cacti: CVE-2014-2708 CVE-2014-2709

Related Vulnerabilities: CVE-2014-2708, CVE-2014-2709, CVE-2014-2327, CVE-2014-2326, CVE-2014-2328

Debian Bug report logs - #743565


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 3 Apr 2014 19:33:01 UTC

Severity: grave

Tags: security, upstream

Found in version cacti/0.8.7g-1+squeeze3

Fixed in version cacti/0.8.8b+dfsg-4

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#743565; Package cacti. (Thu, 03 Apr 2014 19:33:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 03 Apr 2014 19:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2014-2708 CVE-2014-2709
Date: Thu, 03 Apr 2014 21:30:56 +0200
Package: cacti
Severity: grave
Tags: security upstream

Dear cacti maintainers

Two more vulnerabilities were published/CVE assigned for cacti.

CVE-2014-2708[0] and CVE-2014-2709[1]. For the CVE assignment details
see [2]. For these there is upstream commit [3] (both CVEs are addressed
in the same commit).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2708
    https://security-tracker.debian.org/tracker/CVE-2014-2708
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2709
    https://security-tracker.debian.org/tracker/CVE-2014-2709
[2] http://seclists.org/oss-sec/2014/q2/15
[3] http://svn.cacti.net/viewvc?view=rev&revision=7439

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#743565; Package cacti. (Sat, 05 Apr 2014 07:42:05 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Sat, 05 Apr 2014 07:42:05 GMT)


Message #10 received at 743565@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: security@debian.org, 743565@bugs.debian.org
Subject: Re: Bug#743565: cacti: CVE-2014-2708 CVE-2014-2709
Date: Sat, 05 Apr 2014 09:38:56 +0200
Control: found -1 0.8.7g-1+squeeze3
Control: found 742768 0.8.7g-1+squeeze3

On 04/03/14 21:30, Salvatore Bonaccorso wrote:
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Hi security team,

Do you consider these vulnerabilities severe enough to require fixing
through security updates, or is the update via (old-)stable-updates good
enough? The last fix, for CVE-2014-2327, is still being made, but I can
(and am preparing to) upload fixes for the other four current CVE issues.
Do you want me to get the current fixes in already, or wait one more week
to get all five fixes into Debian in one go? (For the record, I will
upload the four fixes to sid real soon anyway.)

Paul



Marked as found in versions cacti/0.8.7g-1+squeeze3. Request was from Paul Gevers <elbrus@debian.org> to 743565-submit@bugs.debian.org. (Sat, 05 Apr 2014 07:42:05 GMT)


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sat, 05 Apr 2014 12:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 05 Apr 2014 12:51:05 GMT)


Message #17 received at 743565-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 743565-close@bugs.debian.org
Subject: Bug#743565: fixed in cacti 0.8.8b+dfsg-4
Date: Sat, 05 Apr 2014 12:48:28 +0000
Source: cacti
Source-Version: 0.8.8b+dfsg-4

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 743565@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 05 Apr 2014 13:03:22 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8b+dfsg-4
Distribution: unstable
Urgency: high
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description: 
 cacti      - web interface for graphing of monitoring systems
Closes: 743565
Changes: 
 cacti (0.8.8b+dfsg-4) unstable; urgency=high
 .
   * Security update (Closes: 743565)
     - CVE-2014-2326 Cross-site scripting (XSS) vulnerability
     - CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
     - CVE-2014-2708 SQL injection
     - CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
   * Bump standards (no changes needed)
   * Fix VCS-Browser field
   * Fix license paragraph of jstree (Thanks lintian)
Checksums-Sha1: 
 5b1322e3283bd3bbf536a4ee496f84b81e3bc71f 1647 cacti_0.8.8b+dfsg-4.dsc
 bdefb6a140c87202a4cd6eef5911de15caaa4981 96224 cacti_0.8.8b+dfsg-4.debian.tar.xz
 5a01ed5aec578f9e2497edeeda512696ccd40e7d 1886376 cacti_0.8.8b+dfsg-4_all.deb
Checksums-Sha256: 
 bc3fd95653d2e5f69d9beb87d4e617b4750eb5b094bd0b74988c205a01b3803a 1647 cacti_0.8.8b+dfsg-4.dsc
 211560566e2e9649ade19929bf28461781ac090d06765131e4f6008b9651e429 96224 cacti_0.8.8b+dfsg-4.debian.tar.xz
 540aa80708b5ea1ec0498c57b8d259cb4d4ddc0a89ad7c1d46963efbf78edf52 1886376 cacti_0.8.8b+dfsg-4_all.deb
Files: 
 1deaa9d0bfa3c31c14c0de8ada258e46 1647 web extra cacti_0.8.8b+dfsg-4.dsc
 dca44600cfad9c2b77891087e1082948 96224 web extra cacti_0.8.8b+dfsg-4.debian.tar.xz
 d4feaf8a466b735f114e8f578d0344ab 1886376 web extra cacti_0.8.8b+dfsg-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJTP/daAAoJEJxcmesFvXUKZKIH/RnL/YfGsxJwm7IF/yDFTJAt
dLrzXIUCRR3jcsXUunGGv9yJFFbaGMdbtQs4C7FWF2JQ3XoHchrY9ayN3FUAT3wn
cXjv/ekWzHftcA9t7vdPNw7pnpyEQ4iVMyWGF8oeSS7Ml3qOYr187WcXY1HoCUBu
Mt5026h+0v0mfzLXCE96wmjXc05+8zhw1J+V+xXpORzKDdHB0EhJhZ5Z33L8Xw3l
4UN5KacE18WBPBpvceMDXZDK8/t9ofx778h4IW+rxWPbVOUqHhy1KkJnyh4MOF3g
tLtreNvKoAEf6IWA18+/ZICSUSiq+SutYOGfKHMG6sY/+xAou/xGm2dpJK3wz5c=
=i7wP
-----END PGP SIGNATURE-----
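The signed .changes stanza above carries SHA-1, SHA-256 and MD5 digests, each with the file size, for the three uploaded files. The Python below is an added example, not code from the bug log or from Debian's archive tooling: it parses such a stanza and checks a directory of downloaded files against it, reporting missing files, size mismatches and digest mismatches separately (size first, so a truncated download is not misreported as tampering). The stanza and files it builds are constructed for the demonstration (a file whose SHA-256 is the well-known digest of the bytes `hello\n`, plus tampered, truncated and absent copies); they are not the cacti files listed above. Matching digests only show the files are the ones the uploader signed; verifying the PGP signature on the stanza itself (for instance `gpg --verify` against the Debian keyring) is the step that authenticates the digests.

```python
"""Verify downloaded files against a .changes checksum stanza (added example)."""

import hashlib
import os
import tempfile

# Digest algorithm behind each per-file checksum field of a .changes file.
_ALGO_FOR_FIELD = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}


def parse_checksum_field(changes_text: str, field: str = "Checksums-Sha256") -> dict:
    """Return {filename: (hexdigest, size)} for one checksum field.

    The field name stands alone on its line; each file follows on a
    continuation line that starts with a space: "<digest> <size> ... <name>".
    The Files field also carries section and priority between size and
    name, so the name is read as the last token, not the third.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break  # first non-continuation line ends the field
            tokens = line.split()
            if len(tokens) < 3:
                raise ValueError("malformed checksum line: %r" % line)
            entries[tokens[-1]] = (tokens[0].lower(), int(tokens[1]))
    return entries


def verify_files(changes_text: str, directory: str, field: str = "Checksums-Sha256") -> dict:
    """Check every file named in `field` against `directory`.

    Returns {filename: problem}; an empty dict means everything matched.
    """
    algo = _ALGO_FOR_FIELD[field]
    problems = {}
    for name, (expected, size) in parse_checksum_field(changes_text, field).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            problems[name] = "size mismatch"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        if h.hexdigest() != expected:
            problems[name] = "digest mismatch"
    return problems


# Constructed sample stanza (not the cacti upload). HELLO_SHA256 is the
# SHA-256 of the six bytes b"hello\n"; the Files line is the MD5 of "".
HELLO_SHA256 = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
SAMPLE_CHANGES = """Format: 1.8
Source: example
Checksums-Sha256:
 %s 6 good.txt
 %s 6 tampered.txt
 %s 6 truncated.txt
 %s 6 absent.txt
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 web extra ignored.txt
""" % ((HELLO_SHA256,) * 4)


def demo() -> dict:
    """Write the constructed files into a temp dir and verify them."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.txt"), "wb") as f:
            f.write(b"hello\n")
        with open(os.path.join(d, "tampered.txt"), "wb") as f:
            f.write(b"hullo\n")  # same size, different content
        with open(os.path.join(d, "truncated.txt"), "wb") as f:
            f.write(b"hel")  # short download
        # absent.txt is deliberately never created
        return verify_files(SAMPLE_CHANGES, d)


if __name__ == "__main__":
    for name, problem in sorted(demo().items()):
        print("%s: %s" % (name, problem))
```

Run against a real download, point `verify_files` at the directory holding the .dsc, .debian.tar.xz and .deb and pass the full .changes text; an empty result means every listed file is present with the stated size and digest.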




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 04 May 2014 07:32:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:47:40 2019; Machine Name: beach
