Red Hat Bugzilla – Full Text Bug Listing
|Summary:|CVE-2011-2904 CVE-2011-3263 CVE-2011-3264 zabbix: multiple flaws in zabbix < 1.8.6|
|Product:|[Other] Security Response|
|Reporter:|Vincent Danen <vdanen>|
|Component:|vulnerability|
|Assignee:|Red Hat Product Security <security-response-team>|
|Status:|CLOSED CURRENTRELEASE|
|QA Contact:||
|Version:|unspecified|
|CC:|dan, jeff, nelsonab, volker27|
|Fixed In Version:|zabbix 1.8.6|
|Doc Type:|Bug Fix|
|Doc Text:||
|Story Points:|---|
|Last Closed:|2014-01-06 14:33:48 EST|
|Type:|---|
|oVirt Team:|---|
|RHEL 7.3 requirements from Atomic Host:||
|Bug Depends On:|729164, 729165|
Description Vincent Danen 2011-08-08 17:35:13 EDT
A vulnerability was reported in Zabbix where input passed to the "backurl" parameter in acknow.php is improperly sanitized before being returned to the user. This could be used to facilitate a cross-site scripting attack. This flaw is fixed in Zabbix 1.8.6.

http://secunia.com/advisories/45502
https://support.zabbix.com/browse/ZBX-3835
http://www.zabbix.com/rn1.8.6.php
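The two controls that close a reflected "return to" parameter like the one described above, as an added example that is not part of this bug report and not Zabbix's own code (the Zabbix frontend is PHP; this C routine only illustrates the logic): an allow-list on `backurl` so that only a site-relative path is ever echoed, and HTML attribute encoding of whatever is emitted. The function names, the fallback target `/`, and the `<a href>` markup are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Characters permitted in a "return to" path. Hypothetical allow-list:
 * no ':' (so no scheme), no quotes, no angle brackets, no whitespace. */
static int backurl_char_ok(unsigned char c)
{
    return isalnum(c) || strchr("/?=&._~%-", c) != NULL;
}

/* Accept only a site-relative path: a single leading '/', no
 * protocol-relative "//" prefix, and only allow-listed characters. */
int backurl_is_safe(const char *url)
{
    size_t i;

    if (url == NULL || url[0] != '/' || url[1] == '/')
        return 0;
    for (i = 0; url[i] != '\0'; i++)
        if (!backurl_char_ok((unsigned char)url[i]))
            return 0;
    return 1;
}

/* Encode the five HTML-significant characters so the value is inert
 * inside a quoted attribute. Returns 0 on success, -1 if out is too small. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t pos = 0, n;
    char one[2] = { '\0', '\0' };

    if (outlen == 0)
        return -1;
    for (; *in != '\0'; in++) {
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   one[0] = *in; rep = one; break;
        }
        n = strlen(rep);
        if (pos + n >= outlen)
            return -1;
        memcpy(out + pos, rep, n);
        pos += n;
    }
    out[pos] = '\0';
    return 0;
}

/* Build the back link: fall back to a fixed default (assumed "/") when the
 * supplied value is not site-relative, and encode whatever is emitted. */
int render_back_link(const char *backurl, char *out, size_t outlen)
{
    char escaped[512];
    const char *target = backurl_is_safe(backurl) ? backurl : "/";

    if (html_escape(target, escaped, sizeof escaped) != 0)
        return -1;
    if (snprintf(out, outlen, "<a href=\"%s\">Back</a>", escaped) >= (int)outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one valid path, one absolute URL, one markup-bearing string. */
    const char *samples[] = { "/acknow.php?eventid=1&x=1", "http://example.com/", "\"><b>x</b>" };
    char link[600];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (render_back_link(samples[i], link, sizeof link) == 0)
            printf("%-28s -> %s\n", samples[i], link);
    return 0;
}
```

The allow-list does the real work: rejecting anything that is not a site-relative path removes both the script-injection and the open-redirect use of the parameter, and encoding on output covers the case where an allowed character is still significant in the attribute (the `&` in a query string becomes `&amp;`).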
Comment 1 Vincent Danen 2011-08-08 17:36:49 EDT
Created zabbix tracking bugs for this issue

Affects: fedora-all [bug 729164]
Affects: epel-all [bug 729165]
Comment 3 Vincent Danen 2011-08-19 17:45:03 EDT
There were more issues corrected in zabbix 1.8.6, noted below:

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2904 to the following vulnerability:

Name: CVE-2011-2904
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2904
Assigned: 20110727
Reference: http://www.openwall.com/lists/oss-security/2011/08/08/2
Reference: http://www.openwall.com/lists/oss-security/2011/08/09/5
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=729162
Reference: https://support.zabbix.com/browse/ZBX-3835
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063904.html
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063884.html
Reference: http://www.securityfocus.com/bid/49016
Reference: http://secunia.com/advisories/45502
Reference: http://secunia.com/advisories/45677
Reference: http://xforce.iss.net/xforce/xfdb/69025

Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix before 1.8.6 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter.

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3263 to the following vulnerability:

Name: CVE-2011-3263
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3263
Assigned: 20110819
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://support.zabbix.com/browse/ZBX-3794

zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows context-dependent attackers to cause a denial of service (CPU consumption) by executing the vfs.file.cksum command for a special device, as demonstrated by the /dev/urandom device.

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3264 to the following vulnerability:

Name: CVE-2011-3264
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3264
Assigned: 20110819
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://support.zabbix.com/browse/ZBX-3840

Zabbix before 1.8.6 allows remote attackers to obtain sensitive information via an invalid srcfld2 parameter to popup.php, which reveals the installation path in an error message.
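The vfs.file.cksum exhaustion in CVE-2011-3263 happens because a character device such as /dev/urandom never returns end-of-file, so an agent that reads until EOF never finishes. The guard below is an example added here, not Zabbix's implementation: it refuses anything that is not a regular file, checking `S_ISREG` both on the path before `open()` and on the descriptor afterwards so a path swapped for a device in between is still caught, and it bounds the bytes read so a file that grows while being read cannot pin the agent either. Adler-32 stands in for the agent's real checksum algorithm; the 64 MiB cap, the return codes and the function names are assumptions.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome codes for the guarded checksum (assumed for this example). */
enum { CKSUM_OK = 0, CKSUM_NOT_REGULAR = -1, CKSUM_TOO_LARGE = -2, CKSUM_IO_ERROR = -3 };

/* Upper bound on bytes read for one item; the value is an assumption. */
#define CKSUM_MAX_BYTES (64UL * 1024 * 1024)

/* Adler-32 over a buffer, seeded with 1; stands in for the agent's cksum. */
uint32_t adler32_update(uint32_t adler, const unsigned char *buf, size_t len)
{
    uint32_t a = adler & 0xffff, b = adler >> 16;
    size_t i;

    for (i = 0; i < len; i++) {
        a = (a + buf[i]) % 65521;
        b = (b + a) % 65521;
    }
    return (b << 16) | a;
}

/* Checksum path only if it is a bounded regular file; otherwise refuse
 * without reading a byte. On success stores the checksum in *out. */
int guarded_file_cksum(const char *path, uint32_t *out)
{
    struct stat st;
    unsigned char buf[4096];
    unsigned long total = 0;
    uint32_t sum = 1;
    ssize_t n;
    int fd;

    /* First check on the path: devices, FIFOs and directories are rejected here. */
    if (stat(path, &st) != 0)
        return CKSUM_IO_ERROR;
    if (!S_ISREG(st.st_mode))
        return CKSUM_NOT_REGULAR;
    if (st.st_size < 0 || (unsigned long)st.st_size > CKSUM_MAX_BYTES)
        return CKSUM_TOO_LARGE;

    fd = open(path, O_RDONLY);
    if (fd < 0)
        return CKSUM_IO_ERROR;

    /* Second check on the open descriptor closes the stat()/open() window. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return CKSUM_NOT_REGULAR;
    }

    while ((n = read(fd, buf, sizeof buf)) > 0) {
        total += (unsigned long)n;
        if (total > CKSUM_MAX_BYTES) {   /* file grew past the cap while reading */
            close(fd);
            return CKSUM_TOO_LARGE;
        }
        sum = adler32_update(sum, buf, (size_t)n);
    }
    close(fd);
    if (n < 0)
        return CKSUM_IO_ERROR;
    *out = sum;
    return CKSUM_OK;
}

int main(int argc, char **argv)
{
    /* With no argument, "." is used: a directory, so the guard refuses it. */
    const char *path = argc > 1 ? argv[1] : ".";
    uint32_t sum;
    int rc = guarded_file_cksum(path, &sum);

    if (rc == CKSUM_OK)
        printf("%s: checksum %08x\n", path, (unsigned)sum);
    else
        printf("%s: refused (code %d)\n", path, rc);
    return rc == CKSUM_OK ? 0 : 1;
}
```

Run it against a regular file and it prints a checksum; run it against a device node or a directory and it returns before any read, which is the behaviour the 1.8.6 fix needed to establish for the agent item.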
Comment 4 Vincent Danen 2011-08-19 17:45:58 EDT
Looks like we're ok on the Fedora side (1.8.6 in F14/F15, in testing for F16), and EPEL6 has 1.8.6 in testing as well. I'm unsure whether or not all of these flaws affect EPEL4/5 though; it's at 1.4.6/1.4.7.
Comment 5 Volker Fröhlich 2013-01-22 10:58:01 EST
Only EPEL 5 should be left: https://support.zabbix.com/browse/ZBX-3840?focusedCommentId=74131#comment-74131
Comment 6 Volker Fröhlich 2014-01-06 14:33:48 EST
zabbix 1.4.7 was retired and blocked in EPEL 5, as there is no upstream support for this version. This was the only remaining version potentially or actually prone to this issue, thus closing. Users are encouraged to update to zabbix20 or later.