Updated zabbix packages fix multiple vulnerabilities
Publication date: 25 Feb 2014
Modification date: 25 Feb 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2013-5572, CVE-2014-1682, CVE-2014-1685
Description
Updated zabbix packages fix security vulnerabilities:
- Zabbix before 2.0.11 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code (CVE-2013-5572).
- Zabbix before 2.0.11 allows switching users without proper credentials when using HTTP authentication (CVE-2014-1682).
- In Zabbix before 2.0.11, the admin user is able to update media for other users (CVE-2014-1685).
References
- https://support.zabbix.com/browse/ZBX-6721
- https://support.zabbix.com/browse/ZBX-7693
- https://support.zabbix.com/browse/ZBX-7703
- http://www.zabbix.com/rn2.0.11.php
- https://bugs.mageia.org/show_bug.cgi?id=12574
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1682
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1685
SRPMS
4/core
- zabbix-2.0.11-1.mga4
3/core
- zabbix-2.0.11-1.mga3