Bug 509898 (CVE-2014-1685) - <net-analyzer/zabbix-{2.0.12,2.2.3}: unauthorized modification of user media via Zabbix Admin users (CVE-2014-1685)
Status: RESOLVED FIXED
Alias: CVE-2014-1685
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa/cleanup]
Reported: 2014-05-09 07:28 UTC by Agostino Sarubbo
Modified: 2014-06-26 04:01 UTC
Description Agostino Sarubbo gentoo-dev 2014-05-09 07:28:41 UTC
CVE-2014-1685 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1685):
  The Frontend in Zabbix before 1.8.20rc2, 2.0.x before 2.0.11rc2, and 2.2.x 
  before 2.2.2rc1 allows remote "Zabbix Admin" users to modify the media 
  of arbitrary users via unspecified vectors.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Matthew Marlowe (RETIRED) gentoo-dev 2014-05-14 06:09:26 UTC
Zabbix 2.0.12 and 2.2.3 just added to CVS. Will wait a few days to see if any bugs are opened before requesting stabilization and removing prior vulnerable stable builds. Zabbix 1.8.x is no longer in the tree and hasn't been for a while.
Comment 2 Matthew Marlowe (RETIRED) gentoo-dev 2014-06-06 01:45:28 UTC
I haven't seen any new bugs opened for the updated zabbix ebuilds over the last 2-3 weeks, so it is probably time to promote one of them to stable.

My preference is to stabilize 2.0.12.
Comment 3 Agostino Sarubbo gentoo-dev 2014-06-08 09:42:22 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-06-08 10:59:49 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-08 12:05:49 UTC
GLSA vote: no
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 05:17:36 UTC
GLSA Vote: No

No GLSA needed 


Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.
Comment 7 Matthew Marlowe (RETIRED) gentoo-dev 2014-06-25 20:45:23 UTC
Cleanup complete.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-06-26 04:01:45 UTC
Maintainer(s), Thank you for cleanup!

No GLSA - Closing Bug as Resolved