Upstream has announced version 2.0.10rc1 which fixes a security issue on Dec 3:
http://www.zabbix.com/rn2.0.10rc1.php

Mageia 3 is also affected.
Whiteboard: (none) => MGA3TOO
There were also SQL injection and XSS issues fixed in 2.0.9rc1:
https://support.zabbix.com/browse/ZBX-7091
https://support.zabbix.com/browse/ZBX-6952
http://www.zabbix.com/rn2.0.9rc1.php
Zabbix 2.0.10 is out, which fixes this: http://www.zabbix.com/rn2.0.10.php
Blocks: (none) => 11726
Fedora has issued an advisory for this on December 5: https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123446.html
URL: (none) => http://lwn.net/Vulnerabilities/576919/
Advisory:
========================

Updated zabbix packages fix security vulnerabilities:

This update fixes multiple vulnerabilities.
- Fix vulnerability for remote command execution injection (ZBX-7479, CVE-2013-6824)
- Fix SQL injection vulnerability (ZBX-7091, CVE-2013-5743)
- Fix XSS issues (ZBX-6952)

References:
http://lwn.net/Vulnerabilities/576919/
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123446.html
https://support.zabbix.com/browse/ZBX-7479
https://support.zabbix.com/browse/ZBX-7091
https://support.zabbix.com/browse/ZBX-6952
http://www.zabbix.com/rn2.0.9rc1.php
========================

Updated packages in core/updates_testing:
========================
zabbix-server-2.0.10-1.mga3
zabbix-proxy-mysql-2.0.10-1.mga3
zabbix-web-2.0.10-1.mga3
zabbix-proxy-pgsql-2.0.10-1.mga3
zabbix-proxy-2.0.10-1.mga3
zabbix-proxy-sqlite-2.0.10-1.mga3
zabbix-server-sqlite-2.0.10-1.mga3
zabbix-agent-2.0.10-1.mga3
zabbix-server-mysql-2.0.10-1.mga3
zabbix-debuginfo-2.0.10-1.mga3
zabbix-java-2.0.10-1.mga3
zabbix-server-pgsql-2.0.10-1.mga3

from zabbix-2.0.10-1.mga3.src

Freeze push asked for mga4
CC: (none) => makowski.mageia
Version: Cauldron => 3
Assignee: mitya => qa-bugs
Whiteboard: MGA3TOO => (none)
Thanks Philippe! Just making a minor adjustment to the references.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6824
https://support.zabbix.com/browse/ZBX-7479
https://support.zabbix.com/browse/ZBX-7091
https://support.zabbix.com/browse/ZBX-6952
http://www.zabbix.com/rn2.0.9.php
http://www.zabbix.com/rn2.0.10.php
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123446.html
CC: (none) => mitya
zabbix-2.0.10-2.mga4 uploaded for Cauldron.
Blocks: 11726 => (none)
Severity: normal => major
Working on this, it's far from being user friendly.

After install, created a mysql database zabbix, with user & password both zabbix. Set these details in /etc/zabbix/zabbix_server.conf.

Imported the database schema, images and data.

# cd /usr/share/zabbix/schema/database/mysql
# mysql -p -u zabbix zabbix < schema.sql
Enter password:
# mysql -p -u zabbix zabbix < images.sql
Enter password:
# mysql -p -u zabbix zabbix < data.sql
Enter password:

Started zabbix-server service then browsed to http://localhost/zabbix and configured the database. When complete the default administrative login is Admin/zabbix.

It's currently complaining that zabbix server is not running so I'll have to look into this more later. There is also a directory for database upgrades, so this seems quite a manual package to use.
There is no mention of any of this in any readme or readme.urpmi so fumbling in the dark somewhat, but the zabbix wiki has useful info for redhat/debian which is guidance at least, even if not completely accurate for Mageia.

https://www.zabbix.com/documentation/2.0/manual/installation/install_from_packages
I agree it is far from easy, but I managed to run zabbix-server, zabbix-agent, zabbix-web with sqlite under mga3 x86_64, but I had to do a lot of manual configuration with the help of your link.

Maybe you need to restart "systemctl stop zabbix-server", "systemctl start zabbix-server" zabbix-server?

This package would need some improvement ...
I think the problem is that zabbix-server is actually 3 builds, one for each database type. zabbix-server package itself creates a symlink through alternatives.

# alternatives --config zabbix-server

Once I discovered this (by removing the others) then zabbix-server starts as it should. Previously, although it was set to use mysql in /etc/zabbix/zabbix_server.conf it was actually starting the pgsql version.

zabbix-server now shows as running in the web interface \o/

Testing the update next in mga3 64
Testing complete mga3 64

Verified the service could be restarted after upgrade and the web interface still worked and produced data, and warnings about low disk space :)

After installing zabbix-agent on a remote computer and configuring /etc/zabbix/zabbix-agentd.conf with correct host and IP information then starting zabbix-agent service it could then be configured as a host in 'zabbix server' group with a template added on the server web interface and showed as connected (green Z).
Whiteboard: (none) => has_procedure mga3-64-ok
Setting the 'OS Linux Server' template against the remote computer collects lots of data on cpu load, memory, time etc
Also note that the mysql.sock path of the server should also be altered in /etc/zabbix/zabbix_server.conf if using mysql as it is currently commented but set to /tmp/mysql.sock by default. It should be /var/lib/mysql/mysql.sock.

Testing complete mga3 32
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok mga3-32-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0015.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
LWN reference for CVE-2013-5743: http://lwn.net/Vulnerabilities/581559/