[ZBX-5924] Possible security issue due to misuse of the libcurl API Created: 2012 Dec 02 Updated: 2020 Jul 16 Resolved: 2014 Jan 31 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Documentation (D), Proxy (P), Server (S) |
Affects Version/s: | 2.0.3 |
Fix Version/s: | 1.8.18rc1, 2.0.8rc1, 2.1.2 |
Type: | Defect (Security) | Priority: | Minor |
Reporter: | Dmitry Smirnov | Assignee: | Andris Zeila |
Resolution: | Fixed | Votes: | 2 |
Labels: | curl, security, ssl, trivial | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
Debian |
Description |
Alessandro Ghedini on behalf of Debian security team kindly shared his concerns regarding the following: We recently discovered that zabbix is using the libcurl API in a way that may not be what the original author intended. From the file "src/libs/zbxmedia/eztexting.c": if (CURLE_OK != (err = curl_easy_setopt(easy_handle, opt = CURLOPT_USERAGENT, "Zabbix " ZABBIX_VERSION)) || Setting the value to "1" does not enable the host checks (well, not all of them) From the libcurl documentation: > When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate Note that this should be fixed anyway, since as of curl v7.28.1 the value "1" is not a valid value |
Comments |
Comment by Oleksii Zagorskyi [ 2012 Dec 02 ] |
(1) Also it should be documented. wiper 2.0.8 2.2.0 Please review. zalex_ua Pretty simple and clear, thanks ! |
Comment by Henri Salo [ 2013 Jan 05 ] |
Please use CVE-2012-6086 for this issue. CVE request http://www.openwall.com/lists/oss-security/2013/01/02/1 |
Comment by Matthew Marlowe [ 2013 Jan 19 ] |
As the gentoo package maintainer for Zabbix, I'd like to mention that this issue has reached the attention of our security team, and that curl 7.28.1 is currently one of the releases available to our users....if this bug isn't addressed shortly, I'll need to update our package to indicate it is not compatible with newer versions of curl. |
Comment by Volker Fröhlich [ 2013 Apr 28 ] |
Please take the time to address this 5 month old CVE! |
Comment by Matthew Marlowe [ 2013 Jun 22 ] |
curl 7.29 has now gone stable in gentoo although prior versions are still supported, please resolve this bug....thanks. |
Comment by Andris Zeila [ 2013 Jul 29 ] |
Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-5924 |
Comment by Volker Fröhlich [ 2013 Jul 30 ] |
Backported to EPEL 5 and 6 zabbix20 packages, as well as zabbix 2.0 packages in Fedora. 1.8 in EPEL 6 remains to be done. |
Comment by Alexander Vladishev [ 2013 Jul 31 ] |
Successfully tested! |
Comment by Andris Zeila [ 2013 Jul 31 ] |
Released in: |
Comment by Volker Fröhlich [ 2013 Aug 04 ] |
Backported to 1.8 in EPEL 6 (1.8.17-2) |
Comment by richlv [ 2013 Oct 26 ] |
subissue (1) has not been closed zalex_ua Closed already. |