Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202101-11 ] Zabbix: Root privilege escalation
Date: Thu, 21 Jan 2021 19:35:16
Message-Id: YAnT6zb13CZF/ezY@samurai
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 202101-11
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Zabbix: Root privilege escalation
9 Date: January 21, 2021
10 Bugs: #629882, #629884
11 ID: 202101-11
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities were discovered in Gentoo's ebuild for Zabbix
19 which could lead to root privilege escalation.
20
21 Background
22 ==========
23
24 Zabbix is software for monitoring applications, networks, and servers.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 net-analyzer/zabbix < 4.4.6 >= 3.0.30:0/3.0
33 >= 4.0.18:0/4.0
34
35 Description
36 ===========
37
38 It was discovered that Gentoo's Zabbix ebuild did not properly set
39 permissions or placed the pid file in an unsafe directory.
40
41 Impact
42 ======
43
44 A local attacker could escalate privileges.
45
46 Workaround
47 ==========
48
49 There is no known workaround at this time.
50
51 Resolution
52 ==========
53
54 All Zabbix 3.0.x users should upgrade to the latest version:
55
56 # emerge --sync
57 # emerge --ask --oneshot -v ">=net-analyzer/zabbix-3.0.30:0/3.0"
58
59 All Zabbix 4.0.x users should upgrade to the latest version:
60
61 # emerge --sync
62 # emerge --ask --oneshot -v ">=net-analyzer/zabbix-4.0.18:0/4.0"
63
64 All other Zabbix users should upgrade to the latest version:
65
66 # emerge --sync
67 # emerge --ask --oneshot --verbose ">=net-analyzer/zabbix-4.4.6"
68
69 References
70 ==========
71
72
73 Availability
74 ============
75
76 This GLSA and any updates to it are available for viewing at
77 the Gentoo Security Website:
78
79 https://security.gentoo.org/glsa/202101-11
80
81 Concerns?
82 =========
83
84 Security is a primary focus of Gentoo Linux and ensuring the
85 confidentiality and security of our users' machines is of utmost
86 importance to us. Any security concerns should be addressed to
87 security@g.o or alternatively, you may file a bug at
88 https://bugs.gentoo.org.
89
90 License
91 =======
92
93 Copyright 2021 Gentoo Foundation, Inc; referenced text
94 belongs to its owner(s).
95
96 The contents of this document are licensed under the
97 Creative Commons - Attribution / Share Alike license.
98
99 https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature