Bug 13628

Summary:	zabbix new security issue CVE-2014-3005
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	ottoleipala1, rverschelde, sysadmin-bugs
Version:	4	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/603976/
Whiteboard:	MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK advisory
Source RPM:	zabbix-2.0.11-1.mga4.src.rpm	CVE:
Status comment:

Description David Walser 2014-06-30 23:29:37 CEST

Fedora has issued an advisory on June 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134885.html

According to the upstream bug report, it'll be fixed in 2.0.13:
https://support.zabbix.com/browse/ZBX-8151

Fedora also has a patch:
http://pkgs.fedoraproject.org/cgit/zabbix.git/plain/zabbix-2.0.12-zbx8151.patch?h=f20&id=205ba2b6c95e31fdea8c04d110e418b23559e044

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:

David Walser 2014-06-30 23:29:45 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-10-26 16:55:06 CET

Upstream has released Zabbix 2.0.13 on September 10:
http://www.zabbix.com/rn2.0.13.php

Freeze push requested for Cauldron.

Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated zabbix package fixes security vulnerability:

It was reported that the Zabbix frontend supported an XML data import feature,
where on the server it used DOMDocument to parse the XML.  By default,
DOMDocument also parses the external DTD, which could allow a remote attacker
to use a crafted XML file causing Zabbix to read an arbitrary local file, and
send the contents of the specified file to a remote server (CVE-2014-3005).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3005
https://support.zabbix.com/browse/ZBX-8151
http://www.zabbix.com/rn2.0.12.php
http://www.zabbix.com/rn2.0.13.php
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134885.html
========================

Updated packages in core/updates_testing:
========================
zabbix-server-2.0.13-1.mga3
zabbix-server-mysql-2.0.13-1.mga3
zabbix-server-pgsql-2.0.13-1.mga3
zabbix-server-sqlite-2.0.13-1.mga3
zabbix-proxy-2.0.13-1.mga3
zabbix-proxy-mysql-2.0.13-1.mga3
zabbix-proxy-pgsql-2.0.13-1.mga3
zabbix-proxy-sqlite-2.0.13-1.mga3
zabbix-java-2.0.13-1.mga3
zabbix-agent-2.0.13-1.mga3
zabbix-web-2.0.13-1.mga3
zabbix-server-2.0.13-1.mga4
zabbix-server-mysql-2.0.13-1.mga4
zabbix-server-pgsql-2.0.13-1.mga4
zabbix-server-sqlite-2.0.13-1.mga4
zabbix-proxy-2.0.13-1.mga4
zabbix-proxy-mysql-2.0.13-1.mga4
zabbix-proxy-pgsql-2.0.13-1.mga4
zabbix-proxy-sqlite-2.0.13-1.mga4
zabbix-java-2.0.13-1.mga4
zabbix-agent-2.0.13-1.mga4
zabbix-web-2.0.13-1.mga4

from SRPMS:
zabbix-2.0.13-1.mga3.src.rpm
zabbix-2.0.13-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: mitya => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 David Walser 2014-10-26 16:55:20 CET

Testing Procedure:
https://bugs.mageia.org/show_bug.cgi?id=11868#c7 onwards

David Walser 2014-10-26 18:19:45 CET

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 3 Otto Leipälä 2014-10-29 07:23:30 CET

Testing is finished and all working no problems.
Update validated sysadmins push this to updates.

Keywords: (none) => validated_update
CC: (none) => ozkyster, sysadmin-bugs
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK

Comment 4 Rémi Verschelde 2014-10-29 09:51:39 CET

Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK advisory

Comment 5 Mageia Robot 2014-10-29 12:31:22 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0433.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED