A security flaw was found in the way Zabbix, an open-source monitoring solution for IT infrastructure, used (lib)cURL's CURLOPT_SSL_VERIFYHOST variable when doing certificate validation (the value '1', meaning only check for the existence of a common name, was used instead of the value '2', which also checks that the particular common name matches the requested hostname of the server). A rogue service could use this flaw to conduct man-in-the-middle (MITM) attacks.

Upstream bug report:
[1] https://support.zabbix.com/browse/ZBX-5924

References:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697443
[3] http://www.openwall.com/lists/oss-security/2013/01/02/1
[4] http://www.openwall.com/lists/oss-security/2013/01/03/1
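The difference between the two option values, as an added illustration that is not Zabbix or libcurl code: the weak setting (1) only asks whether the peer certificate carries a Common Name at all, so any validly signed certificate for any name passes, while the correct setting (2) requires that name to match the host the client asked for. The `peer_accepted` function below is a simplified re-implementation of that decision written for this example (the real matching rules in libcurl/OpenSSL are stricter); the host and attacker names are constructed.

```c
/* Added example (not Zabbix or libcurl code): what CURLOPT_SSL_VERIFYHOST
 * 1 versus 2 actually decides.  The matching logic is a simplified
 * re-implementation for illustration only; a real client should set the
 * option to 2L and let libcurl perform the check. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* The three documented values of CURLOPT_SSL_VERIFYHOST. */
#define VERIFYHOST_NONE   0L  /* no hostname check at all */
#define VERIFYHOST_EXISTS 1L  /* only require that a Common Name is present (the Zabbix bug) */
#define VERIFYHOST_MATCH  2L  /* require the certificate name to match the requested host */

/* Simplified name match: case-insensitive exact match, or a single
 * left-most wildcard label such as "*.example.com".  Assumption: this is
 * only enough to show the difference between the two modes. */
static int name_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        /* the wildcard must cover exactly one non-empty label */
        if (dot == NULL || dot == host) return 0;
        if (strchr(pattern + 2, '*') != NULL) return 0;
        return strcasecmp(pattern + 2, dot + 1) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Returns 1 if a client configured with `mode` would accept a peer whose
 * certificate carries Common Name `cert_cn` when connecting to
 * `requested_host`, 0 otherwise. */
int peer_accepted(long mode, const char *cert_cn, const char *requested_host) {
    switch (mode) {
    case VERIFYHOST_NONE:
        return 1;                                   /* anything goes */
    case VERIFYHOST_EXISTS:
        return cert_cn != NULL && cert_cn[0] != '\0'; /* any CN at all passes */
    case VERIFYHOST_MATCH:
        return cert_cn != NULL && name_matches(cert_cn, requested_host);
    default:
        return 0;
    }
}

int main(void) {
    /* Constructed scenario: the monitored endpoint is zabbix.example.com and
     * a man-in-the-middle presents a CA-signed certificate for its own name. */
    const char *host = "zabbix.example.com";
    const char *mitm_cn = "attacker.example.net";

    printf("VERIFYHOST=1 accepts MITM cert:    %d\n", peer_accepted(VERIFYHOST_EXISTS, mitm_cn, host));
    printf("VERIFYHOST=2 accepts MITM cert:    %d\n", peer_accepted(VERIFYHOST_MATCH, mitm_cn, host));
    printf("VERIFYHOST=2 accepts genuine cert: %d\n", peer_accepted(VERIFYHOST_MATCH, host, host));

    /* In a libcurl client the fix is the corresponding pair of setopt calls:
     *   curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
     *   curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);   // not 1L
     * (not compiled here so the example runs without libcurl). */
    return 0;
}
```

Run as written it prints 1, 0, 1: mode 1 lets the attacker's certificate through, mode 2 rejects it and still accepts the genuine one. VERIFYPEER must also stay enabled; VERIFYHOST only compares names and does nothing about an untrusted issuer.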
This issue affects the versions of the zabbix package, as shipped with Fedora releases 16 and 17. Please schedule an update.

--

This issue affects the version of the zabbix package, as shipped with Fedora EPEL 6. Please schedule an update.

--

This issue does not affect the version of the zabbix package, as shipped with Fedora EPEL 5 (it looks like certificate verification is not supported yet in version 1.4.7, currently shipped with Fedora EPEL 5).
Created zabbix tracking bugs for this issue

Affects: fedora-all [bug 892687]
Affects: epel-6 [bug 892688]
There's a zabbix20 package in EPEL 6 as well.
(In reply to comment #5)
> There's a zabbix20 package in EPEL 6 as well.

Thank you for pointing that out, Volker. Checking that one as well, then.
This issue affects the version of the zabbix20 package, as shipped with Fedora EPEL 6. Please schedule an update (once the final upstream patch is available).
Created zabbix20 tracking bugs for this issue

Affects: epel-6 [bug 893414]
This has already been corrected in Fedora and EPEL.