Updated zabbix package fixes security vulnerability
Publication date: 29 Oct 2014Modification date: 29 Oct 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-3005
Description
It was reported that the Zabbix frontend supported an XML data import feature, where on the server it used DOMDocument to parse the XML. By default, DOMDocument also parses the external DTD, which could allow a remote attacker to use a crafted XML file causing Zabbix to read an arbitrary local file, and send the contents of the specified file to a remote server (CVE-2014-3005).
References
- https://bugs.mageia.org/show_bug.cgi?id=13628
- https://support.zabbix.com/browse/ZBX-8151
- http://www.zabbix.com/rn2.0.12.php
- http://www.zabbix.com/rn2.0.13.php
- https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134885.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3005
SRPMS
3/core
- zabbix-2.0.13-1.mga3
4/core
- zabbix-2.0.13-1.mga4