Mageia Bugzilla – Bug 11868
zabbix new security issue CVE-2013-6824
Last modified: 2014-01-21 20:48:40 CET
Upstream has announced version 2.0.10rc1 which fixes a security issue on Dec 3:
Mageia 3 is also affected.
There were also SQL injection and XSS issues fixed in 2.0.9rc1:
Zabbix 2.0.10 is out, which fixes this:
Fedora has issued an advisory for this on December 5:
Updated zabbix packages fix security vulnerability:
This update fixes multiple vulnerabilities.
- Fix vulnerability for remote command execution injection
- Fix SQL injection vulnerability (ZBX-7091, CVE-2013-5743)
- Fix XSS issues (ZBX-6952)
Updated packages in core/updates_testing:
Freeze push asked for mga4
Just making a minor adjustment to the references.
zabbix-2.0.10-2.mga4 uploaded for Cauldron.
Working on this, it's far from being user friendly.
After install, created a mysql database zabbix, with user & password both zabbix.
Set these details in /etc/zabbix/zabbix_server.conf.
Imported the database schema, images and data:
# cd /usr/share/zabbix/schema/database/mysql
# mysql -p -u zabbix zabbix < schema.sql
# mysql -p -u zabbix zabbix < images.sql
# mysql -p -u zabbix zabbix < data.sql
Started zabbix-server service then browsed to http://localhost/zabbix and configured the database. When complete the default administrative login is Admin/zabbix.
It's currently complaining that zabbix server is not running so I'll have to look into this more later.
There is also a directory for database upgrades, so this seems quite a manual package to use.
There is no mention of any of this in any readme or readme.urpmi so fumbling in the dark somewhat, but the zabbix wiki has useful info for redhat/debian which is guidance at least, even if not completely accurate for Mageia.
I agree it is far from easy but I managed to run zabbix-server, zabbix-agent, zabbix-web with sqlite under mga3 x86_64
but I had to do a lot of manual configuration with the help of your link.
Maybe you need to restart zabbix-server ("systemctl stop zabbix-server", "systemctl start zabbix-server")?
This package would need some improvement ...
I think the problem is that zabbix-server is actually 3 builds, one for each database type. zabbix-server package itself creates a symlink through alternatives.
# alternatives --config zabbix-server
Once I discovered this (by removing the others) then zabbix-server starts as it should. Previously, although it was set to use mysql in /etc/zabbix/zabbix_server.conf it was actually starting the pgsql version.
zabbix-server now shows as running in the web interface \o/
Testing the update next in mga3 64
Testing complete mga3 64
Verified the service could be restarted after upgrade and the web interface still worked and produced data, and warnings about low disk space :)
After installing zabbix-agent on a remote computer and configuring /etc/zabbix/zabbix-agentd.conf with correct host and IP information then starting zabbix-agent service, it could then be configured as a host in 'zabbix server' group with a template added on the server web interface and showed as connected (green Z).
Setting the 'OS Linux Server' template against the remote computer collects lots of data on CPU load, memory, time etc.
Also note that the mysql.sock path of the server should also be altered in /etc/zabbix/zabbix_server.conf if using mysql as it is currently commented but set to /tmp/mysql.sock by default. It should be /var/lib/mysql/mysql.sock.
Testing complete mga3 32
Advisory uploaded. Validating.
Could sysadmin please push from 3 core/updates_testing to updates?
LWN reference for CVE-2013-5743: