Debian Bug report logs -
#742768
cacti: CVE-2014-2326 CVE-2014-2327 CVE-2014-2328
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Thu, 27 Mar 2014 07:03:01 UTC
Severity: grave
Tags: security
Found in version cacti/0.8.7g-1+squeeze3
Fixed in versions cacti/0.8.8b+dfsg-6, cacti/0.8.8a+dfsg-5+deb7u3, cacti/0.8.7g-1+squeeze4
Done: Paul Gevers <elbrus@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Thu, 27 Mar 2014 07:03:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Thu, 27 Mar 2014 07:03:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: cacti
Severity: grave
Tags: security
Justification: user security hole
Hi,
please see http://www.securityfocus.com/archive/1/531588 for details.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Thu, 27 Mar 2014 20:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Gevers <elbrus@debian.org>
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Thu, 27 Mar 2014 20:45:04 GMT) (full text, mbox, link).
Message #10 received at 742768@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On 27-03-14 07:47, Moritz Muehlenhoff wrote:
> please see http://www.securityfocus.com/archive/1/531588 for details.
Hi Moritz,
Thanks for the heads up, but that link is rather unclear and talks about
an old version of cacti. How is e.g. CVE-2014-2326 different than (the
already fixed) CVE-2013-5588, CVE-2010-2545, CVE-2010-2544 and
CVE-2010-2543?
And is CVE-2014-2328 not the same as CVE-2009-4112?
I see CVE-2014-2327 as being new though.
Paul
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Thu, 27 Mar 2014 20:48:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Gevers <elbrus@debian.org>
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Thu, 27 Mar 2014 20:48:08 GMT) (full text, mbox, link).
Message #15 received at 742768@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On 27-03-14 07:47, Moritz Muehlenhoff wrote:
> Package: cacti
> Severity: grave
> Tags: security
> Justification: user security hole
Oh, do you know if this is communicated upstream? I didn't see this on
the cacti list and don't see it in the bug tracker.
Pual
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Thu, 27 Mar 2014 22:12:24 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Thu, 27 Mar 2014 22:12:24 GMT) (full text, mbox, link).
Message #20 received at 742768@bugs.debian.org (full text, mbox, reply):
On Thu, Mar 27, 2014 at 09:46:11PM +0100, Paul Gevers wrote:
> On 27-03-14 07:47, Moritz Muehlenhoff wrote:
> > Package: cacti
> > Severity: grave
> > Tags: security
> > Justification: user security hole
>
> Oh, do you know if this is communicated upstream? I didn't see this on
> the cacti list and don't see it in the bug tracker.
I don't know, I only saw the announcement from Telekom CERT on bugtraq.
Maybe contact them at cert@telekom.de for more information.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Fri, 28 Mar 2014 07:54:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Gevers <elbrus@debian.org>
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Fri, 28 Mar 2014 07:54:05 GMT) (full text, mbox, link).
Message #25 received at 742768@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
As the maintainer of Cacti in Debian, I received [1] your security
report [2] on Cacti yesterday. I have several questions.
I didn't see any public communication with the upstream maintainers, so
I assume it was done in private. After releasing your CVE numbers,
wouldn't it been nice to report the issues also in the bug tracker of
cacti, so that contributors could maybe help?
I find your report rather vague, for one because it talks about
an old version of cacti (current version is 0.8.8b). How is e.g.
CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
if you found new issues? Maybe just explicitly stating the issues you found?
Furthermore, with the current description I hardly see a difference
between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
To me it seems you have a new point with CVE-2014-2327 though.
Paul Gevers.
Debian Cacti maintainer.
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
[2] http://www.securityfocus.com/archive/1/531588
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Mon, 31 Mar 2014 05:09:12 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Mon, 31 Mar 2014 05:09:12 GMT) (full text, mbox, link).
Message #30 received at 742768@bugs.debian.org (full text, mbox, reply):
Paul,
I created 3 bugs to fix the issues outlined. I'm still working on
CVE-2014-2327 as it will require a little more work to mitigate in the
Cacti code. As for your questions about past CVE, the currently
reported ones are valid from the reported version to the latest. Once I
have resolved the issue in CVE-2014-2327, I will post patches all the
way back to 0.8.7g to 0.8.8b. A new release is pending release after
testing is complete.
If you are logged into the bug system you should be able to read the
descriptions of the issues that I added as private comments.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
http://bugs.cacti.net/view.php?id=2431
CVE-2014-2327 Cross Site Request Forgery Vulnerability
http://bugs.cacti.net/view.php?id=2432
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
http://bugs.cacti.net/view.php?id=2433
Tony Roman
Cacti Developer
On 3/28/14, 3:52 AM, Paul Gevers wrote:
> Hi,
>
> As the maintainer of Cacti in Debian, I received [1] your security
> report [2] on Cacti yesterday. I have several questions.
>
> I didn't see any public communication with the upstream maintainers, so
> I assume it was done in private. After releasing your CVE numbers,
> wouldn't it been nice to report the issues also in the bug tracker of
> cacti, so that contributors could maybe help?
>
> I find your report rather vague, for one because it talks about
> an old version of cacti (current version is 0.8.8b). How is e.g.
> CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
> if you found new issues? Maybe just explicitly stating the issues you found?
>
> Furthermore, with the current description I hardly see a difference
> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
>
> To me it seems you have a new point with CVE-2014-2327 though.
>
> Paul Gevers.
> Debian Cacti maintainer.
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
> [2] http://www.securityfocus.com/archive/1/531588
>
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Mon, 31 Mar 2014 05:09:15 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Mon, 31 Mar 2014 05:09:15 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Mon, 31 Mar 2014 05:09:19 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Mon, 31 Mar 2014 05:09:19 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Mon, 31 Mar 2014 05:09:22 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Mon, 31 Mar 2014 05:09:22 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Mon, 31 Mar 2014 05:09:25 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Mon, 31 Mar 2014 05:09:25 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Mon, 31 Mar 2014 05:09:28 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Mon, 31 Mar 2014 05:09:29 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Mon, 31 Mar 2014 05:09:32 GMT) (full text, mbox, link).
Acknowledgement sent
to Tony Roman <troman@cacti.net>
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Mon, 31 Mar 2014 05:09:32 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Mon, 31 Mar 2014 05:09:35 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Mon, 31 Mar 2014 05:09:35 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Mon, 31 Mar 2014 05:09:39 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Mon, 31 Mar 2014 05:09:39 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Fri, 04 Apr 2014 07:00:05 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Fri, 04 Apr 2014 07:00:05 GMT) (full text, mbox, link).
Message #75 received at 742768@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Tony,
Just for your heads up. I was hoping to also se a fix for CVE-2014-2327
already, but I fully understand why that takes longer. Do you have any
idea how long it will take? Days, weeks, months? If the scale is bigger
than some small number of weeks, I will patch cacti in Debian already
with the fixes available.
You do know that Cacti got assigned two other CVE's for a fix you made
recently? CVE-2014-2708 and CVE-2014-2709:
http://seclists.org/oss-sec/2014/q2/15
Paul
On 03/31/14 06:46, Tony Roman wrote:
> Paul,
>
> I created 3 bugs to fix the issues outlined. I'm still working on
> CVE-2014-2327 as it will require a little more work to mitigate in the
> Cacti code. As for your questions about past CVE, the currently
> reported ones are valid from the reported version to the latest. Once I
> have resolved the issue in CVE-2014-2327, I will post patches all the
> way back to 0.8.7g to 0.8.8b. A new release is pending release after
> testing is complete.
>
> If you are logged into the bug system you should be able to read the
> descriptions of the issues that I added as private comments.
>
> CVE-2014-2326 Unspecified HTML Injection Vulnerability
> http://bugs.cacti.net/view.php?id=2431
>
> CVE-2014-2327 Cross Site Request Forgery Vulnerability
> http://bugs.cacti.net/view.php?id=2432
>
> CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
> http://bugs.cacti.net/view.php?id=2433
>
> Tony Roman
> Cacti Developer
>
> On 3/28/14, 3:52 AM, Paul Gevers wrote:
>> Hi,
>>
>> As the maintainer of Cacti in Debian, I received [1] your security
>> report [2] on Cacti yesterday. I have several questions.
