Two security issues have been reported upstream:

CVE-2013-1364, ldap problem, patches to fix this attached to ZBX-6097 upstream.
CVE-2012-6086, curl problem, easy to fix, this is known as ZBX-5924 upstream.

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated zabbix packages fix security vulnerabilities:

A security flaw was found in the way Zabbix 2.0.4 and earlier used cURL's CURLOPT_SSL_VERIFYHOST variable, when doing certificate validation (value of '1' meaning only check for the existence of a common name was used instead of value '2' - which also checks if the particular common name matches the requested hostname of the server). A rogue service could use this flaw to conduct man-in-the-middle (MiTM) attacks (CVE-2012-6086).

It was reported that the user.login method in Zabbix 2.0.4 and earlier would accept a 'cnf' parameter containing the configuration parameters to use for LDAP authentication, which would override the configuration stored in the database. This can be used to authenticate to Zabbix using a completely different LDAP application (e.g. authenticate to Zabbix using some other LDAP directory the attacker has credentials for) (CVE-2013-1364).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1364
https://support.zabbix.com/browse/ZBX-5924
https://support.zabbix.com/browse/ZBX-6097
https://bugzilla.redhat.com/show_bug.cgi?id=892685
https://bugzilla.redhat.com/show_bug.cgi?id=901875
========================

Updated packages in core/updates_testing:
========================
zabbix-1.8.15-3.mga2
zabbix-agent-1.8.15-3.mga2
zabbix-web-1.8.15-3.mga2

from zabbix-1.8.15-3.mga2.src.rpm
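The CURLOPT_SSL_VERIFYHOST misuse described in the advisory, shown as an added illustration that is not part of this bug report or of Zabbix's own code: a hardened handle next to a small source audit that flags the weak values. PHP's curl extension is used here only for illustration (the option semantics are libcurl's); the function names and the sample source lines are assumed and constructed.

```php
<?php
// Added illustration for CVE-2012-6086; not Zabbix's code.
// hardened_tls_handle() and find_weak_verifyhost() are assumed names.

// Hardened handle: VERIFYPEER validates the certificate chain, and
// VERIFYHOST=2 additionally requires the certificate's name to match
// the host in the URL. VERIFYHOST=1 only checked that *a* common name
// existed, so a certificate for any other host was accepted (MiTM).
function hardened_tls_handle(string $url, string $caBundle)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Source audit: report every CURLOPT_SSL_VERIFYHOST set to 0 or 1, both of
// which accept a certificate issued for a different host. Matches the C
// (curl_easy_setopt ... 1L) and PHP (curl_setopt ... 1) spellings.
// Returns [line number => trimmed line].
function find_weak_verifyhost(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match('/CURLOPT_SSL_VERIFYHOST\s*,\s*(?:0|1)L?\s*\)/', $line)) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

// Constructed sample source: one C-style and two PHP-style calls.
$sample = <<<'SRC'
curl_easy_setopt(easyhandle, CURLOPT_SSL_VERIFYHOST, 1L);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
SRC;

foreach (find_weak_verifyhost($sample) as $n => $text) {
    echo "weak CURLOPT_SSL_VERIFYHOST at line $n: $text\n";
}
```

Recent libcurl releases no longer offer the weaker mode as a distinct setting, so the audit mainly matters for code built against older libcurl such as the versions shipped with Mageia 2.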
CC: (none) => mitya
Dimitri, if you want to upgrade this to 1.8.16, you could do that now. CVE-2013-1364 is fixed upstream in 1.8.16, so you could drop that patch. CVE-2012-6086 is not fixed upstream, so you would need to keep that patch.
URL: (none) => http://lwn.net/Vulnerabilities/534659/
Fedora has issued an advisory for CVE-2013-1364 on January 20:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097642.html

Replacing the advisory reference for that one.

Advisory:
========================

Updated zabbix packages fix security vulnerabilities:

A security flaw was found in the way Zabbix 2.0.4 and earlier used cURL's CURLOPT_SSL_VERIFYHOST variable, when doing certificate validation (value of '1' meaning only check for the existence of a common name was used instead of value '2' - which also checks if the particular common name matches the requested hostname of the server). A rogue service could use this flaw to conduct man-in-the-middle (MiTM) attacks (CVE-2012-6086).

It was reported that the user.login method in Zabbix 2.0.4 and earlier would accept a 'cnf' parameter containing the configuration parameters to use for LDAP authentication, which would override the configuration stored in the database. This can be used to authenticate to Zabbix using a completely different LDAP application (e.g. authenticate to Zabbix using some other LDAP directory the attacker has credentials for) (CVE-2013-1364).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1364
https://support.zabbix.com/browse/ZBX-5924
https://support.zabbix.com/browse/ZBX-6097
https://bugzilla.redhat.com/show_bug.cgi?id=892685
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097642.html
========================

Updated packages in core/updates_testing:
========================
zabbix-1.8.15-3.mga2
zabbix-agent-1.8.15-3.mga2
zabbix-web-1.8.15-3.mga2

from zabbix-1.8.15-3.mga2.src.rpm
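The user.login 'cnf' override from the advisory above, as an added illustration that is not Zabbix's own CUser::login code: the vulnerable shape lets request parameters replace the stored LDAP configuration, the hardened shape always uses the stored one and rejects a client-supplied 'cnf'. All function names are assumed and the configuration values are constructed.

```php
<?php
// Added illustration of CVE-2013-1364; not Zabbix's code.
// Function names are assumed; all values are constructed samples.

// LDAP configuration as an administrator saved it in the database.
function stored_ldap_config(): array
{
    return [
        'ldap_host'             => 'ldaps://ldap.corp.example',
        'ldap_port'             => 636,
        'ldap_base_dn'          => 'ou=people,dc=corp,dc=example',
        'ldap_search_attribute' => 'uid',
        'ldap_bind_dn'          => 'cn=zabbix,ou=svc,dc=corp,dc=example',
    ];
}

// Vulnerable shape: an unauthenticated login request may carry 'cnf', and
// its keys override the stored settings, so the caller decides which
// directory the password is checked against.
function ldap_config_vulnerable(array $params): array
{
    $config = stored_ldap_config();
    if (isset($params['cnf']) && is_array($params['cnf'])) {
        $config = array_merge($config, $params['cnf']);
    }
    return $config;
}

// Hardened shape: the directory used for login is always the stored one,
// and a 'cnf' key in a login request is refused rather than silently ignored,
// which also makes attempts visible in the web server / API logs.
function ldap_config_hardened(array $params): array
{
    if (array_key_exists('cnf', $params)) {
        throw new InvalidArgumentException('user.login does not accept "cnf"');
    }
    return stored_ldap_config();
}

// Constructed request of the kind the advisory describes.
$request = [
    'user'     => 'Admin',
    'password' => 'constructed-sample',
    'cnf'      => ['ldap_host' => 'ldap://directory.attacker.example', 'ldap_port' => 389],
];

echo ldap_config_vulnerable($request)['ldap_host'], "\n"; // caller-chosen directory
echo ldap_config_hardened(['user' => 'Admin', 'password' => 'x'])['ldap_host'], "\n";
try {
    ldap_config_hardened($request);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```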
Testing mga2 64

Installed zabbix, zabbix-web, zabbix-agent

Created user/password and database zabbix using phpmyadmin

# cd /usr/share/doc/zabbix/create/schema
# cat mysql.sql | mysql -u zabbix -p zabbix
Enter password: zabbix
# cd /usr/share/doc/zabbix/create/data/
# cat data.sql | mysql -u zabbix -p zabbix
Enter password: zabbix
Wait..
# cat images_mysql.sql | mysql -u zabbix -p zabbix
Enter password: zabbix
# systemctl start zabbix-agent.service
# systemctl start zabbix.service

Configured at http://localhost/zabbix

It's necessary to chmod 777 /usr/share/zabbix/conf so it can save the config, chmod 755 again afterwards.

Edit /etc/zabbix/zabbix_server.conf and add the database user/password

Similar to bug 7277 there are still errors on the web interface..

include(schema.inc.php): failed to open stream: No such file or directory [.php:1186]
include(): Failed opening 'schema.inc.php' for inclusion (include_path='.:/usr/lib64/php/:/usr/share/pear/:/usr/share/php/') [.php:1186]

Logged in as Admin/zabbix but the errors show at the top of each table and they are followed by 'Error in search request for table [name]'.

Dimitri, any ideas on these errors? Permissions in /etc/httpd/conf.d/zabbix.conf maybe? Dave manually worked around it last time by adding it in php.ini but that shouldn't really be necessary.

I'll start again and create the database from cli.
Dropped the zabbix database in phpmyadmin

# urpme zabbix -a
# rm -rf /usr/share/zabbix
# rm -rf /etc/zabbix/
# ecupdt
Enabling Core Updates Testing
# urpmi zabbix zabbix-web zabbix-agent
# cd /usr/share/doc/zabbix/create/schema/
# mysql -u zabbix -p
Enter password: zabbix
MariaDB [(none)]> create database zabbix character set utf8;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> quit;
# cat mysql.sql | mysql -u zabbix -p zabbix
Enter password: zabbix
# cd /usr/share/doc/zabbix/create/data/
# cat data.sql | mysql -u zabbix -p zabbix
Enter password: zabbix
Wait..
# cat images_mysql.sql | mysql -u zabbix -p zabbix
Enter password: zabbix
# chmod 777 /usr/share/zabbix/conf

Configured at http://localhost/zabbix

# chmod 755 /usr/share/zabbix/conf

include(schema.inc.php): failed to open stream: No such file or directory [.php:1186]
include(): Failed opening 'schema.inc.php' for inclusion (include_path='.:/usr/lib64/php/:/usr/share/pear/:/usr/share/php/') [.php:1186]

Added DBPassword in /etc/zabbix/zabbix_server.conf

# systemctl start zabbix.service
# systemctl start zabbix-agent.service

I can log in at http://localhost/zabbix with Admin/zabbix and viewing zabbix status shows the server running but not much other information is available due to the above errors.

Enabling monitoring for localhost (Zabbix Server) under Configuration/Hosts shows info for this host but still displays the errors.

This appears to be a bug in zabbix-web and zabbix/zabbix-agent seem to work ok. Should we create a separate bug for this or would you like to tackle this now?
Previous update was bug 7277 btw.
Also zabbix-agent ships two configuration files in /etc/zabbix, only one of which is used.

/etc/zabbix/zabbix_agent.conf
/etc/zabbix/zabbix_agentd.conf

systemctl status shows it's the one with agentd which is being used, so the other appears unnecessary.
Whiteboard: (none) => has_procedure feedback
We haven't heard from Dimitri yet, so it'd be good to let him have a look at this and decide what he wants to do. It does look like these things should be fixed.
Assigning Dimitri for feedback. Please reassign to QA when you've had a chance to take a look. Thanks.
CC: (none) => qa-bugs
Assignee: qa-bugs => mitya
Please test the updated Zabbix 2.0.5 package in Cauldron, after it gets pushed. There has been a major update to the package, mostly influenced by the Fedora approach. The "zabbix" package is gone; there are now packages for agent, server, proxy and Java gateway. Database-specific binaries have been built and packaged for server and proxy components, and update-alternatives should be used to select the binary. The package has also been updated to provide native systemd units, rather than init scripts. The CVE-2012-6086 and database config issues have been fixed.

As for /etc/zabbix/zabbix_agent.conf, it is used as a config file for "zabbix_agent", a one-shot, non-daemon version of the agent that just retrieves data and prints it out. Some users might choose this way (running the non-daemon agent via cron), that's why I guess the config should be kept.
Just so we're clear, the security issues were already fixed in the Cauldron package, so this bug is now just for Mageia 2, as there were issues found by QA so the update couldn't be pushed yet.
Zabbix 1.8.17 was released today (July 26): http://www.zabbix.com/rn1.8.17.php
Fedora has issued an advisory for CVE-2012-6086 on August 2: https://lists.fedoraproject.org/pipermail/package-announce/2013-September/117569.html from http://lwn.net/Vulnerabilities/568935/
Now there are some new security vulnerabilities being fixed in Zabbix. 1.8.18rc1 fixes some SQL injection vulnerabilities: https://support.zabbix.com/browse/ZBX-7091 http://www.zabbix.com/rn1.8.18rc1.php Those are also fixed in 2.0.9rc1, along with an XSS vulnerability: https://support.zabbix.com/browse/ZBX-6952 http://www.zabbix.com/rn2.0.9rc1.php
1.8.18 and 2.0.9 final are out: http://www.zabbix.com/rn1.8.18.php http://www.zabbix.com/rn2.0.9.php
Due to Mageia 2 EOL, I am making some changes to this bug and documenting them here. This bug was originally "zabbix new security issues CVE-2012-6086 and CVE-2013-1364" and was for Mageia 2. Those issues were fixed in Mageia 3 before it was released. An update had been prepared for Mageia 2, but issues found by the QA team were never addressed and the update was not released. Additional security issues, which do affect the Mageia 3 package, were later found and fixed upstream in 2.0.9rc1 and reported here in Comment 13. This bug now covers only those issues.
Version: 2 => 3
Summary: zabbix new security issues CVE-2012-6086 and CVE-2013-1364 => zabbix new security issues fixed upstream in 2.0.9rc1
Source RPM: zabbix-1.8.15-2.mga2.src.rpm => zabbix-2.0.5-1.mga3.src.rpm
Whiteboard: has_procedure feedback => (none)
Resetting this back to a Mageia 2 bug and closing. We can use Bug 11868 for a Mageia 3 update now.
Status: NEW => RESOLVED
Version: 3 => 2
Resolution: (none) => OLD
Summary: zabbix new security issues fixed upstream in 2.0.9rc1 => zabbix new security issues CVE-2012-6086 and CVE-2013-1364
Source RPM: zabbix-2.0.5-1.mga3.src.rpm => zabbix-1.8.15-2.mga2.src.rpm