Bugzilla – Bug 1019810
[server:monitoring] CVE-2016-10134: Re: CVE Request: Zabbix: SQL injection vulnerabilities in "Latest data"
Last modified: 2017-01-22 20:21:53 UTC
CVE-2016-10134: failure to sanitize input in the toggle_ids array in the latest.php page.

https://support.zabbix.com/browse/ZBX-11023
https://bugs.debian.org/850936

Use CVE-2016-10134. The scope of this CVE does not include the "2016 Sep 07 18:41" comment of "could it be that jsrpc.php was affected, too ? if so, the changelog entry should probably be changed to either include all affected endpoints, or at least not exclusively mention latest data." If there is an exploitable problem other than with the latest.php?toggle_ids[]= attack vector, then it should have a separate CVE ID.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10134
http://seclists.org/oss-sec/2017/q1/79
(not in any openSUSE distribution as far as I see; please check if the s:m version is up to date)
Version 3.0.7, which is in server:monitoring:zabbix zabbix30, is the fixed one. The idea of zabbix in server:monitoring is that it should/would eventually be replaced with the version from server:monitoring:zabbix. Versions 2.2.14 (in s:m) and 3.0.7 (in s:m:zabbix) are LTS releases and both are fixed.
Packages were already updated.