>>
>> I didn't see any public communication with the upstream maintainers, so
>> I assume it was done in private. After releasing your CVE numbers,
>> wouldn't it been nice to report the issues also in the bug tracker of
>> cacti, so that contributors could maybe help?
>>
>> I find your report rather vague, for one because it talks about
>> an old version of cacti (current version is 0.8.8b). How is e.g.
>> CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
>> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
>> if you found new issues? Maybe just explicitly stating the issues you found?
>>
>> Furthermore, with the current description I hardly see a difference
>> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
>>
>> To me it seems you have a new point with CVE-2014-2327 though.
>>
>> Paul Gevers.
>> Debian Cacti maintainer.
>>
>> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
>> [2] http://www.securityfocus.com/archive/1/531588
>>
>
>
>
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Fri, 04 Apr 2014 07:00:08 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Fri, 04 Apr 2014 07:00:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Fri, 04 Apr 2014 07:00:11 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Fri, 04 Apr 2014 07:00:11 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Fri, 04 Apr 2014 07:00:14 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Fri, 04 Apr 2014 07:00:14 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Fri, 04 Apr 2014 07:00:17 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Fri, 04 Apr 2014 07:00:17 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Fri, 04 Apr 2014 07:00:21 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Fri, 04 Apr 2014 07:00:21 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Fri, 04 Apr 2014 07:00:24 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Fri, 04 Apr 2014 07:00:24 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Fri, 04 Apr 2014 07:00:27 GMT) (full text, mbox, link).
Acknowledgement sent
to developers@cacti.net
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Fri, 04 Apr 2014 07:00:27 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Fri, 04 Apr 2014 07:00:31 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Gevers <elbrus@debian.org>
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Fri, 04 Apr 2014 07:00:31 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
:
Bug#742768
; Package cacti
.
(Sat, 05 Apr 2014 02:09:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Tony Roman <troman@cacti.net>
:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
.
(Sat, 05 Apr 2014 02:09:10 GMT) (full text, mbox, link).
Message #120 received at 742768@bugs.debian.org (full text, mbox, reply):
Paul,
CVE-2014-2708 and CVE-2014-2709 are address in
http://bugs.cacti.net/view.php?id=2405
Security patch for the following has been posted on the Cacti site for
versions 0.8.7g to 0.8.8b:
- CVE-2014-2326 Unspecified HTML Injection Vulnerability
- CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
- CVE-2014-2708 Unspecified SQL Injection Vulnerability
- CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
As for CVE-2014-2327 Cross Site Request Forgery Vulnerability, I'm still
working on a solution. I have some limited time this weekend to work on
this fix. But I will be on the west coast for business this next week
and will have time at night to work on this fix. I plan on pushing
0.8.8c release to address this and other minor fixes in Cacti the
weekend of April 12th.
Tony
On 4/4/14, 2:56 AM, Paul Gevers wrote:
> Hi Tony,
>
> Just for your heads up. I was hoping to also se a fix for CVE-2014-2327
> already, but I fully understand why that takes longer. Do you have any
> idea how long it will take? Days, weeks, months? If the scale is bigger
> than some small number of weeks, I will patch cacti in Debian already
> with the fixes available.
>
> You do know that Cacti got assigned two other CVE's for a fix you made
> recently? CVE-2014-2708 and CVE-2014-2709:
> http://seclists.org/oss-sec/2014/q2/15
>
> Paul
>
>
> On 03/31/14 06:46, Tony Roman wrote:
>> Paul,
>>
>> I created 3 bugs to fix the issues outlined. I'm still working on
>> CVE-2014-2327 as it will require a little more work to mitigate in the
>> Cacti code. As for your questions about past CVE, the currently
>> reported ones are valid from the reported version to the latest. Once I
>> have resolved the issue in CVE-2014-2327, I will post patches all the
>> way back to 0.8.7g to 0.8.8b. A new release is pending release after
>> testing is complete.
>>
>> If you are logged into the bug system you should be able to read the
>> descriptions of the issues that I added as private comments.
>>
>> CVE-2014-2326 Unspecified HTML Injection Vulnerability
>> http://bugs.cacti.net/view.php?id=2431
>>
>> CVE-2014-2327 Cross Site Request Forgery Vulnerability
>> http://bugs.cacti.net/view.php?id=2432
>>
>> CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
>> http://bugs.cacti.net/view.php?id=2433
>>
>> Tony Roman
>> Cacti Developer
>>
>> On 3/28/14, 3:52 AM, Paul Gevers wrote:
>>> Hi,
>>>
>>> As the maintainer of Cacti in Debian, I received [1] your security
>>> report [2] on Cacti yesterday. I have several questions.
>>>
>>> I didn't see any public communication with the upstream maintainers, so
>>> I assume it was done in private. After releasing your CVE numbers,
>>> wouldn't it been nice to report the issues also in the bug tracker of
>>> cacti, so that contributors could maybe help?
>>>
>>> I find your report rather vague, for one because it talks about
>>> an old version of cacti (current version is 0.8.8b). How is e.g.
>>> CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
>>> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
>>> if you found new issues? Maybe just explicitly stating the issues you found?
>>>
>>> Furthermore, with the current description I hardly see a difference
>>> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
>>>
>>> To me it seems you have a new point with CVE-2014-2327 though.
>>>
>>> Paul Gevers.
>>> Debian Cacti maintainer.
>>>
>>> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
>>> [2] http://www.securityfocus.com/archive/1/531588
>>>
>>
>>
>>
>
Marked as found in versions cacti/0.8.7g-1+squeeze3.
Request was from Paul Gevers <elbrus@debian.org>
to 743565-submit@bugs.debian.org
.
(Sat, 05 Apr 2014 07:42:06 GMT) (full text, mbox, link).
Reply sent
to Paul Gevers <elbrus@debian.org>
:
You have taken responsibility.
(Wed, 25 Jun 2014 21:36:10 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@inutil.org>
:
Bug acknowledged by developer.
(Wed, 25 Jun 2014 21:36:10 GMT) (full text, mbox, link).
Message #127 received at 742768-close@bugs.debian.org (full text, mbox, reply):
Source: cacti
Source-Version: 0.8.8b+dfsg-6
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 25 Jun 2014 22:33:53 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8b+dfsg-6
Distribution: unstable
Urgency: high
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
cacti - web interface for graphing of monitoring systems
Closes: 742768 744067 752573
Changes:
cacti (0.8.8b+dfsg-6) unstable; urgency=high
.
* Add alternative php5-mysql | php5-mysqlnd (Closes: #744067)
* Security update (Closes: #742768, #752573)
- CVE-2014-2327 Cross Site Request Forgery Vulnerability
- CVE-2014-4002 Cross-Site Scripting Vulnerability
Checksums-Sha1:
cb0087d5f3770dea819440882c268c754ae0f0e3 1655 cacti_0.8.8b+dfsg-6.dsc
5a34a582d9c8677518a33234a4ad1ac8024ee61a 103284 cacti_0.8.8b+dfsg-6.debian.tar.xz
7b62b650d11502daed7091fbd7985634bfd59f54 1892594 cacti_0.8.8b+dfsg-6_all.deb
Checksums-Sha256:
f72c1022c8497784322e9bb3db94bff0f72ddbe2f38acfbc9f894236741a86d4 1655 cacti_0.8.8b+dfsg-6.dsc
18433ea70e341eff55c005ff1796018f546fa53ed1159e2cd69ec1c9a96168ec 103284 cacti_0.8.8b+dfsg-6.debian.tar.xz
ab5ab0a70f308814acb5f2fdb3b32e398e47567e005065d9fd3d60748470a7aa 1892594 cacti_0.8.8b+dfsg-6_all.deb
Files:
0aa31425f144e81ad972e6ec0aff7d9f 1892594 web extra cacti_0.8.8b+dfsg-6_all.deb
6de034dfcb0d7ecf5e6978bf61d9b45c 1655 web extra cacti_0.8.8b+dfsg-6.dsc
c06386ec36c90e07234da262dc2136e4 103284 web extra cacti_0.8.8b+dfsg-6.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBCAAGBQJTqzRsAAoJEJxcmesFvXUKseAIAKKzrFxl91WYCof/mF8pxeD9
OjOumQOUH/BSNDfsgou3Vk/hVsiMOZroSaEuTYDznfJPa1ajkFENHL5AySAD44xK
sdlHBlpDkp/KexgKBBV+2zxdokjk7BZrfVtJowEkfbVhTOErK+KnUhXmj3sK4tvi
sCQQQS4QNL8iRHVnMKuOQge3YKLiM9uWyA/fjS3LRqNCdNasvknWk2r+9xLBx4uK
wdmeYubm3oCjc+zWmq9RrhYIYTw0RKyXzk3EqPJHcsGeqsnIk6uYtYch014SRune
3XJWYF3Zj6cShJtFkwyEz/GxesSBs7E5ec/BduJKPzJqb8q24MzYsOtD7jH1AR0=
=2G1F
-----END PGP SIGNATURE-----
Reply sent
to Paul Gevers <elbrus@debian.org>
:
You have taken responsibility.
