Debian Bug report logs -
#941036
cacti: CVE-2019-16723
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#941036
; Package src:cacti
.
(Mon, 23 Sep 2019 20:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Mon, 23 Sep 2019 20:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: cacti
Version: 1.2.6+ds1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/Cacti/cacti/issues/2964
Hi,
The following vulnerability was published for cacti, filling for
tracking the upstream issue. At time of writing, I think there was not
a patch upstream yet.
CVE-2019-16723[0]:
| In Cacti through 1.2.6, authenticated users may bypass authorization
| checks (for viewing a graph) via a direct graph_json.php request with
| a modified local_graph_id parameter.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16723
[1] https://github.com/Cacti/cacti/issues/2964
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#941036
; Package src:cacti
.
(Mon, 23 Sep 2019 20:33:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Gevers <elbrus@debian.org>
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Mon, 23 Sep 2019 20:33:09 GMT) (full text, mbox, link).
Message #10 received at 941036@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Salvatore,
Thanks for your report.
On 23-09-2019 22:20, Salvatore Bonaccorso wrote:
> The following vulnerability was published for cacti, filling for
> tracking the upstream issue. At time of writing, I think there was not
> a patch upstream yet.
I think there is:
https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264
It mentioned the wrong issue, as documented here:
https://github.com/Cacti/cacti/commit/de3833b0414383efc9e075dd13c95925e2ca504c
Paul
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#941036
; Package src:cacti
.
(Tue, 24 Sep 2019 04:03:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Tue, 24 Sep 2019 04:03:07 GMT) (full text, mbox, link).
Message #15 received at 941036@bugs.debian.org (full text, mbox, reply):
Hi Paul,
On Mon, Sep 23, 2019 at 10:28:31PM +0200, Paul Gevers wrote:
> Hi Salvatore,
>
> Thanks for your report.
>
> On 23-09-2019 22:20, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for cacti, filling for
> > tracking the upstream issue. At time of writing, I think there was not
> > a patch upstream yet.
>
> I think there is:
> https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264
>
> It mentioned the wrong issue, as documented here:
> https://github.com/Cacti/cacti/commit/de3833b0414383efc9e075dd13c95925e2ca504c
"Ack", thank you!
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Sep 24 16:46:00 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.