cacti: CVE-2014-2326 CVE-2014-2327 CVE-2014-2328

Debian Bug report logs - #742768

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 27 Mar 2014 07:03:01 UTC

Severity: grave

Tags: security

Found in version cacti/0.8.7g-1+squeeze3

Fixed in versions cacti/0.8.8b+dfsg-6, cacti/0.8.8a+dfsg-5+deb7u3, cacti/0.8.7g-1+squeeze4

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#742768; Package cacti. (Thu, 27 Mar 2014 07:03:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 27 Mar 2014 07:03:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2014-2326 CVE-2014-2327 CVE-2014-2328
Date: Thu, 27 Mar 2014 07:47:10 +0100
Package: cacti
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see http://www.securityfocus.com/archive/1/531588 for details.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#742768; Package cacti. (Thu, 27 Mar 2014 20:45:04 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 27 Mar 2014 20:45:04 GMT)


Message #10 received at 742768@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 742768@bugs.debian.org
Subject: Re: Bug#742768: cacti: CVE-2014-2326 CVE-2014-2327 CVE-2014-2328
Date: Thu, 27 Mar 2014 21:43:51 +0100
On 27-03-14 07:47, Moritz Muehlenhoff wrote:
> please see http://www.securityfocus.com/archive/1/531588 for details.

Hi Moritz,

Thanks for the heads up, but that link is rather unclear and talks about
an old version of cacti. How is e.g. CVE-2014-2326 different from (the
already fixed) CVE-2013-5588, CVE-2010-2545, CVE-2010-2544 and
CVE-2010-2543?

And is CVE-2014-2328 not the same as CVE-2009-4112?

I see CVE-2014-2327 as being new though.

Paul


Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#742768; Package cacti. (Thu, 27 Mar 2014 20:48:08 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 27 Mar 2014 20:48:08 GMT)


Message #15 received at 742768@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 742768@bugs.debian.org
Subject: Re: Bug#742768: cacti: CVE-2014-2326 CVE-2014-2327 CVE-2014-2328
Date: Thu, 27 Mar 2014 21:46:11 +0100
On 27-03-14 07:47, Moritz Muehlenhoff wrote:
> Package: cacti
> Severity: grave
> Tags: security
> Justification: user security hole

Oh, do you know if this is communicated upstream? I didn't see this on
the cacti list and don't see it in the bug tracker.

Paul


Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#742768; Package cacti. (Thu, 27 Mar 2014 22:12:24 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 27 Mar 2014 22:12:24 GMT)


Message #20 received at 742768@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Paul Gevers <elbrus@debian.org>
Cc: 742768@bugs.debian.org
Subject: Re: Bug#742768: cacti: CVE-2014-2326 CVE-2014-2327 CVE-2014-2328
Date: Thu, 27 Mar 2014 23:00:37 +0100
On Thu, Mar 27, 2014 at 09:46:11PM +0100, Paul Gevers wrote:
> On 27-03-14 07:47, Moritz Muehlenhoff wrote:
> > Package: cacti
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> 
> Oh, do you know if this is communicated upstream? I didn't see this on
> the cacti list and don't see it in the bug tracker.

I don't know, I only saw the announcement from Telekom CERT on bugtraq.
Maybe contact them at cert@telekom.de for more information.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#742768; Package cacti. (Fri, 28 Mar 2014 07:54:05 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Fri, 28 Mar 2014 07:54:05 GMT)


Message #25 received at 742768@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: cert@telekom.de
Cc: Gandalf <gandalf@cacti.net>, browniebraun@cacti.net, cigamit@cacti.net, Linegod@cacti.net, rony@cacti.net, TheWitness@cacti.net, Tony Roman <troman@cacti.net>, 742768@bugs.debian.org
Subject: Regarding your cacti security report CVE-2014-2326 - 2328
Date: Fri, 28 Mar 2014 08:52:28 +0100
Hi,

As the maintainer of Cacti in Debian, I received [1] your security
report [2] on Cacti yesterday. I have several questions.

I didn't see any public communication with the upstream maintainers, so
I assume it was done in private. After releasing your CVE numbers,
wouldn't it have been nice to report the issues also in the bug tracker of
cacti, so that contributors could maybe help?

I find your report rather vague, for one because it talks about
an old version of cacti (current version is 0.8.8b). How is e.g.
CVE-2014-2326 different from (the already fixed) CVE-2013-5588,
CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
if you found new issues? Maybe just explicitly stating the issues you found?

Furthermore, with the current description I hardly see a difference
between CVE-2014-2328 and the (unresolved) CVE-2009-4112?

To me it seems you have a new point with CVE-2014-2327 though.

Paul Gevers.
Debian Cacti maintainer.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
[2] http://www.securityfocus.com/archive/1/531588

Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#742768; Package cacti. (Mon, 31 Mar 2014 05:09:12 GMT)


Acknowledgement sent to developers@cacti.net:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 31 Mar 2014 05:09:12 GMT)


Message #30 received at 742768@bugs.debian.org:

From: Tony Roman <troman@cacti.net>
To: developers@cacti.net
Cc: cert@telekom.de, Cacti Developers <developers@cacti.net>, 742768@bugs.debian.org
Subject: Re: Regarding your cacti security report CVE-2014-2326 - 2328
Date: Mon, 31 Mar 2014 00:46:15 -0400
Paul,

I created 3 bugs to fix the issues outlined.  I'm still working on
CVE-2014-2327 as it will require a little more work to mitigate in the
Cacti code.  As for your questions about past CVE, the currently
reported ones are valid from the reported version to the latest.  Once I
have resolved the issue in CVE-2014-2327, I will post patches all the
way back to 0.8.7g to 0.8.8b.  A new release is pending release after
testing is complete.

If you are logged into the bug system you should be able to read the
descriptions of the issues that I added as private comments.

CVE-2014-2326 Unspecified HTML Injection Vulnerability
  http://bugs.cacti.net/view.php?id=2431

CVE-2014-2327 Cross Site Request Forgery Vulnerability
  http://bugs.cacti.net/view.php?id=2432

CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
  http://bugs.cacti.net/view.php?id=2433

Tony Roman
Cacti Developer

On 3/28/14, 3:52 AM, Paul Gevers wrote:
> Hi,
> 
> As the maintainer of Cacti in Debian, I received [1] your security
> report [2] on Cacti yesterday. I have several questions.
> 
> I didn't see any public communication with the upstream maintainers, so
> I assume it was done in private. After releasing your CVE numbers,
> wouldn't it have been nice to report the issues also in the bug tracker of
> cacti, so that contributors could maybe help?
> 
> I find your report rather vague, for one because it talks about
> an old version of cacti (current version is 0.8.8b). How is e.g.
> CVE-2014-2326 different from (the already fixed) CVE-2013-5588,
> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
> if you found new issues? Maybe just explicitly stating the issues you found?
> 
> Furthermore, with the current description I hardly see a difference
> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
> 
> To me it seems you have a new point with CVE-2014-2327 though.
> 
> Paul Gevers.
> Debian Cacti maintainer.
> 
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
> [2] http://www.securityfocus.com/archive/1/531588
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#742768; Package cacti. (Fri, 04 Apr 2014 07:00:05 GMT)


Acknowledgement sent to developers@cacti.net:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Fri, 04 Apr 2014 07:00:05 GMT)


Message #75 received at 742768@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: developers@cacti.net
Cc: 742768@bugs.debian.org
Subject: Re: Re: Regarding your cacti security report CVE-2014-2326 - 2328
Date: Fri, 04 Apr 2014 08:56:15 +0200
Hi Tony,

Just for your heads up. I was hoping to also see a fix for CVE-2014-2327
already, but I fully understand why that takes longer. Do you have any
idea how long it will take? Days, weeks, months? If the scale is bigger
than some small number of weeks, I will patch cacti in Debian already
with the fixes available.

You do know that Cacti got assigned two other CVE's for a fix you made
recently? CVE-2014-2708 and CVE-2014-2709:
http://seclists.org/oss-sec/2014/q2/15

Paul


On 03/31/14 06:46, Tony Roman wrote:
> Paul,
> 
> I created 3 bugs to fix the issues outlined.  I'm still working on
> CVE-2014-2327 as it will require a little more work to mitigate in the
> Cacti code.  As for your questions about past CVE, the currently
> reported ones are valid from the reported version to the latest.  Once I
> have resolved the issue in CVE-2014-2327, I will post patches all the
> way back to 0.8.7g to 0.8.8b.  A new release is pending release after
> testing is complete.
> 
> If you are logged into the bug system you should be able to read the
> descriptions of the issues that I added as private comments.
> 
> CVE-2014-2326 Unspecified HTML Injection Vulnerability
>   http://bugs.cacti.net/view.php?id=2431
> 
> CVE-2014-2327 Cross Site Request Forgery Vulnerability
>   http://bugs.cacti.net/view.php?id=2432
> 
> CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
>   http://bugs.cacti.net/view.php?id=2433
> 
> Tony Roman
> Cacti Developer
> 


Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#742768; Package cacti. (Sat, 05 Apr 2014 02:09:10 GMT)


Acknowledgement sent to Tony Roman <troman@cacti.net>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Sat, 05 Apr 2014 02:09:10 GMT)


Message #120 received at 742768@bugs.debian.org:

From: Tony Roman <troman@cacti.net>
To: 742768@bugs.debian.org
Cc: developers@cacti.net, Secunia Research <vuln@secunia.com>, cert@telekom.de
Subject: Re: Regarding your cacti security report CVE-2014-2326 - 2328
Date: Fri, 04 Apr 2014 22:05:46 -0400
Paul,

CVE-2014-2708 and CVE-2014-2709 are addressed in
http://bugs.cacti.net/view.php?id=2405

Security patch for the following has been posted on the Cacti site for
versions 0.8.7g to 0.8.8b:

- CVE-2014-2326 Unspecified HTML Injection Vulnerability
- CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
- CVE-2014-2708 Unspecified SQL Injection Vulnerability
- CVE-2014-2709 Unspecified Remote Command Execution Vulnerability

As for CVE-2014-2327 Cross Site Request Forgery Vulnerability, I'm still
working on a solution.  I have some limited time this weekend to work on
this fix.  But I will be on the west coast for business this next week
and will have time at night to work on this fix.  I plan on pushing
0.8.8c release to address this and other minor fixes in Cacti the
weekend of April 12th.

Tony

On 4/4/14, 2:56 AM, Paul Gevers wrote:
> Hi Tony,
> 
> Just for your heads up. I was hoping to also see a fix for CVE-2014-2327
> already, but I fully understand why that takes longer. Do you have any
> idea how long it will take? Days, weeks, months? If the scale is bigger
> than some small number of weeks, I will patch cacti in Debian already
> with the fixes available.
> 
> You do know that Cacti got assigned two other CVE's for a fix you made
> recently? CVE-2014-2708 and CVE-2014-2709:
> http://seclists.org/oss-sec/2014/q2/15
> 
> Paul
> 



Marked as found in versions cacti/0.8.7g-1+squeeze3. Request was from Paul Gevers <elbrus@debian.org> to 743565-submit@bugs.debian.org. (Sat, 05 Apr 2014 07:42:06 GMT)


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Wed, 25 Jun 2014 21:36:10 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 25 Jun 2014 21:36:10 GMT)


Message #127 received at 742768-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 742768-close@bugs.debian.org
Subject: Bug#742768: fixed in cacti 0.8.8b+dfsg-6
Date: Wed, 25 Jun 2014 21:34:24 +0000
Source: cacti
Source-Version: 0.8.8b+dfsg-6

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 25 Jun 2014 22:33:53 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8b+dfsg-6
Distribution: unstable
Urgency: high
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 742768 744067 752573
Changes:
 cacti (0.8.8b+dfsg-6) unstable; urgency=high
 .
   * Add alternative php5-mysql | php5-mysqlnd (Closes: #744067)
   * Security update (Closes: #742768, #752573)
     - CVE-2014-2327 Cross Site Request Forgery Vulnerability
     - CVE-2014-4002 Cross-Site Scripting Vulnerability
Checksums-Sha1:
 cb0087d5f3770dea819440882c268c754ae0f0e3 1655 cacti_0.8.8b+dfsg-6.dsc
 5a34a582d9c8677518a33234a4ad1ac8024ee61a 103284 cacti_0.8.8b+dfsg-6.debian.tar.xz
 7b62b650d11502daed7091fbd7985634bfd59f54 1892594 cacti_0.8.8b+dfsg-6_all.deb
Checksums-Sha256:
 f72c1022c8497784322e9bb3db94bff0f72ddbe2f38acfbc9f894236741a86d4 1655 cacti_0.8.8b+dfsg-6.dsc
 18433ea70e341eff55c005ff1796018f546fa53ed1159e2cd69ec1c9a96168ec 103284 cacti_0.8.8b+dfsg-6.debian.tar.xz
 ab5ab0a70f308814acb5f2fdb3b32e398e47567e005065d9fd3d60748470a7aa 1892594 cacti_0.8.8b+dfsg-6_all.deb
Files:
 0aa31425f144e81ad972e6ec0aff7d9f 1892594 web extra cacti_0.8.8b+dfsg-6_all.deb
 6de034dfcb0d7ecf5e6978bf61d9b45c 1655 web extra cacti_0.8.8b+dfsg-6.dsc
 c06386ec36c90e07234da262dc2136e4 103284 web extra cacti_0.8.8b+dfsg-6.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJTqzRsAAoJEJxcmesFvXUKseAIAKKzrFxl91WYCof/mF8pxeD9
OjOumQOUH/BSNDfsgou3Vk/hVsiMOZroSaEuTYDznfJPa1ajkFENHL5AySAD44xK
sdlHBlpDkp/KexgKBBV+2zxdokjk7BZrfVtJowEkfbVhTOErK+KnUhXmj3sK4tvi
sCQQQS4QNL8iRHVnMKuOQge3YKLiM9uWyA/fjS3LRqNCdNasvknWk2r+9xLBx4uK
wdmeYubm3oCjc+zWmq9RrhYIYTw0RKyXzk3EqPJHcsGeqsnIk6uYtYch014SRune
3XJWYF3Zj6cShJtFkwyEz/GxesSBs7E5ec/BduJKPzJqb8q24MzYsOtD7jH1AR0=
=2G1F
-----END PGP SIGNATURE-----
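
The signed .changes record above carries SHA-1, SHA-256 and MD5 sums plus sizes for the three uploaded artifacts. The following is an added example, not part of this bug report and not Debian's own tooling (Debian ships dscverify/debsign for the real job, and those also check the OpenPGP signature): a small Python verifier for the Checksums-Sha256 paragraph. Everything it runs on is constructed in a temporary directory: two made-up artifact files, and a .changes fragment whose checksum lines are computed from them. The file names reuse those from the record above only as labels; the contents are not the real Debian files. The tampering step rewrites one byte of the .dsc without changing its length, which is exactly the case a size check alone would miss.

```python
"""Check the artifacts named in a Debian .changes file against its
Checksums-Sha256 paragraph.  Added example with constructed data; Debian's
real tooling for this is dscverify/debsign, which also checks the signature."""
import hashlib
import os
import re
import tempfile

# Continuation line of a Checksums-* paragraph: "<hexdigest> <size> <filename>"
_CHECKSUM_RE = re.compile(r"^\s+([0-9a-f]+)\s+(\d+)\s+(\S+)$")


def parse_paragraph(changes_text, field):
    """Return {filename: (hexdigest, size)} for one Checksums-* field.

    Only the indented continuation lines after "<field>:" are read; the
    paragraph ends at the first line that is not indented.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break
            m = _CHECKSUM_RE.match(line)
            if not m:
                raise ValueError("malformed checksum line: %r" % line)
            digest, size, name = m.groups()
            entries[name] = (digest, int(size))
    if not in_field:
        raise ValueError("field %s not present" % field)
    return entries


def verify_files(changes_text, directory, field="Checksums-Sha256", algo="sha256"):
    """Hash every file listed under `field`; return {filename: status}.

    status is "ok", "missing", "size-mismatch" or "hash-mismatch".  The size
    is compared first so a truncated download is reported as such.
    """
    results = {}
    for name, (want_digest, want_size) in parse_paragraph(changes_text, field).items():
        # basename() so a listed name like "../etc/passwd" cannot escape the directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != want_size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == want_digest else "hash-mismatch"
    return results


def build_demo(directory):
    """Write two constructed artifacts and return a matching .changes fragment.

    The file names reuse those from the upload record only as labels; the
    contents are made up and are not the real Debian files.
    """
    files = {
        "cacti_0.8.8b+dfsg-6.dsc": b"Format: 3.0 (quilt)\nSource: cacti\n",
        "cacti_0.8.8b+dfsg-6.debian.tar.xz": b"\xfd7zXZ\x00 constructed, not a real tarball",
    }
    lines = ["Source: cacti", "Checksums-Sha256:"]
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    lines.append("Files:")  # a following field terminates the paragraph
    return "\n".join(lines) + "\n"


def demo():
    """Verify intact files, then a .dsc altered without changing its size."""
    with tempfile.TemporaryDirectory() as d:
        changes = build_demo(d)
        intact = verify_files(changes, d)
        # Same length, different bytes: only the hash comparison catches this.
        with open(os.path.join(d, "cacti_0.8.8b+dfsg-6.dsc"), "r+b") as f:
            f.write(b"f")  # overwrite the leading "F"
        tampered = verify_files(changes, d)
    return intact, tampered


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered"), demo()):
        print(label, result)
```

The checksums only attest to what the signer wrote, so on a real download the OpenPGP signature over the .changes has to be verified against a trusted key before the sums mean anything; the Files: paragraph still carries MD5, which is kept for compatibility and should not be the only digest compared.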




Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Fri, 04 Jul 2014 07:54:24 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 04 Jul 2014 07:54:24 GMT)


Message #132 received at 742768-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 742768-close@bugs.debian.org
Subject: Bug#742768: fixed in cacti 0.8.8a+dfsg-5+deb7u3
Date: Fri, 04 Jul 2014 07:53:04 +0000
Source: cacti
Source-Version: 0.8.8a+dfsg-5+deb7u3

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 26 Jun 2014 21:01:50 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8a+dfsg-5+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description: 
 cacti      - web interface for graphing of monitoring systems
Closes: 742768 743565 752573
Changes: 
 cacti (0.8.8a+dfsg-5+deb7u3) wheezy-security; urgency=high
 .
   * Security upload (Closes: #742768, #743565, #752573)
     - CVE-2014-2326 Cross-site scripting (XSS) vulnerability
     - CVE-2014-2327 Cross Site Request Forgery Vulnerability
     - CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
     - CVE-2014-2708 SQL injection
     - CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
     - CVE-2014-4002 Cross-Site Scripting Vulnerability
Checksums-Sha1: 
 9acdcd6e9e6b16603e2ee400197df3282a1e6b83 1683 cacti_0.8.8a+dfsg-5+deb7u3.dsc
 1d3cc0a0c7ce926893644967ee151c4c4bc65466 121095 cacti_0.8.8a+dfsg-5+deb7u3.debian.tar.gz
 49ce8a79add38a77e69a23f885df62888c8dcb3e 2147332 cacti_0.8.8a+dfsg-5+deb7u3_all.deb
Checksums-Sha256: 
 329bd24accebeab86ac701788a092b090454d80ec69c9c05d8ba0e2a13a7cb93 1683 cacti_0.8.8a+dfsg-5+deb7u3.dsc
 c105e1fd8d185a26308343a0c2575fb350aa7555bf61da488a63ff40a3b183d5 121095 cacti_0.8.8a+dfsg-5+deb7u3.debian.tar.gz
 8c9606571c58b135d3320ebf1222f924badd5172915dd69966c373467ab573e2 2147332 cacti_0.8.8a+dfsg-5+deb7u3_all.deb
Files: 
 724367875a4e43438b532c33cb59d853 1683 web extra cacti_0.8.8a+dfsg-5+deb7u3.dsc
 8237f1100ca61743de8e0e4b2e5f2fab 121095 web extra cacti_0.8.8a+dfsg-5+deb7u3.debian.tar.gz
 80c20926bb4e0502b0aae27d767631e0 2147332 web extra cacti_0.8.8a+dfsg-5+deb7u3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJTrV5RAAoJEJxcmesFvXUKMGgH/jYf08AmZzl0hsK7UIengiAi
iN1twNHRlyPfL1/YkirbQFHpPHeas49VbEN5geqMbSLHRRyfJ/ftz7w33Oxt20ON
GSWHNSAcT9GXjhe8LuAZlxRFnf7No70K0hRJ91yEeHrA/lbtpgInIcwot9yyKZDk
xmxNf+uPk0ultoTC6JxoSVaDwyj/GxCH9Dzy86sq3DSByhEk+4NYAs6WsXfFIMuj
aQqf1rUwIlHWA3+Hfr0qfRozEKKJFcoZaqZkFjbBQ9ueDUV03qmWeog1n7ujkCkf
D7Kerx+u7XPcuOgFKCs1DPHIWkAjHLA+Y03yJTPtE/5p2G6ENI85UCoTlLXu5KU=
=TD4G
-----END PGP SIGNATURE-----




Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sat, 05 Jul 2014 17:21:05 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 05 Jul 2014 17:21:05 GMT)


Message #137 received at 742768-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 742768-close@bugs.debian.org
Subject: Bug#742768: fixed in cacti 0.8.7g-1+squeeze4
Date: Sat, 05 Jul 2014 17:18:27 +0000
Source: cacti
Source-Version: 0.8.7g-1+squeeze4

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 05 Jul 2014 11:27:40 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7g-1+squeeze4
Distribution: squeeze-lts
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description: 
 cacti      - Frontend to rrdtool for monitoring systems and services
Closes: 742768 743565 752573
Changes: 
 cacti (0.8.7g-1+squeeze4) squeeze-lts; urgency=high
 .
   * Security upload (Closes: #742768, #743565, #752573)
     - CVE-2014-2326 Cross-site scripting (XSS) vulnerability
     - CVE-2014-2327 Cross Site Request Forgery Vulnerability
     - CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
     - CVE-2014-2708 SQL injection
     - CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
     - CVE-2014-4002 Cross-Site Scripting Vulnerability
Checksums-Sha1: 
 0b1a8db6de23388eb333e3f31910e72f35ab512b 1443 cacti_0.8.7g-1+squeeze4.dsc
 b88051b333e29b215dacfe07bd1cf684da866c53 59041 cacti_0.8.7g-1+squeeze4.diff.gz
 71c19bf1d1ff3d4cbf5d1ef717dbdeaf314bd89b 2098348 cacti_0.8.7g-1+squeeze4_all.deb
Checksums-Sha256: 
 50961c0bcf6766c9f7493f785f7202fe73bfbfb04b576e5388875f56f846358e 1443 cacti_0.8.7g-1+squeeze4.dsc
 1498c3a5ef269942c908a0d9bb24a10a29ebd126c7226c223f52e2171f7c7fb0 59041 cacti_0.8.7g-1+squeeze4.diff.gz
 73cea4db7448c4ae2d311937c4f76f9fe2452f4933c7df6b1b6088ecb604b66e 2098348 cacti_0.8.7g-1+squeeze4_all.deb
Files: 
 5ef9a7d3c7e9753456a923c040276aa8 1443 web extra cacti_0.8.7g-1+squeeze4.dsc
 ba7a61ce0ae89d4d19525001d0f98b56 59041 web extra cacti_0.8.7g-1+squeeze4.diff.gz
 64be98d1231c4f5ac4a8039a8876cc2a 2098348 web extra cacti_0.8.7g-1+squeeze4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJTuC2fAAoJEJxcmesFvXUKy4YH/1ETU150OPL6OeHY2EqCbz+4
wMk3kK0hNJv3JpmKlZ2dGdFggSigQTY33CtrR177skN3fjYauoIF+8UVL3BsU7Hg
/9+yMeJWQSGWL0k0NfKSOYGelbswY8yY/rTdBw5INXqaGn7xHaTb6iJ+1IIDKuGu
yxXAMtUpoQn4lJjvkBADPzVl8xE/lyLcNrQFn5owprC28MNGgz1IAGVklhVEj3OB
OFWnYRGCNihhDSW8z1JfLnf+FtUZ2utVsGG2b7JJCGuoAAnOkHQOdfmaq6l5Wq+G
VxA2Aa6S0ABnsJv0aNBMXKRcrutOPU7ElCzdOjNOcDYMyondy5GxwpRzM24XZT0=
=gTIS
-----END PGP SIGNATURE-----


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Aug 2014 07:30:03 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:07:40 2019; Machine Name: beach