(Fri, 04 Jul 2014 07:54:24 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@inutil.org>
:
Bug acknowledged by developer.
(Fri, 04 Jul 2014 07:54:24 GMT) (full text, mbox, link).
Message #132 received at 742768-close@bugs.debian.org (full text, mbox, reply):
Source: cacti
Source-Version: 0.8.8a+dfsg-5+deb7u3
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 26 Jun 2014 21:01:50 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8a+dfsg-5+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
cacti - web interface for graphing of monitoring systems
Closes: 742768 743565 752573
Changes:
cacti (0.8.8a+dfsg-5+deb7u3) wheezy-security; urgency=high
.
* Security upload (Closes: #742768, #743565, #752573)
- CVE-2014-2326 Cross-site scripting (XSS) vulnerability
- CVE-2014-2327 Cross Site Request Forgery Vulnerability
- CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
- CVE-2014-2708 SQL injection
- CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
- CVE-2014-4002 Cross-Site Scripting Vulnerability
Checksums-Sha1:
9acdcd6e9e6b16603e2ee400197df3282a1e6b83 1683 cacti_0.8.8a+dfsg-5+deb7u3.dsc
1d3cc0a0c7ce926893644967ee151c4c4bc65466 121095 cacti_0.8.8a+dfsg-5+deb7u3.debian.tar.gz
49ce8a79add38a77e69a23f885df62888c8dcb3e 2147332 cacti_0.8.8a+dfsg-5+deb7u3_all.deb
Checksums-Sha256:
329bd24accebeab86ac701788a092b090454d80ec69c9c05d8ba0e2a13a7cb93 1683 cacti_0.8.8a+dfsg-5+deb7u3.dsc
c105e1fd8d185a26308343a0c2575fb350aa7555bf61da488a63ff40a3b183d5 121095 cacti_0.8.8a+dfsg-5+deb7u3.debian.tar.gz
8c9606571c58b135d3320ebf1222f924badd5172915dd69966c373467ab573e2 2147332 cacti_0.8.8a+dfsg-5+deb7u3_all.deb
Files:
724367875a4e43438b532c33cb59d853 1683 web extra cacti_0.8.8a+dfsg-5+deb7u3.dsc
8237f1100ca61743de8e0e4b2e5f2fab 121095 web extra cacti_0.8.8a+dfsg-5+deb7u3.debian.tar.gz
80c20926bb4e0502b0aae27d767631e0 2147332 web extra cacti_0.8.8a+dfsg-5+deb7u3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBCAAGBQJTrV5RAAoJEJxcmesFvXUKMGgH/jYf08AmZzl0hsK7UIengiAi
iN1twNHRlyPfL1/YkirbQFHpPHeas49VbEN5geqMbSLHRRyfJ/ftz7w33Oxt20ON
GSWHNSAcT9GXjhe8LuAZlxRFnf7No70K0hRJ91yEeHrA/lbtpgInIcwot9yyKZDk
xmxNf+uPk0ultoTC6JxoSVaDwyj/GxCH9Dzy86sq3DSByhEk+4NYAs6WsXfFIMuj
aQqf1rUwIlHWA3+Hfr0qfRozEKKJFcoZaqZkFjbBQ9ueDUV03qmWeog1n7ujkCkf
D7Kerx+u7XPcuOgFKCs1DPHIWkAjHLA+Y03yJTPtE/5p2G6ENI85UCoTlLXu5KU=
=TD4G
-----END PGP SIGNATURE-----
Reply sent
to Paul Gevers <elbrus@debian.org>
:
You have taken responsibility.
