Fedora has issued an advisory on June 21: https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134885.html

According to the upstream bug report, it'll be fixed in 2.0.13: https://support.zabbix.com/browse/ZBX-8151

Fedora also has a patch: http://pkgs.fedoraproject.org/cgit/zabbix.git/plain/zabbix-2.0.12-zbx8151.patch?h=f20&id=205ba2b6c95e31fdea8c04d110e418b23559e044

Mageia 3 and Mageia 4 are also affected.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Upstream has released Zabbix 2.0.13 on September 10: http://www.zabbix.com/rn2.0.13.php

Freeze push requested for Cauldron. Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated zabbix package fixes security vulnerability:

It was reported that the Zabbix frontend supported an XML data import feature, where on the server it used DOMDocument to parse the XML. By default, DOMDocument also parses the external DTD, which could allow a remote attacker to use a crafted XML file causing Zabbix to read an arbitrary local file, and send the contents of the specified file to a remote server (CVE-2014-3005).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3005
https://support.zabbix.com/browse/ZBX-8151
http://www.zabbix.com/rn2.0.12.php
http://www.zabbix.com/rn2.0.13.php
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134885.html
========================

Updated packages in core/updates_testing:
========================
zabbix-server-2.0.13-1.mga3
zabbix-server-mysql-2.0.13-1.mga3
zabbix-server-pgsql-2.0.13-1.mga3
zabbix-server-sqlite-2.0.13-1.mga3
zabbix-proxy-2.0.13-1.mga3
zabbix-proxy-mysql-2.0.13-1.mga3
zabbix-proxy-pgsql-2.0.13-1.mga3
zabbix-proxy-sqlite-2.0.13-1.mga3
zabbix-java-2.0.13-1.mga3
zabbix-agent-2.0.13-1.mga3
zabbix-web-2.0.13-1.mga3
zabbix-server-2.0.13-1.mga4
zabbix-server-mysql-2.0.13-1.mga4
zabbix-server-pgsql-2.0.13-1.mga4
zabbix-server-sqlite-2.0.13-1.mga4
zabbix-proxy-2.0.13-1.mga4
zabbix-proxy-mysql-2.0.13-1.mga4
zabbix-proxy-pgsql-2.0.13-1.mga4
zabbix-proxy-sqlite-2.0.13-1.mga4
zabbix-java-2.0.13-1.mga4
zabbix-agent-2.0.13-1.mga4
zabbix-web-2.0.13-1.mga4

from SRPMS:
zabbix-2.0.13-1.mga3.src.rpm
zabbix-2.0.13-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: mitya => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
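The hardened counterpart of the parser behaviour the advisory describes, added here as an example that is not Zabbix's or the Mageia package's code: a PHP routine that rejects DTDs and disables external entity loading before DOMDocument sees the document. The sample document, `parseImportSafely` and the placeholder path are constructed for this example.

```php
<?php
// Added example, not code from Zabbix or the Mageia package: a hardened
// XML import routine that refuses the DTD-based inputs behind CVE-2014-3005.
// Constructed sample: a DOCTYPE declaring an external entity. A parser that
// resolves external entities would substitute that file's contents here.
$constructedSample = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE import [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path"> ]>
<zabbix_export><host>&ext;</host></zabbix_export>
XML;

// Parse an untrusted export document. Returns the DOMDocument on success,
// or a string describing why the document was rejected.
function parseImportSafely(string $xml)
{
    // 1. An export never needs a DTD, so reject any DOCTYPE up front.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return 'rejected: DOCTYPE declarations are not allowed in imports';
    }
    // 2. Before PHP 8.0 external entity loading is on by default; switch it
    //    off explicitly (the call is deprecated from 8.0, where it is already off).
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->resolveExternals = false;   // never fetch an external DTD
    $doc->substituteEntities = false; // never expand entity references
    // 3. LIBXML_NONET forbids network access; LIBXML_NOENT is deliberately absent.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    if (!$ok) {
        $err = libxml_get_last_error();
        $result = 'rejected: ' . ($err ? trim($err->message) : 'parse error');
    } elseif ($doc->doctype !== null) {
        $result = 'rejected: document carries a DTD'; // defence in depth
    } else {
        $result = $doc;
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if (isset($previousLoader)) {
        libxml_disable_entity_loader($previousLoader);
    }
    return $result;
}

// Self-check: the constructed sample is refused, a plain export is accepted.
var_dump(parseImportSafely($constructedSample));
var_dump(parseImportSafely('<zabbix_export><host>web01</host></zabbix_export>') instanceof DOMDocument);
```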
Testing Procedure: https://bugs.mageia.org/show_bug.cgi?id=11868#c7 onwards
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing is finished and all working, no problems. Update validated; sysadmins, push this to updates.

Keywords: (none) => validated_update
CC: (none) => ozkyster, sysadmin-bugs
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0433.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED