Debian Bug report logs -
#652371
[CVE-2011-4824] SQL injection issue in auth_login.php
Reported by: Florian Weimer <fw@deneb.enyo.de>
Date: Fri, 16 Dec 2011 20:09:02 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in versions cacti/0.8.7g-1, cacti/0.8.7b-2.1+lenny3
Fixed in versions cacti/0.8.7i-1, cacti/0.8.7b-2.1+lenny4, cacti/0.8.7g-1+squeeze1
Done: Mahyuddin Susanto <udienz@ubuntu.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#652371; Package cacti.
(Fri, 16 Dec 2011 20:09:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Sean Finney <seanius@debian.org>.
(Fri, 16 Dec 2011 20:09:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: cacti
Version: 0.8.7g-1
Tags: security upstream fixed-upstream
Severity: grave
Several vulnerabilities have been disclosed in cacti:
| SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h
| allows remote attackers to execute arbitrary SQL commands via the
| login_username parameter.
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4824>
The upstream announcement also mentions "Cross-site scripting issues":
<http://www.cacti.net/release_notes_0_8_7h.php>
Would you please fixed packages for lenny and squeeze and send a
source debdiff to the security team?
Information forwarded
to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#652371; Package cacti.
(Sat, 17 Dec 2011 17:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Mahyuddin Susanto <saya@udienz.web.id>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>.
(Sat, 17 Dec 2011 17:21:05 GMT) (full text, mbox, link).
Message #10 received at 652371@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 652371 patch
thanks
On Sat, Dec 17, 2011 at 3:07 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
> Package: cacti
> Version: 0.8.7g-1
> Tags: security upstream fixed-upstream
> Severity: grave
>
> Several vulnerabilities have been disclosed in cacti:
>
> | SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h
> | allows remote attackers to execute arbitrary SQL commands via the
> | login_username parameter.
>
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4824>
>
> The upstream announcement also mentions "Cross-site scripting issues":
> <http://www.cacti.net/release_notes_0_8_7h.php>
>
> Would you please fixed packages for lenny and squeeze and send a
> source debdiff to the security team?
>
>
>
Attached debdiff to fix CVE-2011-4824 in squeeze, for lenny i still
waiting my friend Paul from pkg-cacti
[cacti_0.8.7g-1squeeze1.dsc.debdiff (application/octet-stream, attachment)]
Added tag(s) patch.
Request was from Mahyuddin Susanto <saya@udienz.web.id>
to control@bugs.debian.org.
(Sat, 17 Dec 2011 17:21:09 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#652371; Package cacti.
(Sun, 18 Dec 2011 06:21:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Mahyuddin Susanto <udienz@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>.
(Sun, 18 Dec 2011 06:21:08 GMT) (full text, mbox, link).
Message #17 received at 652371@bugs.debian.org (full text, mbox, reply):
tag 652371 pending
thanks
Date: Sun Dec 18 13:18:42 2011 +0700
Author: Mahyuddin Susanto <udienz@ubuntu.com>
Commit ID: f85ba87b2476eb1edc01e4257e689fdf59ab18d4
Commit URL: http://git.debian.org/?p=pkg-cacti/cacti.git;a=commitdiff;h=f85ba87b2476eb1edc01e4257e689fdf59ab18d4
Patch URL: http://git.debian.org/?p=pkg-cacti/cacti.git;a=commitdiff_plain;h=f85ba87b2476eb1edc01e4257e689fdf59ab18d4
[SECURITY] Fixes SQL injection vulnerability in auth_login.php that allows remote attackers to execute arbitrary SQL commands via the login_username parameter. (Closes: #652371)
* [SECURITY] Fixes SQL injection vulnerability in auth_login.php that allows
remote attackers to execute arbitrary SQL commands via the login_username
parameter. (Closes: #652371)
- debian/patches/CVE-2011-4824.patch
- CVE-2011-4824
Added tag(s) pending.
Request was from Mahyuddin Susanto <udienz@ubuntu.com>
to control@bugs.debian.org.