(Sat, 05 Jul 2014 17:21:05 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@inutil.org>
:
Bug acknowledged by developer.
(Sat, 05 Jul 2014 17:21:05 GMT) (full text, mbox, link).
Message #137 received at 742768-close@bugs.debian.org (full text, mbox, reply):
Source: cacti
Source-Version: 0.8.7g-1+squeeze4
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 05 Jul 2014 11:27:40 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7g-1+squeeze4
Distribution: squeeze-lts
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
cacti - Frontend to rrdtool for monitoring systems and services
Closes: 742768 743565 752573
Changes:
cacti (0.8.7g-1+squeeze4) squeeze-lts; urgency=high
.
* Security upload (Closes: #742768, #743565, #752573)
- CVE-2014-2326 Cross-site scripting (XSS) vulnerability
- CVE-2014-2327 Cross Site Request Forgery Vulnerability
- CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
- CVE-2014-2708 SQL injection
- CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
- CVE-2014-4002 Cross-Site Scripting Vulnerability
Checksums-Sha1:
0b1a8db6de23388eb333e3f31910e72f35ab512b 1443 cacti_0.8.7g-1+squeeze4.dsc
b88051b333e29b215dacfe07bd1cf684da866c53 59041 cacti_0.8.7g-1+squeeze4.diff.gz
71c19bf1d1ff3d4cbf5d1ef717dbdeaf314bd89b 2098348 cacti_0.8.7g-1+squeeze4_all.deb
Checksums-Sha256:
50961c0bcf6766c9f7493f785f7202fe73bfbfb04b576e5388875f56f846358e 1443 cacti_0.8.7g-1+squeeze4.dsc
1498c3a5ef269942c908a0d9bb24a10a29ebd126c7226c223f52e2171f7c7fb0 59041 cacti_0.8.7g-1+squeeze4.diff.gz
73cea4db7448c4ae2d311937c4f76f9fe2452f4933c7df6b1b6088ecb604b66e 2098348 cacti_0.8.7g-1+squeeze4_all.deb
Files:
5ef9a7d3c7e9753456a923c040276aa8 1443 web extra cacti_0.8.7g-1+squeeze4.dsc
ba7a61ce0ae89d4d19525001d0f98b56 59041 web extra cacti_0.8.7g-1+squeeze4.diff.gz
64be98d1231c4f5ac4a8039a8876cc2a 2098348 web extra cacti_0.8.7g-1+squeeze4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBCAAGBQJTuC2fAAoJEJxcmesFvXUKy4YH/1ETU150OPL6OeHY2EqCbz+4
wMk3kK0hNJv3JpmKlZ2dGdFggSigQTY33CtrR177skN3fjYauoIF+8UVL3BsU7Hg
/9+yMeJWQSGWL0k0NfKSOYGelbswY8yY/rTdBw5INXqaGn7xHaTb6iJ+1IIDKuGu
yxXAMtUpoQn4lJjvkBADPzVl8xE/lyLcNrQFn5owprC28MNGgz1IAGVklhVEj3OB
OFWnYRGCNihhDSW8z1JfLnf+FtUZ2utVsGG2b7JJCGuoAAnOkHQOdfmaq6l5Wq+G
VxA2Aa6S0ABnsJv0aNBMXKRcrutOPU7ElCzdOjNOcDYMyondy5GxwpRzM24XZT0=
=gTIS
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 03 Aug 2014 07:30:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:07:40 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.