Debian Bug report logs -
#561338
CVE-2009-4032: multiple XSS issues
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Wed, 16 Dec 2009 11:33:02 UTC
Severity: grave
Tags: patch, security
Fixed in version 0.8.7e-1.1
Done: Steffen Joeris <steffen.joeris@skolelinux.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sean Finney <seanius@debian.org>
:
Bug#561338
; Package cacti
.
(Wed, 16 Dec 2009 11:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sean Finney <seanius@debian.org>
.
(Wed, 16 Dec 2009 11:33:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: cacti
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cacti.
CVE-2009-4032[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e
| allow remote attackers to inject arbitrary web script or HTML via
| vectors related to (1) graph.php, (2) include/top_graph_header.php,
| (3) lib/html_form.php, and (4) lib/timespan_settings.php, as
| demonstrated by the (a) graph_end or (b) graph_start parameters to
| graph.php; (c) the date1 parameter in a tree action to graph_view.php;
| and the (d) page_refresh and (e) default_dual_pane_width parameters to
| graph_settings.php.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Uploaded NMU patch attached.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4032
http://security-tracker.debian.org/tracker/CVE-2009-4032
[nmu.patch (text/x-diff, attachment)]
Reply sent
to Steffen Joeris <steffen.joeris@skolelinux.de>
:
You have taken responsibility.
(Wed, 16 Dec 2009 11:51:04 GMT) (full text, mbox, link).
Notification sent
to Steffen Joeris <steffen.joeris@skolelinux.de>
:
Bug acknowledged by developer.
(Wed, 16 Dec 2009 11:51:04 GMT) (full text, mbox, link).
Message #10 received at 561338-done@bugs.debian.org (full text, mbox, reply):
Version: 0.8.7e-1.1
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Thu, 21 Jan 2010 07:32:26 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:50:37 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.