cacti: CVE-2019-11025 - XSS in utilities.php

Related Vulnerabilities: CVE-2019-11025  

Debian Bug report logs - #926700
cacti: CVE-2019-11025 - XSS in utilities.php


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 9 Apr 2019 10:33:01 UTC

Severity: important

Tags: security, upstream

Found in versions cacti/1.2.2+ds1-1, cacti/0.8.8h+ds1-10, cacti/0.8.8b+dfsg-8+deb8u6

Fixed in versions cacti/0.8.8b+dfsg-8+deb8u7, cacti/1.2.2+ds1-2

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/Cacti/cacti/issues/2581



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#926700; Package src:cacti. (Tue, 09 Apr 2019 10:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 09 Apr 2019 10:33:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2019-11025
Date: Tue, 09 Apr 2019 12:28:58 +0200
Source: cacti
Version: 1.2.2+ds1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Cacti/cacti/issues/2581

Hi,

The following vulnerability was published for cacti.

CVE-2019-11025[0]:
| In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping
| occurs before printing out the value of the SNMP community string
| (SNMP Options) in the View poller cache, leading to XSS.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11025
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11025
[1] https://github.com/Cacti/cacti/issues/2581

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
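The CVE text above describes the classic stored XSS shape: a value that an administrator stores (here the SNMP community string) is later printed into an HTML page without escaping. The following PHP is an added illustration written for this page, not Cacti's own code from utilities.php; the function names, the attribute context and the sample community string are all constructed assumptions. It places the unescaped pattern beside the hardened one so the difference at the output boundary is visible.

```php
<?php
// Added illustration (not Cacti's code): printing a stored value raw versus
// HTML-escaping it at the output boundary. All names here are hypothetical.

// Escape a value for insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, which would otherwise mask the problem.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the stored community string is echoed unchanged, so any
// markup inside it becomes part of the page (stored XSS).
function render_filter_unsafe(string $snmp_community): string
{
    return '<input type="text" name="filter" value="' . $snmp_community . '">';
}

// Hardened pattern: same template, but the value is escaped where it is printed.
// The stored value itself is left untouched, since it is still needed verbatim
// for the actual SNMP queries.
function render_filter_safe(string $snmp_community): string
{
    return '<input type="text" name="filter" value="' . html_escape($snmp_community) . '">';
}

// Constructed sample: a community string that carries markup and a closing quote.
$community = 'public"><script>alert(1)</script>';

$unsafe = render_filter_unsafe($community);
$safe   = render_filter_safe($community);

echo "Unescaped output:\n" . $unsafe . "\n\n";
echo "Escaped output:\n" . $safe . "\n\n";

// Simple self-check: the raw render leaks a script element, the escaped one does not.
assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;'));
echo "Self-check passed.\n";
```

The fix belongs at the output boundary rather than at input: a community string is used verbatim on the wire, so stripping characters when it is saved would change what the poller sends, while escaping when it is rendered leaves the stored value intact and neutralises it only in the HTML context.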



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#926700; Package src:cacti. (Tue, 09 Apr 2019 18:30:06 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 09 Apr 2019 18:30:06 GMT) (full text, mbox, link).


Message #10 received at 926700@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 926700@bugs.debian.org
Subject: Re: Bug#926700: cacti: CVE-2019-11025
Date: Tue, 9 Apr 2019 20:26:31 +0200
[Message part 1 (text/plain, inline)]
Control: found -1 0.8.8h+ds1-10 0.8.8b+dfsg-8+deb8u6

Hi Salvatore,

On 09-04-2019 12:28, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed.

Doing so now. Thanks for the report.

Paul

[signature.asc (application/pgp-signature, attachment)]

Marked as found in versions cacti/0.8.8h+ds1-10. Request was from Paul Gevers <elbrus@debian.org> to control@bugs.debian.org. (Tue, 09 Apr 2019 18:33:06 GMT) (full text, mbox, link).


Marked as found in versions cacti/0.8.8b+dfsg-8+deb8u6. Request was from Paul Gevers <elbrus@debian.org> to control@bugs.debian.org. (Tue, 09 Apr 2019 18:33:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#926700; Package src:cacti. (Wed, 10 Apr 2019 14:54:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Wed, 10 Apr 2019 14:54:05 GMT) (full text, mbox, link).


Message #19 received at 926700@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: 926700@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: cacti: CVE-2019-11025:
Date: Wed, 10 Apr 2019 10:51:33 -0400
[Message part 1 (text/plain, inline)]
retitle 926700 cacti: CVE-2019-11025 - XSS in utilities.php
thanks

Hi all,

I've attached a patch that I intend to upload to jessie LTS. May I
also prepare an update for stretch based on this?


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-
[CVE-2019-11025.patch (text/x-patch, attachment)]

Changed Bug title to 'cacti: CVE-2019-11025 - XSS in utilities.php' from 'cacti: CVE-2019-11025'. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Wed, 10 Apr 2019 14:54:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#926700; Package src:cacti. (Wed, 10 Apr 2019 18:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Wed, 10 Apr 2019 18:45:06 GMT) (full text, mbox, link).


Message #26 received at 926700@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: Chris Lamb <lamby@debian.org>, 926700@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#926700: cacti: CVE-2019-11025:
Date: Wed, 10 Apr 2019 20:41:23 +0200
[Message part 1 (text/plain, inline)]
Hi Chris,

On 10-04-2019 16:51, Chris Lamb wrote:
> I've attached a patch that I intend to upload to jessie LTS. May I
> also prepare an update for stretch based on this?

I guess it doesn't matter for stable, but you have my blessing.

Paul

PS: I uploaded to sid yesterday, but I fear my key on the Debian keyring
was still marked as expired and the package was dropped.

[signature.asc (application/pgp-signature, attachment)]

Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Thu, 11 Apr 2019 12:06:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 11 Apr 2019 12:06:03 GMT) (full text, mbox, link).


Message #31 received at 926700-close@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>
To: 926700-close@bugs.debian.org
Subject: Bug#926700: fixed in cacti 1.2.2+ds1-2
Date: Thu, 11 Apr 2019 12:03:41 +0000
Source: cacti
Source-Version: 1.2.2+ds1-2

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926700@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 09 Apr 2019 20:42:38 +0200
Source: cacti
Architecture: source
Version: 1.2.2+ds1-2
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Closes: 926700
Changes:
 cacti (1.2.2+ds1-2) unstable; urgency=medium
 .
   * Add 0001-Resolving-Issue-2581.patch from upstream (Closes: #926700)
     CVE-2019-11025: In clearFilter() in utilities.php no escaping occurs
     before printing out the value of the SNMP community string (SNMP
     Options) in the View poller cache, leading to XSS.
Checksums-Sha1:
 30c70832c01af1d76c00868eeedbb02ebdcb4eb1 2451 cacti_1.2.2+ds1-2.dsc
 a93f3f3c6739f420a8beda701b43d7e89e07e476 53228 cacti_1.2.2+ds1-2.debian.tar.xz
Checksums-Sha256:
 cae011f5bdad9a85e93b430fd198563ab8d98880f9baf9c86f6d53513739f5d5 2451 cacti_1.2.2+ds1-2.dsc
 2f59bed7085bc5f9b0430bedb407ee15ea7efd123973d372358eb6728fd5f3e7 53228 cacti_1.2.2+ds1-2.debian.tar.xz
Files:
 9b8b58f46f6e379940cf2e4117af223f 2451 web optional cacti_1.2.2+ds1-2.dsc
 bb8df17986ac931fa8b231bf43f03d09 53228 web optional cacti_1.2.2+ds1-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#926700; Package src:cacti. (Mon, 15 Apr 2019 15:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 15 Apr 2019 15:33:05 GMT) (full text, mbox, link).


Message #36 received at 926700@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: 926700@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: cacti: CVE-2019-11025:
Date: Mon, 15 Apr 2019 11:23:36 -0400
Chris Lamb wrote:

> I've attached a patch that I intend to upload to jessie LTS. May I
> also prepare an update for stretch based on this?

Ping on this, security team?

Paul, looks like your upload landed in the end:

  https://bugs.debian.org/926700#31


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#926700; Package src:cacti. (Mon, 15 Apr 2019 21:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 15 Apr 2019 21:03:02 GMT) (full text, mbox, link).


Message #41 received at 926700@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Chris Lamb <lamby@debian.org>
Cc: 926700@bugs.debian.org, team@security.debian.org
Subject: Re: cacti: CVE-2019-11025:
Date: Mon, 15 Apr 2019 22:59:19 +0200
On Wed, Apr 10, 2019 at 10:51:33AM -0400, Chris Lamb wrote:
> retitle 926700 cacti: CVE-2019-11025 - XSS in utilities.php
> thanks
> 
> Hi all,
> 
> I've attached a patch that I intend to upload to jessie LTS. May I
> also prepare an update for stretch based on this?

I doubt this really warrants a DSA, but could be fixed in the
forthcoming stable update (or we postpone it for the next more
severe Cacti issue).

Cheers,
        Moritz



Marked as fixed in versions cacti/0.8.8b+dfsg-8+deb8u7. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Wed, 17 Apr 2019 11:09:04 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 16 May 2019 07:25:51 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:33:13 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.