Bug 637028 (CVE-2016-10134, CVE-2017-2824) - =net-analyzer/zabbix-3.4.4 version bump
Summary: =net-analyzer/zabbix-3.4.4 version bump
Alias: CVE-2016-10134, CVE-2017-2824
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa cve]
Reported: 2017-11-10 07:11 UTC by Opportunist
Modified: 2018-12-02 21:18 UTC
Description Opportunist 2017-11-10 07:11:28 UTC
:: New Features and Improvements

    [ZBXNEXT-1421] added service sorting by name if multiple services has same 'sortorder' value
    [ZBXNEXT-3493] added Windows service configuration check to determine if service can be trigger started
    [ZBXNEXT-4019] implemented default widget refresh interval
    [ZBXNEXT-4081] improved error message for case when none of supported database modules exists

:: Bug Fixes

    [DEV-593] fixed multiple security issues
    [ZBX-12874] fixed target list to be meaningless if custom set of commands is executed on zabbix server
    [ZBX-12936] fixed update proxy lastaccess value when receiving data
    [ZBX-12854] fixed crash of VMware collector with DebugLevel=4
    [ZBX-12903] added floating value range validation for metrics calculated by server
    [ZBX-12904] added validation for groupid and hostid parameters in dashboard view
    [ZBX-12837] fixed error in action update when changing media type
    [ZBX-11902] fixed CPU count for LPAR partitions in IBM AIX
    [ZBX-12778] fixed problem.get and event.get API methods when "selectTags" option contains extended output
    [ZBX-12260] fixed windows agent to support UTF-16LE, UCS-2, UCS-2LE encodings
    [ZBX-12853] fixed last access not being updated for passive proxies after getting historical data
    [ZBX-6669] fixed use of current host as filter when selecting items for graph forms and trigger forms
    [ZBX-12722] fixed scrollbar causing a JS error in "500 latest values" page due to unnecessarily initialization
    [ZBX-12860] fixed problem counting in host groups in navigation tree widget
    [ZBX-12710] fixed OS type detection logic
    [ZBX-12543] fixed problems with session management
    [ZBX-12670] fixed {HOST.*} macro support in map trigger elements
    [ZBX-12784] fixed advanced label support in map editing mode
    [ZBX-12666] fixed ETag comparison check in jsLoader for web server with enabled compression
    [ZBX-12775] fixed undefined index error in dashboard problems widget
    [ZBX-12857] improved pre-processing manager performance when processing large number of values
    [ZBX-12259] added an informative warning about lack of data for macros used in LLD rule filter
Comment 1 Patrick Lauer gentoo-dev 2017-11-10 12:05:11 UTC

[DEV-593] fixed multiple security issues

this might require stabling new versions, CCing security@
Comment 2 Opportunist 2017-11-10 12:09:39 UTC
thank you!
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-10 14:44:23 UTC
Vulnerability Details : CVE-2017-2824

An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.
Publish Date : 2017-05-24 | Last Update Date : 2017-11-05

Vulnerability Details : CVE-2016-10134

SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.
Publish Date : 2017-02-16 | Last Update Date : 2017-11-03

@Maintainers I'm adding two CVEs to the list, but those are not affecting Gentoo. If you find any that affect a current stable version, please let us know.

Thank you