Zabbix 1.8.10rc1 was released [1] to correct persistent cross-site scripting vulnerabilities due to improper sanitization of the gname variable when creating user and host groups [2].
[1] http://www.zabbix.com/rn1.8.10rc1.php
[2] https://support.zabbix.com/browse/ZBX-4015
CVE requested: http://www.openwall.com/lists/oss-security/2011/12/16/2
This was assigned the name CVE-2011-4615: http://www.openwall.com/lists/oss-security/2011/12/16/3
Created zabbix tracking bugs for this issue
Affects: fedora-all [bug 768539]
Affects: epel-6 [bug 768540]
zabbix-1.8.10-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
zabbix-1.8.10-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
zabbix-1.8.10-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
As far as EPEL 6 and Fedora are concerned, this can be closed, shipping 1.8.14.
EPEL5 has zabbix-1.4.7-1.el5. This bug does not mention if that version is affected or not. Does it need fixing?
zabbix 1.4.7 was retired and blocked in EPEL 5, as there is no upstream support for this version. This was the only remaining version potentially or actually prone to this issue, thus closing. Users are encouraged to update to zabbix20 or later.