The current zabbix ports version is vulnerable. Please update it to the latest release: http://www.zabbix.com/rn1.8.10.php. See '[ZBX-4015] fixed multiple XSS issues' PR.

Maintainer of net-mgmt/zabbix-server,

Please note that PR ports/163691 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it.

The full text of the PR can be found at:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/163691

--
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org

State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)

crees 2011-12-29 11:19:26 UTC

FreeBSD ports repository

Modified files:
  net-mgmt/zabbix-frontend Makefile
Log:
  Mark FORBIDDEN; multiple XSS vulnerabilities

  PR: ports/163691
  Submitted by: Pavel Timofeev <timp87@gmail.com>
  Obtained from: https://support.zabbix.com/browse/ZBX-4015
  Security: ZBX-4015

Revision  Changes  Path
1.5       +2 -0    ports/net-mgmt/zabbix-frontend/Makefile
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

crees 2011-12-29 13:04:24 UTC

FreeBSD ports repository

Modified files:
  security/vuxml vuln.xml
Log:
  Document XSS vulnerability in net-mgmt/zabbix-frontend

  PR: ports/163691
  Obtained from: https://support.zabbix.com/browse/ZBX-4015
  Security: ZBX-4015

Revision  Changes  Path
1.2531    +27 -1   ports/security/vuxml/vuln.xml

>Submitter-Id: current-users >Originator: Jim Riggs >Organization: >Confidential: no >Synopsis: Re: ports/163691: [vulnerable] please, update net-mgmt/zabbix-server to 1.8.10 >Severity: non-critical >Priority: low >Category: ports >Class: maintainer-update >Release: FreeBSD 8.2-RELEASE amd64 >Environment: System: FreeBSD packagebuild.peace.daveramsey.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 >Description: - Update to 1.8.10 Generated with FreeBSD Port Tools 0.99 >How-To-Repeat: >Fix: --- zabbix-server-1.8.10,2.patch begins here --- diff -ruN --exclude=CVS /usr/ports/net-mgmt/zabbix-server/Makefile /root/zabbix-server/Makefile --- /usr/ports/net-mgmt/zabbix-server/Makefile 2011-10-14 20:26:34.000000000 -0500 +++ /root/zabbix-server/Makefile 2011-12-29 07:17:52.580751271 -0600 @@ -6,7 +6,7 @@ # PORTNAME= zabbix -PORTVERSION= 1.8.8 +PORTVERSION= 1.8.10 PORTEPOCH= 2 CATEGORIES= net-mgmt MASTER_SITES= SF/zabbix/ZABBIX%20Latest%20Stable/${PORTVERSION} @@ -48,8 +48,6 @@ CONFIGURE_ARGS+= --enable-${ZABBIX_BUILD} .if ${ZABBIX_BUILD} != "agent" -CPPFLAGS+= -I${LOCALBASE}/include -CONFIGURE_ENV+= LDFLAGS="-L${LOCALBASE}/lib" LIB_DEPENDS= netsnmp:${PORTSDIR}/net-mgmt/net-snmp \ execinfo:${PORTSDIR}/devel/libexecinfo diff -ruN --exclude=CVS /usr/ports/net-mgmt/zabbix-server/distinfo /root/zabbix-server/distinfo --- /usr/ports/net-mgmt/zabbix-server/distinfo 2011-10-14 20:26:34.000000000 -0500 +++ /root/zabbix-server/distinfo 2011-12-29 07:16:16.306217215 -0600 
@@ -1,2 +1,2 @@ -SHA256 (zabbix-1.8.8.tar.gz) = 25eded2536213cf1c75631f2becf46349b915dd8782698f5b2936f5abb7eeb99 -SIZE (zabbix-1.8.8.tar.gz) = 4213181 +SHA256 (zabbix-1.8.10.tar.gz) = d965d23f2ce8c7ddee7a1532863a208fae28958e3fc0871e0229ffa06f88a54b +SIZE (zabbix-1.8.10.tar.gz) = 4217417 diff -ruN --exclude=CVS /usr/ports/net-mgmt/zabbix-server/pkg-plist.frontend /root/zabbix-server/pkg-plist.frontend --- /usr/ports/net-mgmt/zabbix-server/pkg-plist.frontend 2011-10-14 20:26:34.000000000 -0500 +++ /root/zabbix-server/pkg-plist.frontend 2011-12-29 07:26:44.520198505 -0600 @@ -25,6 +25,7 @@ %%WWWDIR%%/api/classes/class.cmediatype.php %%WWWDIR%%/api/classes/class.cproxy.php %%WWWDIR%%/api/classes/class.cscreen.php +%%WWWDIR%%/api/classes/class.cscreenitem.php %%WWWDIR%%/api/classes/class.cscript.php %%WWWDIR%%/api/classes/class.ctemplate.php %%WWWDIR%%/api/classes/class.ctrigger.php @@ -427,8 +428,6 @@ %%WWWDIR%%/styles/div.css %%WWWDIR%%/styles/form.css %%WWWDIR%%/styles/ie.css -%%WWWDIR%%/styles/ie_css_bb.css -%%WWWDIR%%/styles/ie_css_ob.css %%WWWDIR%%/styles/ie_css_od.css %%WWWDIR%%/styles/link.css %%WWWDIR%%/styles/p.css --- zabbix-server-1.8.10,2.patch ends here ---
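
Review bot: In the Makefile hunk at @@ -48,8 +48,6 @@, dropping the two lines CPPFLAGS+= -I${LOCALBASE}/include and CONFIGURE_ENV+= LDFLAGS="-L${LOCALBASE}/lib" is not covered by the description, which says only "Update to 1.8.10". Both lines sit inside the .if ${ZABBIX_BUILD} != "agent" block, directly above the net-snmp and libexecinfo LIB_DEPENDS, so the PR should say why the non-agent builds no longer need the LOCALBASE include and library paths and confirm that configure still finds both libraries without them. If that cannot be confirmed, keep the two lines and leave the removal for a separate change.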
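
Review bot: In the distinfo hunk, the new SHA256 and SIZE for zabbix-1.8.10.tar.gz are the only integrity pin for a tarball that is being pulled in as a security fix, and the PR does not say how they were produced. Before commit, fetch the distfile again from the MASTER_SITES given in the Makefile, regenerate distinfo with make makesum, and check that both values match the ones submitted here.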
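
Review bot: The pkg-plist.frontend hunks (class.cscreenitem.php added at @@ -25,6 +25,7 @@, ie_css_bb.css and ie_css_ob.css removed at @@ -427,8 +428,6 @@) change what the frontend port installs, yet the patch touches only files under net-mgmt/zabbix-server. net-mgmt/zabbix-frontend/Makefile was marked FORBIDDEN earlier in this PR for the ZBX-4015 XSS issues, so the commit that applies this update has to lift that marking too, otherwise the fixed frontend stays uninstallable. The plist should also be compared against an actual install of the 1.8.10 frontend to confirm the added file is present and the two removed stylesheets are gone from the release.
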
Responsible Changed
From-To: freebsd-ports-bugs->crees

I'll take it.

crees 2011-12-30 19:33:10 UTC

FreeBSD ports repository

Modified files:
  net-mgmt/zabbix-frontend Makefile
  net-mgmt/zabbix-server Makefile distinfo pkg-plist.frontend
Log:
  - Update to 1.8.10,2
  - Deforbid zabbix-frontend

  PR: ports/163691
  Submitted by: Jim Riggs <ports@christianserving.org> (maintainer)

Revision  Changes  Path
1.6       +0 -2    ports/net-mgmt/zabbix-frontend/Makefile
1.16      +1 -3    ports/net-mgmt/zabbix-server/Makefile
1.8       +2 -2    ports/net-mgmt/zabbix-server/distinfo
1.7       +2 -3    ports/net-mgmt/zabbix-server/pkg-plist.frontend

State Changed
From-To: feedback->closed

Update committed. Pavel, thanks for the heads-up, and Jim, thanks for the seriously fast update!