbix.com/browse/ZBX-6721
admin user being able to update media for other users; reference CVE-2014-1685
https://support.zabbix.com/browse/ZBX-7693
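The first two comments describe the CVE-2014-1682 condition: with HTTP authentication enabled, a user.login request that names a different user than the one the web server already authenticated must not be honoured. The following is an added example written for this thread, not Zabbix's own PHP fix and not code from the advisory; it models, in Python, the guard a front-end or reverse-proxy middleware would apply to the JSON-RPC body (Zabbix's API uses method "user.login" with a "user" parameter; the function names, the REMOTE_USER-style identity argument and the sample request bodies are constructed for the example).

```python
"""Added example: reject user.login calls that name a user other than the
HTTP-authenticated one (the impersonation condition in CVE-2014-1682).
This is illustrative middleware logic, not Zabbix's own fix."""
import json
from typing import List, Optional, Tuple


def parse_jsonrpc(body: str) -> dict:
    """Parse a JSON-RPC 2.0 request body; raise ValueError on anything malformed."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON-RPC body: {exc}") from exc
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or "method" not in req:
        raise ValueError("not a JSON-RPC 2.0 request object")
    return req


def check_login_request(body: str, remote_user: Optional[str],
                        http_auth_enabled: bool) -> Tuple[bool, str]:
    """Return (allowed, reason) for one API request.

    remote_user is the identity the web server established via HTTP
    authentication (REMOTE_USER in CGI terms); None means no such identity.
    Only user.login is inspected; every other method passes through unchanged.
    """
    req = parse_jsonrpc(body)
    if req["method"] != "user.login":
        return True, "not a user.login call"
    if not http_auth_enabled:
        return True, "HTTP authentication disabled; ordinary password login path"
    if remote_user is None:
        # HTTP auth is on but the web server attached no identity: fail closed.
        return False, "HTTP authentication enabled but request carries no authenticated user"
    params = req.get("params") or {}
    requested = params.get("user")
    if requested is None:
        return True, f"no username supplied; session bound to {remote_user!r}"
    if requested != remote_user:
        # This is the CVE-2014-1682 pattern: the caller asks to become someone else.
        return False, (f"user.login for {requested!r} does not match "
                       f"HTTP-auth user {remote_user!r}")
    return True, f"user.login matches HTTP-auth user {remote_user!r}"


# Constructed sample traffic: (label, JSON-RPC body, HTTP-auth identity).
SAMPLE_REQUESTS = [
    ("benign-login",
     '{"jsonrpc":"2.0","method":"user.login","params":{"user":"alice","password":""},"id":1}',
     "alice"),
    ("impersonation",
     '{"jsonrpc":"2.0","method":"user.login","params":{"user":"Admin","password":""},"id":2}',
     "alice"),
    ("other-method",
     '{"jsonrpc":"2.0","method":"host.get","params":{},"auth":"constructed-session-token","id":3}',
     "alice"),
    ("no-http-identity",
     '{"jsonrpc":"2.0","method":"user.login","params":{"user":"bob","password":""},"id":4}',
     None),
]


def audit(samples=SAMPLE_REQUESTS, http_auth_enabled: bool = True) -> List[Tuple[str, bool, str]]:
    """Run the guard over a batch of requests and return (label, allowed, reason) rows."""
    return [(label, *check_login_request(body, user, http_auth_enabled))
            for label, body, user in samples]


def rejected_labels(samples=SAMPLE_REQUESTS, http_auth_enabled: bool = True) -> List[str]:
    """Labels of the requests the guard would refuse."""
    return [label for label, allowed, _ in audit(samples, http_auth_enabled) if not allowed]


if __name__ == "__main__":
    for label, allowed, reason in audit():
        print(f"{label:18} {'ALLOW' if allowed else 'REJECT':6} {reason}")
```

With HTTP authentication on, only the request whose "user" parameter matches the identity the web server already established is allowed to log in; the same batch with `http_auth_enabled=False` passes everything through, which is why the advisory scopes the issue to HTTP-auth deployments.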
In CVS, awaiting build on test box.
Let's stabilize 2.0.11_rc1-r1. 2.2.2_rc2-r1 can stay in testing but should be safe. Will clean out all older ebuilds once 2.0.11_rc1-r1 is stabilized.
Arches, please test and mark stable: =net-analyzer/zabbix-2.0.11_rc1-r1 Target Keywords : "amd64 x86" =net-analyzer/zabbix-2.2.2_rc2-r1 - Do Not Stable / Testing.
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
Old ebuilds cleaned up. Looks good.
GLSA vote: no.
GLSA vote: no Closing as noglsa