cacti: CVE-2017-10970: XSS vulnerability via link.php


Debian Bug report logs - #867532

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 7 Jul 2017 04:39:01 UTC

Severity: serious

Tags: patch, security, upstream

Found in versions cacti/1.1.10+ds1-6, cacti/1.1.3+ds1-1

Fixed in version cacti/1.1.12+ds1-1

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/Cacti/cacti/issues/838



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#867532; Package src:cacti. (Fri, 07 Jul 2017 04:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Fri, 07 Jul 2017 04:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2017-10970: XSS vulnerability via link.php
Date: Fri, 07 Jul 2017 06:35:31 +0200
Source: cacti
Version: 1.1.10+ds1-6
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/Cacti/cacti/issues/838

Hi,

the following vulnerability was published for cacti.

CVE-2017-10970[0]:
| Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12
| allows remote anonymous users to inject arbitrary web script or HTML
| via the id parameter, related to the die_html_input_error function in
| lib/html_validate.php.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10970
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970
[1] https://github.com/Cacti/cacti/issues/838

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#867532; Package src:cacti. (Fri, 07 Jul 2017 04:51:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Fri, 07 Jul 2017 04:51:02 GMT)


Message #10 received at 867532@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 867532@bugs.debian.org
Subject: Re: Bug#867532: cacti: CVE-2017-10970: XSS vulnerability via link.php
Date: Fri, 7 Jul 2017 06:48:00 +0200
Upstream commit 11e7294de8e344765d6fefd8295ca01f6b0fa7a7 introduced:

better validation log messages

If there is an unchecked request variable, let the developer know what
variable and what it was set to.

Unless I'm completely mistaken that should be the commit which
introduced the issue. As such stretch and jessie should not be
affected.

Regards,
Salvatore
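The mechanism described in the two messages above (a validation helper that reports which request variable was unchecked and what it held, with link.php's id parameter as the input) reduces to one PHP pattern. The following is an added illustration written for this page, not Cacti's own code; the function names, message text and sample request value are hypothetical.

```php
<?php
// Added illustration, not Cacti's code: function names, message text and the
// sample request value are hypothetical. It shows why a "tell the developer
// which variable failed and what it held" helper is an XSS sink unless the
// value is escaped, and how the same helper looks once hardened.

// Vulnerable shape: the unvalidated request value is interpolated straight
// into the HTML response, so any markup in the parameter is rendered.
function die_html_input_error_unsafe(string $variable, $value): string
{
    return "<p>Validation error for variable $variable with value '$value'</p>";
}

// Hardened shape: escape name and value for an HTML text context.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE keeps invalid UTF-8
// from silently turning the whole message into an empty string.
function die_html_input_error_safe(string $variable, $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $text  = is_scalar($value) ? (string) $value : gettype($value);
    $name  = htmlspecialchars($variable, $flags, 'UTF-8');
    $shown = htmlspecialchars($text, $flags, 'UTF-8');
    return "<p>Validation error for variable $name with value '$shown'</p>";
}

// The error path is only reached because the value was never validated; a
// numeric id should be checked as a non-negative integer before any use.
function validated_id(array $request): ?int
{
    $id = filter_var($request['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Constructed sample request standing in for a link.php?id=... call.
$request = ['id' => '<script>alert(1)</script>'];

if (validated_id($request) === null) {
    echo "unsafe: ", die_html_input_error_unsafe('id', $request['id']), PHP_EOL;
    echo "safe:   ", die_html_input_error_safe('id', $request['id']), PHP_EOL;
}
```

Run with `php` from the command line; the first line reproduces the reflected markup, the second shows it neutralised as entity-encoded text.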



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#867532; Package src:cacti. (Fri, 07 Jul 2017 07:39:06 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Fri, 07 Jul 2017 07:39:06 GMT)


Message #15 received at 867532@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 867532@bugs.debian.org
Subject: Re: Bug#867532: cacti: CVE-2017-10970: XSS vulnerability via link.php
Date: Fri, 7 Jul 2017 09:36:13 +0200
Control: notfound -1 0.8.8h+ds1-10
Control: found -1 1.1.3+ds1-1
Control: severity -1 serious

On 07-07-17 06:48, Salvatore Bonaccorso wrote:
> Unless I'm completely mistaken that should be the commit which
> introduced the issue. As such stretch and jessie should not be
> affected.

I believe your conclusion is correct. Set affected versions accordingly.
Rather busy, but I should be able to fix this in unstable. Let's prevent
this issue migrating to testing.

Paul


Marked as found in versions cacti/1.1.3+ds1-1. Request was from Paul Gevers <elbrus@debian.org> to 867532-submit@bugs.debian.org. (Fri, 07 Jul 2017 07:39:06 GMT)


Severity set to 'serious' from 'important'. Request was from Paul Gevers <elbrus@debian.org> to 867532-submit@bugs.debian.org. (Fri, 07 Jul 2017 07:39:07 GMT)


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Fri, 07 Jul 2017 21:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 07 Jul 2017 21:06:03 GMT)


Message #24 received at 867532-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 867532-close@bugs.debian.org
Subject: Bug#867532: fixed in cacti 1.1.12+ds1-1
Date: Fri, 07 Jul 2017 21:03:55 +0000
Source: cacti
Source-Version: 1.1.12+ds1-1

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 07 Jul 2017 21:07:43 +0200
Source: cacti
Binary: cacti
Architecture: source
Version: 1.1.12+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 867532
Changes:
 cacti (1.1.12+ds1-1) unstable; urgency=medium
 .
   * New upstream release
   * CVE-2017-10970 XSS vulnerability via link.php fixed (Closes: #867532)
   * Add version to jquery-tablesorter
   * Make sure that autopkgtests at least run again





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 Aug 2017 07:26:57 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:06:13 2019; Machine Name: beach
