cacti: Incomplete fix for CVE-2016-2313

Related Vulnerabilities: CVE-2016-2313  

Debian Bug report logs - #833420


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 4 Aug 2016 06:27:02 UTC

Severity: important

Tags: fixed-upstream, upstream

Found in versions cacti/0.8.8b+dfsg-8+deb8u5, cacti/0.8.8h+ds1-4, cacti/0.8.8a+dfsg-5+deb7u9

Fixed in version cacti/0.8.8h+ds1-5

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.cacti.net/view.php?id=2697




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#833420; Package src:cacti. (Thu, 04 Aug 2016 06:27:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 04 Aug 2016 06:27:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: Incomplete fix for CVE-2016-2313
Date: Thu, 04 Aug 2016 08:22:30 +0200
Source: cacti
Version: 0.8.8h+ds1-4
Severity: important
Tags: security upstream
Forwarded: http://bugs.cacti.net/view.php?id=2697

Hi Paul,

As originally reported in [0,1], the fix for CVE-2016-2313 seems
incomplete. This affects the unstable version and the version which is
waiting in jessie-proposed-updates.

Filing the bug to track the issue.

 [0] https://lists.debian.org/debian-lts/2016/07/msg00164.html
 [1] http://bugs.cacti.net/view.php?id=2697

Regards,
Salvatore



Marked as found in versions cacti/0.8.8b+dfsg-8+deb8u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 04 Aug 2016 06:33:06 GMT)


Marked as found in versions cacti/0.8.8a+dfsg-5+deb7u9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 04 Aug 2016 06:33:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#833420; Package src:cacti. (Thu, 04 Aug 2016 08:27:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 04 Aug 2016 08:27:11 GMT)


Message #14 received at 833420@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 833420@bugs.debian.org
Subject: Re: Bug#833420: cacti: Incomplete fix for CVE-2016-2313
Date: Thu, 4 Aug 2016 10:23:17 +0200
Control: tags -1 - security

Removing the security tag. If I understand it correctly, the
incomplete fix has no direct security implication, but is considered
a regression in functionality (guests cannot log in anymore). So I guess
this does not need a separate CVE for the incomplete fix applied.

Regards,
Salvatore



Removed tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to 833420-submit@bugs.debian.org. (Thu, 04 Aug 2016 08:27:11 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 15 Aug 2016 18:00:21 GMT)


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Mon, 05 Sep 2016 22:21:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 05 Sep 2016 22:21:11 GMT)


Message #23 received at 833420-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 833420-close@bugs.debian.org
Subject: Bug#833420: fixed in cacti 0.8.8h+ds1-5
Date: Mon, 05 Sep 2016 22:19:55 +0000
Source: cacti
Source-Version: 0.8.8h+ds1-5

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 833420@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 05 Sep 2016 21:10:12 +0200
Source: cacti
Binary: cacti
Architecture: source
Version: 0.8.8h+ds1-5
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 833420
Changes:
 cacti (0.8.8h+ds1-5) unstable; urgency=medium
 .
   [ Emilio Pozuelo Monfort ]
   * CVE-2016-2313-guest-auth.patch:
     + Fix regression in the fix for CVE-2016-2313 that broke guest user
       logins. Thanks to Matus Uhlar for the report. (Closes: #833420)
 .
   [ Paul Gevers ]
   * Recommend default-mysql-server instead of MariaDB and MySQL




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Oct 2016 07:26:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:17:25 2019; Machine Name: buxtehude
