Bug 534606 (CVE-2014-9450) - <net-analyzer/zabbix-2.2.8: Multiple SQL injection vulnerabilities (CVE-2014-9450)
Status: RESOLVED FIXED
Alias: CVE-2014-9450
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2015-01-04 13:15 UTC by GLSAMaker/CVETool Bot
Modified: 2016-12-06 14:54 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 13:15:22 UTC
CVE-2014-9450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9450):
  Multiple SQL injection vulnerabilities in chart_bar.php in the frontend in
  Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow
  remote attackers to execute arbitrary SQL commands via the (1) itemid or (2)
  periods parameter.
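The affected ranges quoted above are branch-specific, which makes manual triage of an installed Zabbix error-prone (2.2.5 is affected, 2.0.14 is not, even though 2.0.14 is "older"). The following is an added example, not code from the bug report, from Gentoo or from Zabbix: a small Python helper that encodes the NVD ranges for CVE-2014-9450 and classifies a version string or a Gentoo package atom. The sample list of installed atoms is constructed for illustration; it mirrors versions discussed in this bug but is not real `equery`/`qlist` output. Branches the advisory text does not mention (for example 2.4.x) are reported as "not covered" rather than assumed safe, since the quoted text makes no statement about them.

```python
import re
from typing import Dict, Optional, Tuple

# Branch -> first fixed release, taken from the NVD text for CVE-2014-9450:
# "before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8".
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 8): (1, 8, 22),
    (2, 0): (2, 0, 14),
    (2, 2): (2, 2, 8),
}

# X.Y.Z with an optional Gentoo ebuild revision suffix (-rN), which does not
# change the upstream version and is ignored for triage.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-r\d+)?$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse '2.2.5', '2.2.9-r1' or a full atom 'net-analyzer/zabbix-2.2.5'."""
    bare = version.rsplit("zabbix-", 1)[-1]
    m = _VERSION_RE.match(bare)
    if not m:
        raise ValueError(f"unrecognised Zabbix version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def cve_2014_9450_status(version: str) -> Optional[bool]:
    """
    True  -> affected according to the advisory text
    False -> on a listed branch, at or above that branch's first fixed release
    None  -> branch not mentioned by the advisory text (e.g. 2.4.x); no claim
             is made either way, the caller must consult the upstream advisory
    """
    v = parse_version(version)
    # "before 1.8.22" carries no branch qualifier: every release older than
    # 1.8.22, including pre-1.8 ones, is affected.
    if v < FIXED_IN[(1, 8)]:
        return True
    fixed = FIXED_IN.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < fixed


def triage(installed) -> Dict[str, Optional[bool]]:
    """Classify each installed version/atom; see cve_2014_9450_status."""
    return {atom: cve_2014_9450_status(atom) for atom in installed}


# Constructed sample (not real package-manager output), using versions that
# appear in this bug's discussion.
SAMPLE_INSTALLED = [
    "net-analyzer/zabbix-2.2.5",
    "net-analyzer/zabbix-2.2.9",
    "net-analyzer/zabbix-2.0.14",
    "net-analyzer/zabbix-2.4.5",
]

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "fixed", None: "not covered by CVE-2014-9450 text"}
    for atom, status in triage(SAMPLE_INSTALLED).items():
        print(f"{atom}: {labels[status]}")
```

On a Gentoo host the input list would come from something like `qlist -Iv net-analyzer/zabbix`; the helper only answers "is this version inside the quoted affected ranges", it does not check which frontend is actually deployed, so it is a starting point for triage rather than a substitute for upgrading to the fixed ebuilds named later in this bug.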
Comment 1 cyberbat 2015-01-27 23:33:06 UTC
I'm sorry, but we still have no fixed version in portage. I'm even not talking about stabilization of it.
Comment 2 Matthew Marlowe (RETIRED) gentoo-dev 2015-01-28 22:35:36 UTC
I'll have updated zabbix ebuilds out soon... apologies for the delay, my home workstation has been going through a rebuild process over the last month, which has kept me from performing the normal Gentoo stuff... the dev system switched from a 2006-ish board with a single old dual-core Pentium CPU with 8 GB RAM to a 12-core modern Xeon with 64 GB RAM.
Comment 3 Marc Schiffbauer gentoo-dev 2015-04-30 07:46:02 UTC
What is the progress here? As I see it, we have several versions in tree that suffer from that CVE; IMO 2.2.8 must be stabilized quickly here.

Please act.
Comment 4 Matthew Marlowe (RETIRED) gentoo-dev 2015-05-06 21:49:47 UTC
2.2.9 and 2.4.5 are now in tree.
2.0.14 remains for users of a legacy release that can not upgrade.
2.2.5 also remains as it is the current stable.

Other users are reporting that 2.4.5 works well for them, there are very few bug reports for the 2.4.x set of releases, and this is where upstream is putting most of their effort, so unless there are new bug reports... in a week or two, I'll recommend that we mark 2.4.5 as the new stable and remove the old 2.2.5 stable. We'll keep 2.2.9 with unstable keywords around for those who either do not or can not upgrade to 2.4.x.
Comment 5 Opportunist 2015-05-16 15:00:58 UTC
2.4.5 works great for me on AMD64, thanks.
Comment 6 Robert Förster 2016-05-08 14:28:44 UTC
So what's the holdup here? Actually, I would aim for a 2.2 branch stabilization here, since 2.4 has a shorter support cycle upstream and I'd like to prevent unneeded upgrades.

Yes, I'm not the maintainer, but I'd aim for it; I just would love to see this fixed first, since a fixed version has been in the tree for a while (2.2.9 or 2.2.11).
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-03 13:51:51 UTC
First fixed version which appeared in Gentoo repository was https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/zabbix/zabbix-2.2.8.ebuild?hideattic=0&view=log

All done: Current stable version in repository is =net-analyzer/zabbix-2.2.15; no vulnerable version left.


@ Security: Please vote (could be added to an existing GLSA)!
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-12-06 14:54:46 UTC
GLSA Vote: No