A vulnerability was reported [1],[2] in Zabbix where input passed to the "backurl" parameter in acknow.php is improperly sanitized before being returned to the user. This could be used to facilitate a cross-site scripting attack. This flaw is fixed in Zabbix 1.8.6 [3].

[1] http://secunia.com/advisories/45502
[2] https://support.zabbix.com/browse/ZBX-3835
[3] http://www.zabbix.com/rn1.8.6.php

Created zabbix tracking bugs for this issue

Affects: fedora-all [bug 729164]
Affects: epel-all [bug 729165]
This issue was assigned the name CVE-2011-2904.
There were more issues corrected in zabbix 1.8.6, noted below:

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2904 to the following vulnerability:

Name: CVE-2011-2904
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2904
Assigned: 20110727
Reference: http://www.openwall.com/lists/oss-security/2011/08/08/2
Reference: http://www.openwall.com/lists/oss-security/2011/08/09/5
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=729162
Reference: https://support.zabbix.com/browse/ZBX-3835
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063904.html
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063884.html
Reference: http://www.securityfocus.com/bid/49016
Reference: http://secunia.com/advisories/45502
Reference: http://secunia.com/advisories/45677
Reference: http://xforce.iss.net/xforce/xfdb/69025

Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix before 1.8.6 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter.

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3263 to the following vulnerability:

Name: CVE-2011-3263
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3263
Assigned: 20110819
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://support.zabbix.com/browse/ZBX-3794

zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows context-dependent attackers to cause a denial of service (CPU consumption) by executing the vfs.file.cksum command for a special device, as demonstrated by the /dev/urandom device.
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3264 to the following vulnerability:

Name: CVE-2011-3264
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3264
Assigned: 20110819
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://support.zabbix.com/browse/ZBX-3840

Zabbix before 1.8.6 allows remote attackers to obtain sensitive information via an invalid srcfld2 parameter to popup.php, which reveals the installation path in an error message.
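For the vfs.file.cksum denial of service described above (CVE-2011-3263), the guard a file-checksum routine needs before it starts reading, as an added example that is not part of this bug report and is not Zabbix source code. The function name cksum_regular_file, the 64 MiB cap and the toy rotate-xor sum are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_CKSUM_BYTES (64L * 1024 * 1024) /* assumed cap, not a Zabbix setting */

/* Returns 0 and stores a checksum in *out, or -1 if the path is refused. */
int cksum_regular_file(const char *path, uint32_t *out)
{
    unsigned char buf[4096];
    struct stat st;
    uint32_t acc = 0;
    off_t total = 0;
    ssize_t n = 0;
    /* O_NONBLOCK: opening a FIFO must not hang before we can inspect it. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path, so the type check and the reads apply
       to the same object. /dev/urandom never reaches EOF: refuse non-regular files. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_size > MAX_CKSUM_BYTES) {
        close(fd);
        return -1;
    }
    /* Bound the loop too: the file may grow while it is being read. */
    while (total <= MAX_CKSUM_BYTES && (n = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++) /* toy sum, stands in for the real checksum */
            acc = ((acc << 1) | (acc >> 31)) ^ buf[i];
        total += n;
    }
    close(fd);
    if (n < 0 || total > MAX_CKSUM_BYTES)
        return -1;
    *out = acc;
    return 0;
}

int main(int argc, char **argv)
{
    uint32_t sum = 0;
    int rc = cksum_regular_file(argc > 1 ? argv[1] : "/dev/urandom", &sum);
    if (rc != 0)
        puts("refused: not a bounded regular file");
    else
        printf("%u\n", (unsigned)sum);
    return rc ? 1 : 0;
}
```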
Looks like we're ok on the Fedora side (1.8.6 in F14/F15, in testing for F16), and EPEL6 has 1.8.6 in testing as well. I'm unsure whether or not all of these flaws affect EPEL4/5 though; it's at 1.4.6/1.4.7.
Only EPEL 5 should be left: https://support.zabbix.com/browse/ZBX-3840?focusedCommentId=74131#comment-74131
zabbix 1.4.7 was retired and blocked in EPEL 5, as there is no upstream support for this version. This was the only remaining version potentially or actually prone to this issue, thus closing. Users are encouraged to update to zabbix20 or later.