Upstream has released 2.2.2rc1 on February 3, fixing two security issues: http://www.zabbix.com/rn2.2.2rc1.php

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Zabbix 2.2.2 final is out, also fixing one more security issue: http://www.zabbix.com/rn2.2.2.php
Summary: zabbix new security issues CVE-2014-1682 and CVE-2013-5572 => zabbix new security issues CVE-2014-1685, CVE-2014-1682, and CVE-2013-5572
The issues are also fixed in 2.0.11. Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated zabbix packages fix security vulnerabilities:

Zabbix before 2.0.11 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code (CVE-2013-5572).

Zabbix before 2.0.11 allows switching users without proper credentials when using HTTP authentication (CVE-2014-1682).

In Zabbix before 2.0.11, the admin user is able to update media for other users (CVE-2014-1685).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1685
https://support.zabbix.com/browse/ZBX-6721
https://support.zabbix.com/browse/ZBX-7693
https://support.zabbix.com/browse/ZBX-7703
http://www.zabbix.com/rn2.0.11.php
========================

Updated packages in core/updates_testing:
========================
zabbix-server-2.0.11-1.mga3
zabbix-server-mysql-2.0.11-1.mga3
zabbix-server-pgsql-2.0.11-1.mga3
zabbix-server-sqlite-2.0.11-1.mga3
zabbix-proxy-2.0.11-1.mga3
zabbix-proxy-mysql-2.0.11-1.mga3
zabbix-proxy-pgsql-2.0.11-1.mga3
zabbix-proxy-sqlite-2.0.11-1.mga3
zabbix-java-2.0.11-1.mga3
zabbix-agent-2.0.11-1.mga3
zabbix-web-2.0.11-1.mga3

zabbix-server-2.0.11-1.mga4
zabbix-server-mysql-2.0.11-1.mga4
zabbix-server-pgsql-2.0.11-1.mga4
zabbix-server-sqlite-2.0.11-1.mga4
zabbix-proxy-2.0.11-1.mga4
zabbix-proxy-mysql-2.0.11-1.mga4
zabbix-proxy-pgsql-2.0.11-1.mga4
zabbix-proxy-sqlite-2.0.11-1.mga4
zabbix-java-2.0.11-1.mga4
zabbix-agent-2.0.11-1.mga4
zabbix-web-2.0.11-1.mga4

from SRPMS:
zabbix-2.0.11-1.mga3.src.rpm
zabbix-2.0.11-1.mga4.src.rpm
CC: (none) => mitya
Version: Cauldron => 4
Assignee: mitya => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
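An added verification check for the CVE-2013-5572 symptom described in the advisory above, written for this page and not taken from the bug report or from Zabbix: it scans the HTML of the frontend's authentication settings page (fetched separately with an admin session) for an ldap_bind_password field that still carries a value. The field name comes from the advisory; the sample pages are constructed, and matching any input whose name contains that string is an assumption about the frontend's markup.

```python
"""Check whether a Zabbix authentication page echoes the LDAP bind password.

Added example for the advisory in this bug; not Zabbix code. Feed it the HTML
of your own frontend's authentication page. The samples below are constructed.
"""
from html.parser import HTMLParser


class _BindPasswordFinder(HTMLParser):
    """Collect the value attribute of every input whose name contains
    ldap_bind_password (assumption: the frontend renders it as an <input>)."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name") or ""
        if tag == "input" and "ldap_bind_password" in name:
            self.values.append(a.get("value") or "")


def leaked_bind_password(html):
    """Return True if any ldap_bind_password field carries a non-empty value,
    i.e. the stored bind password is still written into the page source
    (the pre-2.0.11 behaviour); False if the field is empty or absent."""
    parser = _BindPasswordFinder()
    parser.feed(html)
    return any(v != "" for v in parser.values)


# Constructed samples, not real Zabbix output.
VULNERABLE_PAGE = (
    '<form><input type="password" name="ldap_bind_password" value="s3cret">'
    '</form>'
)
FIXED_PAGE = (
    '<form><input type="password" name="ldap_bind_password" value="">'
    '</form>'
)

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE)):
        print(label, "-> leak" if leaked_bind_password(page) else "-> clean")
```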
Procedure: https://bugs.mageia.org/show_bug.cgi?id=11868#c7 onwards
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Tested on Mageia 4 64

After install, created a mysql database zabbix. Set these details in /etc/zabbix/zabbix_server.conf.

Imported the database schema, images and data.

# cd /usr/share/zabbix/schema/database/mysql
# mysql zabbix < schema.sql
Enter password:
# mysql zabbix < images.sql
Enter password:
# mysql zabbix < data.sql
Enter password:

Started zabbix-server service then browsed to http://localhost/zabbix and configured the database. When complete, the default administrative login is Admin/zabbix.

Works all OK here.
CC: (none) => ennael1
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
Tested on Mageia 4 32

After install, created a mysql database zabbix. Set these details in /etc/zabbix/zabbix_server.conf.

Imported the database schema, images and data.

# cd /usr/share/zabbix/schema/database/mysql
# mysql zabbix < schema.sql
Enter password:
# mysql zabbix < images.sql
Enter password:
# mysql zabbix < data.sql
Enter password:

Started zabbix-server service then browsed to http://localhost/zabbix and configured the database. When complete, the default administrative login is Admin/zabbix.

Works all OK here.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok
Depending on your sql configuration you might need -u <database user> and -p in the mysql commands. The -p makes it ask for a password; it doesn't take the next word to be the password.

e.g. With database name, database user & database password of zabbix:

mysql -u zabbix -p zabbix < schema.sql
Enter password: <enter zabbix>
Testing mga3 32 & 64 now
Testing complete mga3 32 & 64
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0095.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/588437/