(Sun, 18 Dec 2011 06:21:09 GMT) (full text, mbox, link).
Bug Marked as fixed in versions cacti/0.8.7i-1.
Request was from Mahyuddin Susanto <udienz@ubuntu.com>
to control@bugs.debian.org.
(Fri, 30 Dec 2011 19:51:05 GMT) (full text, mbox, link).
Bug Marked as found in versions cacti/0.8.7b-2.1+lenny3.
Request was from Mahyuddin Susanto <udienz@ubuntu.com>
to control@bugs.debian.org.
(Fri, 30 Dec 2011 19:51:06 GMT) (full text, mbox, link).
Reply sent
to Mahyuddin Susanto <udienz@ubuntu.com>:
You have taken responsibility.
(Mon, 09 Jan 2012 22:25:11 GMT) (full text, mbox, link).
Notification sent
to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.
(Mon, 09 Jan 2012 22:25:11 GMT) (full text, mbox, link).
Message #28 received at 652371-close@bugs.debian.org (full text, mbox, reply):
Source: cacti
Source-Version: 0.8.7b-2.1+lenny4
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive:
cacti_0.8.7b-2.1+lenny4.diff.gz
to main/c/cacti/cacti_0.8.7b-2.1+lenny4.diff.gz
cacti_0.8.7b-2.1+lenny4.dsc
to main/c/cacti/cacti_0.8.7b-2.1+lenny4.dsc
cacti_0.8.7b-2.1+lenny4_all.deb
to main/c/cacti/cacti_0.8.7b-2.1+lenny4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 652371@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mahyuddin Susanto <udienz@ubuntu.com> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 09 Jan 2012 02:30:39 +0700
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7b-2.1+lenny4
Distribution: lenny-security
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Mahyuddin Susanto <udienz@ubuntu.com>
Description:
cacti - Frontend to rrdtool for monitoring systems and services
Closes: 624516 652371
Changes:
cacti (0.8.7b-2.1+lenny4) lenny-security; urgency=high
.
[ Paul Gevers ]
* Patch for CVE-2010-1644: XSS issues in host.php and data_sources.php
Closes: #624516
* Patch for CVE-2010-1645: which allows execution of arbitrary commands
by admins
* Patch for CVE-2010-2543: XSS issues in include/top_graph_header.php
* Patch for CVE-2010-2545: XSS issues in multiple files
.
[ Mahyuddin Susanto ]
* [SECURITY] Fixes SQL injection vulnerability in auth_login.php that allows
remote attackers to execute arbitrary SQL commands via the login_username
parameter. (Closes: #652371)
- debian/patches/CVE-2011-4824.patch
- CVE-2011-4824
Checksums-Sha1:
f4f3700ac4e7206036bb05920170db9c35b033b6 1117 cacti_0.8.7b-2.1+lenny4.dsc
55676c01d38c21718a1b9a2b1bd4e9a2f3b185e4 54204 cacti_0.8.7b-2.1+lenny4.diff.gz
88e98c2f4c00f145d9474636d2ed5ca8961b046d 1858138 cacti_0.8.7b-2.1+lenny4_all.deb
Checksums-Sha256:
6378ad9a79be93e5891913a7bd62e260dcd2d72b66b1afd600cf1f2816f8f132 1117 cacti_0.8.7b-2.1+lenny4.dsc
8302a04ae93c31ad1fca5c336703a1645d7badf90a9532561ae58672335c5c7d 54204 cacti_0.8.7b-2.1+lenny4.diff.gz
a8400cbfd20396532788ce962870fc9d7b21a2cf3e9d255de257c1c524aa35c1 1858138 cacti_0.8.7b-2.1+lenny4_all.deb
Files:
ce153cfe059970a8e6d5d397cc40933d 1117 web extra cacti_0.8.7b-2.1+lenny4.dsc
806e5fbc69010e44c1ddc8260eaa1f6a 54204 web extra cacti_0.8.7b-2.1+lenny4.diff.gz
25857fbf4dfeef3f3e976afa0ffd824d 1858138 web extra cacti_0.8.7b-2.1+lenny4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk8KDcQACgkQ5UTeB5t8Mo0V4QCgjwfTqT3d/v6l72wYEIDGzsxI
6rMAoKRgIXSfWIsH5TuUHB5y/cPctvu5
=PZ/k
-----END PGP SIGNATURE-----
Reply sent
to Mahyuddin Susanto <udienz@ubuntu.com>:
You have taken responsibility.
