Bug 11868 - zabbix new security issue CVE-2013-6824
Summary: zabbix new security issue CVE-2013-6824
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/576919/
Whiteboard: has_procedure advisory mga3-64-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-12-04 02:52 CET by David Walser
Modified: 2014-01-21 20:48 CET

See Also:
Source RPM: zabbix-2.0.9-2.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2013-12-04 02:52:21 CET
Upstream has announced version 2.0.10rc1 which fixes a security issue on Dec 3:
http://www.zabbix.com/rn2.0.10rc1.php

Mageia 3 is also affected.

David Walser 2013-12-04 02:52:30 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2013-12-05 21:38:34 CET
There were also SQL injection and XSS issues fixed in 2.0.9rc1:
https://support.zabbix.com/browse/ZBX-7091
https://support.zabbix.com/browse/ZBX-6952
http://www.zabbix.com/rn2.0.9rc1.php
Comment 2 David Walser 2013-12-10 02:46:50 CET
Zabbix 2.0.10 is out, which fixes this:
http://www.zabbix.com/rn2.0.10.php
Dave Hodgins 2013-12-12 22:36:35 CET

Blocks: (none) => 11726

Comment 3 David Walser 2013-12-13 17:26:55 CET
Fedora has issued an advisory for this on December 5:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123446.html

URL: (none) => http://lwn.net/Vulnerabilities/576919/

Comment 4 Philippe Makowski 2014-01-08 23:23:24 CET
Advisory:
========================

Updated zabbix packages fix security vulnerabilities:

This update fixes multiple vulnerabilities.

- Fix vulnerability for remote command execution injection
  (ZBX-7479, CVE-2013-6824)
- Fix SQL injection vulnerability (ZBX-7091, CVE-2013-5743)
- Fix XSS issues (ZBX-6952)

References:
http://lwn.net/Vulnerabilities/576919/
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123446.html
https://support.zabbix.com/browse/ZBX-7479
https://support.zabbix.com/browse/ZBX-7091
https://support.zabbix.com/browse/ZBX-6952
http://www.zabbix.com/rn2.0.9rc1.php
========================

Updated packages in core/updates_testing:
========================
zabbix-server-2.0.10-1.mga3
zabbix-proxy-mysql-2.0.10-1.mga3
zabbix-web-2.0.10-1.mga3
zabbix-proxy-pgsql-2.0.10-1.mga3
zabbix-proxy-2.0.10-1.mga3
zabbix-proxy-sqlite-2.0.10-1.mga3
zabbix-server-sqlite-2.0.10-1.mga3
zabbix-agent-2.0.10-1.mga3
zabbix-server-mysql-2.0.10-1.mga3
zabbix-debuginfo-2.0.10-1.mga3
zabbix-java-2.0.10-1.mga3
zabbix-server-pgsql-2.0.10-1.mga3

from zabbix-2.0.10-1.mga3.src



Freeze push asked for mga4

CC: (none) => makowski.mageia

Philippe Makowski 2014-01-08 23:24:11 CET

Version: Cauldron => 3
Assignee: mitya => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 6 David Walser 2014-01-09 16:08:04 CET
zabbix-2.0.10-2.mga4 uploaded for Cauldron.

Blocks: 11726 => (none)

David Walser 2014-01-09 21:34:53 CET

Severity: normal => major

Comment 7 claire robinson 2014-01-20 20:07:20 CET
Working on this, it's far from being user-friendly.

After install, created a mysql database zabbix, with user & password both zabbix.

Set these details in /etc/zabbix/zabbix_server.conf.

Imported the database schema, images and data.

# cd /usr/share/zabbix/schema/database/mysql

# mysql -p -u zabbix zabbix < schema.sql 
Enter password:
# mysql -p -u zabbix zabbix < images.sql 
Enter password: 
# mysql -p -u zabbix zabbix < data.sql 
Enter password: 

Started the zabbix-server service, then browsed to http://localhost/zabbix and configured the database. When complete, the default administrative login is Admin/zabbix.

It's currently complaining that zabbix server is not running, so I'll have to look into this more later.

There is also a directory for database upgrades, so this seems quite a manual package to use.
Comment 8 claire robinson 2014-01-20 20:09:59 CET
There is no mention of any of this in any readme or readme.urpmi, so I'm fumbling in the dark somewhat, but the zabbix wiki has useful info for Red Hat/Debian, which is guidance at least, even if not completely accurate for Mageia.

https://www.zabbix.com/documentation/2.0/manual/installation/install_from_packages
Comment 9 Philippe Makowski 2014-01-20 21:17:09 CET
I agree it is far from easy, but I managed to run zabbix-server, zabbix-agent and zabbix-web with sqlite under mga3 x86_64, although I had to do a lot of manual configuration with the help of your link.

Maybe you need to restart zabbix-server ("systemctl stop zabbix-server", "systemctl start zabbix-server")?

This package would need some improvement ...
Comment 10 claire robinson 2014-01-21 10:47:34 CET
I think the problem is that zabbix-server is actually 3 builds, one for each database type. The zabbix-server package itself creates a symlink through alternatives.

# alternatives --config zabbix-server

Once I discovered this (by removing the others), zabbix-server started as it should. Previously, although it was set to use mysql in /etc/zabbix/zabbix_server.conf, it was actually starting the pgsql version.

zabbix-server now shows as running in the web interface \o/

Testing the update next in mga3 64
Comment 11 claire robinson 2014-01-21 11:38:27 CET
Testing complete mga3 64

Verified the service could be restarted after upgrade and the web interface still worked and produced data, and warnings about low disk space :)

After installing zabbix-agent on a remote computer, configuring /etc/zabbix/zabbix-agentd.conf with the correct host and IP information and starting the zabbix-agent service, it could then be configured as a host in the 'zabbix server' group with a template added on the server web interface, and it showed as connected (green Z).

Whiteboard: (none) => has_procedure mga3-64-ok

Comment 12 claire robinson 2014-01-21 11:46:22 CET
Setting the 'OS Linux Server' template against the remote computer collects lots of data on CPU load, memory, time etc.
Comment 13 claire robinson 2014-01-21 12:10:45 CET
Also note that the mysql.sock path of the server should be altered in /etc/zabbix/zabbix_server.conf if using mysql, as it is currently commented out but set to /tmp/mysql.sock by default. It should be /var/lib/mysql/mysql.sock.

Testing complete mga3 32
claire robinson 2014-01-21 12:11:04 CET

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
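
The QA setup steps from comments 7, 10 and 13 (MySQL schema import, the alternatives symlink, the mysql.sock path) gathered into one script; this is an added example, not part of the bug report or of the Mageia package. It assumes the Zabbix 2.0 paths quoted in the thread, that `alternatives --display` prints "link currently points to", and uses constructed test credentials.

```shell
#!/bin/sh
# Added example (not from the bug report). Credentials default to the
# constructed QA values used in comment 7 (user and password "zabbix").

# Neutralise every active "Key=" line in the conf, then append exactly one
# active line, so Zabbix never sees the same parameter defined twice.
set_conf_key() {
  file=$1 key=$2 value=$3
  sed -i "s|^${key}=|# &|" "$file"
  [ -n "$(tail -c1 "$file")" ] && echo >> "$file"   # ensure trailing newline
  printf '%s=%s\n' "$key" "$value" >> "$file"
}

# Return the effective (uncommented) value of a key, for verification.
conf_value() {
  sed -n "s|^${2}=||p" "$1" | tail -n 1
}

# Comment 13: the stock DBSocket line is commented out and points at
# /tmp/mysql.sock, which is wrong on Mageia, so set it explicitly.
configure_zabbix_mysql() {
  conf=${1:-/etc/zabbix/zabbix_server.conf}
  set_conf_key "$conf" DBName "${ZBX_DB:-zabbix}"
  set_conf_key "$conf" DBUser "${ZBX_DBUSER:-zabbix}"
  set_conf_key "$conf" DBPassword "${ZBX_DBPASS:-zabbix}"
  set_conf_key "$conf" DBSocket /var/lib/mysql/mysql.sock
}

# Comment 7: load schema, images and data into the freshly created database.
import_zabbix_schema() {
  dir=/usr/share/zabbix/schema/database/mysql
  for f in schema.sql images.sql data.sql; do
    mysql -u "${ZBX_DBUSER:-zabbix}" -p"${ZBX_DBPASS:-zabbix}" \
      "${ZBX_DB:-zabbix}" < "$dir/$f" || return 1
  done
}

# Comment 10: zabbix-server is an alternatives symlink; confirm the MySQL
# build is the one the service will actually start (assumed output format).
check_server_alternative() {
  alternatives --display zabbix-server 2>/dev/null |
    grep -q 'link currently points to .*mysql'
}

# Constructed sample of the relevant lines of zabbix_server.conf (not a copy
# of the real file), for a dry run on a temporary file.
write_sample_conf() {
  printf '%s\n' '### Option: DBSocket' '# DBSocket=/tmp/mysql.sock' \
    'DBHost=localhost' 'DBName=zabbix' > "$1"
}
```

Run configure_zabbix_mysql, then import_zabbix_schema, then check_server_alternative before starting the service; dry-run the config edit first with write_sample_conf on a temporary file.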

Comment 14 claire robinson 2014-01-21 12:25:11 CET
Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok mga3-32-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 15 Thomas Backlund 2014-01-21 17:35:56 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0015.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 16 David Walser 2014-01-21 20:48:40 CET
LWN reference for CVE-2013-5743:
http://lwn.net/Vulnerabilities/581559/
