Advisories ยป MGASA-2014-0433

Updated zabbix package fixes security vulnerability

Publication date: 29 Oct 2014
Modification date: 29 Oct 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-3005

Description

It was reported that the Zabbix frontend supported an XML data import feature,
where on the server it used DOMDocument to parse the XML.  By default,
DOMDocument also parses the external DTD, which could allow a remote attacker
to use a crafted XML file causing Zabbix to read an arbitrary local file, and
send the contents of the specified file to a remote server (CVE-2014-3005).
                

References

SRPMS

3/core

4/core