(Mon, 09 Jan 2012 22:25:13 GMT) (full text, mbox, link).
Notification sent
to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.
(Mon, 09 Jan 2012 22:25:13 GMT) (full text, mbox, link).
Message #33 received at 652371-close@bugs.debian.org (full text, mbox, reply):
Source: cacti
Source-Version: 0.8.7g-1+squeeze1
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive:
cacti_0.8.7g-1+squeeze1.diff.gz
to main/c/cacti/cacti_0.8.7g-1+squeeze1.diff.gz
cacti_0.8.7g-1+squeeze1.dsc
to main/c/cacti/cacti_0.8.7g-1+squeeze1.dsc
cacti_0.8.7g-1+squeeze1_all.deb
to main/c/cacti/cacti_0.8.7g-1+squeeze1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 652371@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mahyuddin Susanto <udienz@ubuntu.com> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 29 Dec 2011 16:34:51 +0700
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7g-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Mahyuddin Susanto <udienz@ubuntu.com>
Description:
cacti - Frontend to rrdtool for monitoring systems and services
Closes: 652371
Changes:
cacti (0.8.7g-1+squeeze1) stable-security; urgency=high
.
* Team upload.
* [SECURITY] Fixes SQL injection vulnerability in auth_login.php that allows
remote attackers to execute arbitrary SQL commands via the login_username
parameter. (Closes: #652371)
- debian/patches/CVE-2011-4824.patch
- CVE-2011-4824
Checksums-Sha1:
a5e867ca33507f949e40e5a422b3105bfe75c075 1149 cacti_0.8.7g-1+squeeze1.dsc
a5a710653e158b1bc950de0a1e2c60ee364bf782 2236916 cacti_0.8.7g.orig.tar.gz
6804b7b351070a6fbbeccaadbbaa981a8197f388 42726 cacti_0.8.7g-1+squeeze1.diff.gz
7fd6ad6808f44dc5c8c13e04a8baa0bfe57d07be 2096486 cacti_0.8.7g-1+squeeze1_all.deb
Checksums-Sha256:
eab7e1db89714acbf4d32806b3ecebeed4aad37056560558b754c14b1d394937 1149 cacti_0.8.7g-1+squeeze1.dsc
d09b3bf54f51bd42b2db0a62521cf6e408716978f75d6509ec56027c49c44585 2236916 cacti_0.8.7g.orig.tar.gz
3daa545b7a7234578a5c09e6ffe5c56a0b84905f1446453076fd183e53292ed5 42726 cacti_0.8.7g-1+squeeze1.diff.gz
2703849d48ea745c242ab74854794a8b3e49b16b40ffa5fcd134feb01897219a 2096486 cacti_0.8.7g-1+squeeze1_all.deb
Files:
b38719889d4a9b7cb78907febc4a41be 1149 web extra cacti_0.8.7g-1+squeeze1.dsc
268421cb1a58d3444f7ecbddb4c4b016 2236916 web extra cacti_0.8.7g.orig.tar.gz
6304c4816a3226f0faee457c89e837c8 42726 web extra cacti_0.8.7g-1+squeeze1.diff.gz
3919d225859f837c5310e864479b740e 2096486 web extra cacti_0.8.7g-1+squeeze1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk8J5QsACgkQ5UTeB5t8Mo2kPwCgg+2DjrYi+hDBr6zOBrfyUtO4
XMcAn2fayreiy9zb7BcoIdGvuaDSOFoG
=xlES
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 10 Feb 2012 07:43:58 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:02:29 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon