| Summary: | zabbix new security issue CVE-2013-6824 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | makowski.mageia, mitya, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/576919/ | | |
| Whiteboard: | has_procedure advisory mga3-64-ok mga3-32-ok | | |
| Source RPM: | zabbix-2.0.9-2.mga4.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2013-12-04 02:52:21 CET

David Walser
2013-12-04 02:52:30 CET
Whiteboard: (none) => MGA3TOO

There were also SQL injection and XSS issues fixed in 2.0.9rc1:
https://support.zabbix.com/browse/ZBX-7091
https://support.zabbix.com/browse/ZBX-6952
http://www.zabbix.com/rn2.0.9rc1.php

Zabbix 2.0.10 is out, which fixes this:
http://www.zabbix.com/rn2.0.10.php

Dave Hodgins
2013-12-12 22:36:35 CET
Blocks: (none) => 11726

Fedora has issued an advisory for this on December 5:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123446.html

URL: (none) => http://lwn.net/Vulnerabilities/576919/

Advisory:
========================

Updated zabbix packages fix security vulnerabilities:

This update fixes multiple vulnerabilities.

- Fix vulnerability for remote command execution injection (ZBX-7479, CVE-2013-6824)
- Fix SQL injection vulnerability (ZBX-7091, CVE-2013-5743)
- Fix XSS issues (ZBX-6952)

References:
http://lwn.net/Vulnerabilities/576919/
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123446.html
https://support.zabbix.com/browse/ZBX-7479
https://support.zabbix.com/browse/ZBX-7091
https://support.zabbix.com/browse/ZBX-6952
http://www.zabbix.com/rn2.0.9rc1.php
========================

Updated packages in core/updates_testing:
========================
zabbix-server-2.0.10-1.mga3
zabbix-proxy-mysql-2.0.10-1.mga3
zabbix-web-2.0.10-1.mga3
zabbix-proxy-pgsql-2.0.10-1.mga3
zabbix-proxy-2.0.10-1.mga3
zabbix-proxy-sqlite-2.0.10-1.mga3
zabbix-server-sqlite-2.0.10-1.mga3
zabbix-agent-2.0.10-1.mga3
zabbix-server-mysql-2.0.10-1.mga3
zabbix-debuginfo-2.0.10-1.mga3
zabbix-java-2.0.10-1.mga3
zabbix-server-pgsql-2.0.10-1.mga3

from zabbix-2.0.10-1.mga3.src

Freeze push asked for mga4

CC: (none) => makowski.mageia

Philippe Makowski
2014-01-08 23:24:11 CET
Version: Cauldron => 3

Thanks Philippe! Just making a minor adjustment to the references.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6824
https://support.zabbix.com/browse/ZBX-7479
https://support.zabbix.com/browse/ZBX-7091
https://support.zabbix.com/browse/ZBX-6952
http://www.zabbix.com/rn2.0.9.php
http://www.zabbix.com/rn2.0.10.php
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123446.html

CC: (none) => mitya

zabbix-2.0.10-2.mga4 uploaded for Cauldron.

Blocks: 11726 => (none)

David Walser
2014-01-09 21:34:53 CET
Severity: normal => major

Working on this, it's far from being user friendly.

After install, created a mysql database zabbix, with user & password both zabbix. Set these details in /etc/zabbix/zabbix_server.conf. Imported the database schema, images and data:

    # cd /usr/share/zabbix/schema/database/mysql
    # mysql -p -u zabbix zabbix < schema.sql
    Enter password:
    # mysql -p -u zabbix zabbix < images.sql
    Enter password:
    # mysql -p -u zabbix zabbix < data.sql
    Enter password:

Started zabbix-server service then browsed to http://localhost/zabbix and configured the database. When complete, the default administrative login is Admin/zabbix.

It's currently complaining that zabbix server is not running so I'll have to look into this more later. There is also a directory for database upgrades, so this seems quite a manual package to use. There is no mention of any of this in any readme or readme.urpmi so fumbling in the dark somewhat, but the zabbix wiki has useful info for redhat/debian which is guidance at least, even if not completely accurate for Mageia.
https://www.zabbix.com/documentation/2.0/manual/installation/install_from_packages

I agree it is far from easy but I managed to run zabbix-server, zabbix-agent, zabbix-web with sqlite under mga3 x86_64 but I had to do a lot of manual configuration with the help of your link. Maybe you need to restart zabbix-server ("systemctl stop zabbix-server", "systemctl start zabbix-server")? This package would need some improvement ...

I think the problem is that zabbix-server is actually 3 builds, one for each database type. zabbix-server package itself creates a symlink through alternatives.

    # alternatives --config zabbix-server

Once I discovered this (by removing the others) then zabbix-server starts as it should. Previously, although it was set to use mysql in /etc/zabbix/zabbix_server.conf it was actually starting the pgsql version.

zabbix-server now shows as running in the web interface \o/

Testing the update next in mga3 64

Testing complete mga3 64

Verified the service could be restarted after upgrade and the web interface still worked and produced data, and warnings about low disk space :)

After installing zabbix-agent on a remote computer and configuring /etc/zabbix/zabbix-agentd.conf with correct host and ip information then starting zabbix-agent service it could then be configured as a host in 'zabbix server' group with a template added on the server web interface and showed as connected (green Z).

Whiteboard: (none) => has_procedure mga3-64-ok

Setting the 'OS Linux Server' template against the remote computer collects lots of data on cpu load, memory, time etc.

Also note that the mysql.sock path of the server should also be altered in /etc/zabbix/zabbix_server.conf if using mysql as it is currently commented but set to /tmp/mysql.sock by default. It should be /var/lib/mysql/mysql.sock.

Testing complete mga3 32

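As an added example (not part of the bug report or of the Mageia zabbix package), a small POSIX sh check for the two pitfalls the testing comments above describe: the alternatives link pointing at a different database build than the configuration was written for, and DBSocket left at the commented default of /tmp/mysql.sock. The build-specific binary names (zabbix_server_mysql, zabbix_server_pgsql, zabbix_server_sqlite3) are assumptions about the package layout; DBSocket is the standard zabbix_server.conf option.

```shell
# Added example, not from the bug report or the Mageia package. Assumptions:
# the alternatives link for zabbix-server resolves to a binary whose name
# contains the backend (zabbix_server_mysql / _pgsql / _sqlite3), and the
# socket option is the DBSocket key of zabbix_server.conf.

# backend_of_binary RESOLVED_PATH -> mysql | pgsql | sqlite | unknown
# e.g. backend_of_binary "$(readlink -f /usr/sbin/zabbix_server)"
backend_of_binary() {
    case "$(basename "$1")" in
        *mysql*)            echo mysql ;;
        *pgsql*|*postgres*) echo pgsql ;;
        *sqlite*)           echo sqlite ;;
        *)                  echo unknown ;;
    esac
}

# effective_dbsocket CONF -> the active (uncommented) DBSocket value, or the
# word "unset" when the option is still only present as a comment.
effective_dbsocket() {
    val=$(sed -n 's/^[[:space:]]*DBSocket=\(.*\)$/\1/p' "$1" | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo unset; fi
}

# check_zabbix_backend WANTED CONF RESOLVED_PATH -> prints findings; returns 0
# when the selected build matches WANTED and (for mysql) DBSocket is not left
# at the commented default, 1 otherwise.
check_zabbix_backend() {
    wanted=$1; conf=$2; bin=$3; rc=0
    actual=$(backend_of_binary "$bin")
    if [ "$actual" != "$wanted" ]; then
        echo "MISMATCH: configured for $wanted but alternatives selects $actual ($bin)"
        rc=1
    fi
    if [ "$wanted" = mysql ]; then
        sock=$(effective_dbsocket "$conf")
        case "$sock" in
            unset|/tmp/mysql.sock)
                echo "WARNING: DBSocket is '$sock'; Mageia's MySQL socket is /var/lib/mysql/mysql.sock"
                rc=1 ;;
        esac
    fi
    return "$rc"
}

# Demo on a constructed config reproducing the report: socket left commented,
# pgsql build selected by alternatives although mysql was intended.
demo_conf=$(mktemp)
printf '%s\n' 'DBName=zabbix' 'DBUser=zabbix' '# DBSocket=/tmp/mysql.sock' > "$demo_conf"
check_zabbix_backend mysql "$demo_conf" /usr/sbin/zabbix_server_pgsql || true
rm -f "$demo_conf"
```

On a real host, pass `"$(readlink -f /usr/sbin/zabbix_server)"` as the third argument to see which build the alternatives link currently selects.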
claire robinson
2014-01-21 12:11:04 CET
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates
Thanks

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0015.html

Status: NEW => RESOLVED

LWN reference for CVE-2013-5743: http://lwn.net/Vulnerabilities/581559/