Debian Bug report logs - #979998 cacti: CVE-2020-35701
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>: Bug#979998; Package src:cacti. (Tue, 12 Jan 2021 18:09:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 12 Jan 2021 18:09:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: cacti
Version: 1.2.16+ds1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Cacti/cacti/issues/4022
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for cacti.
CVE-2020-35701[0]:
| An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection
| vulnerability in data_debug.php allows remote authenticated attackers
| to execute arbitrary SQL commands via the site_id parameter. This can
| lead to remote code execution.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-35701
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35701
[1] https://github.com/Cacti/cacti/issues/4022
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>: Bug#979998; Package src:cacti. (Sun, 17 Jan 2021 18:51:02 GMT)
Acknowledgement sent to Paul Gevers <elbrus@debian.org>: Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Sun, 17 Jan 2021 18:51:02 GMT)
Message #10 received at 979998@bugs.debian.org:
found 979998 1.2.2+ds1-2+deb10u3
thanks
Hi Salvatore,
On 12-01-2021 19:07, Salvatore Bonaccorso wrote:
[...]
> The following vulnerability was published for cacti.
>
> CVE-2020-35701[0]:
[...]
> Please adjust the affected versions in the BTS as needed.
Buster is affected. Does this warrant a security upload or should I
prepare a point release update?
Paul
Marked as found in versions cacti/1.2.2+ds1-2+deb10u3. Request was from Paul Gevers <elbrus@debian.org> to control@bugs.debian.org. (Sun, 17 Jan 2021 18:51:05 GMT)
Reply sent to Paul Gevers <elbrus@debian.org>: You have taken responsibility. (Sun, 17 Jan 2021 21:21:15 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 17 Jan 2021 21:21:15 GMT)
Message #17 received at 979998-close@bugs.debian.org:
Source: cacti
Source-Version: 1.2.16+ds1-2
Done: Paul Gevers <elbrus@debian.org>
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 979998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 17 Jan 2021 21:26:01 +0100
Source: cacti
Architecture: source
Version: 1.2.16+ds1-2
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Closes: 979998
Changes:
cacti (1.2.16+ds1-2) unstable; urgency=medium
.
  * Add 0001-Fixing-Issue-4022.patch (Closes: #979998)
    - CVE-2020-35701: SQL injection via data_debug.php
  * Add 0001-Fixing-Issue-4019.patch
    There are a few places in the current code where an attacker, once
    having gained access to the Cacti database through a SQL injection,
    could modify data in tables to possibly expose a stored XSS bug in
    Cacti.
Checksums-Sha1:
876a9f1bcc8ddd6f48069b3263bd7de2f33352dd 2237 cacti_1.2.16+ds1-2.dsc
f93bbcca5567c1196578939352dc17f0e63e15fd 56760 cacti_1.2.16+ds1-2.debian.tar.xz
Checksums-Sha256:
f04c0e6982ed1194c865404d92bfa965a4d9370ed2bda977b7d082ac9036171f 2237 cacti_1.2.16+ds1-2.dsc
4a63d4c0fd6e48571fc4b93659f61210c73959ad6fd1767fec39dc611d738782 56760 cacti_1.2.16+ds1-2.debian.tar.xz
Files:
17457cbcc9f09003cd89ab571c30b704 2237 web optional cacti_1.2.16+ds1-2.dsc
829232c329cdadd3606f9efcad2cbd4c 56760 web optional cacti_1.2.16+ds1-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Reply sent to Paul Gevers <elbrus@debian.org>: You have taken responsibility. (Sat, 23 Jan 2021 15:51:17 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 23 Jan 2021 15:51:17 GMT)
Message #22 received at 979998-close@bugs.debian.org:
Source: cacti
Source-Version: 1.2.2+ds1-2+deb10u4
Done: Paul Gevers <elbrus@debian.org>
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 979998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 21 Jan 2021 20:16:38 +0100
Source: cacti
Architecture: source
Version: 1.2.2+ds1-2+deb10u4
Distribution: buster
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Closes: 979998
Changes:
cacti (1.2.2+ds1-2+deb10u4) buster; urgency=medium
.
  * Add 0001-Fixing-Issue-4022.patch (Closes: #979998)
    - CVE-2020-35701: SQL injection via data_debug.php
  * Add 0001-Fixing-Issue-4019.patch
    There are a few places in the current code where an attacker, once
    having gained access to the Cacti database through a SQL injection,
    could modify data in tables to possibly expose a stored XSS bug in
    Cacti.
Checksums-Sha1:
f0651b1be15691e353695d67f8cfd818e22ab6be 2261 cacti_1.2.2+ds1-2+deb10u4.dsc
dc06d18fa7c8dd6b75e77fe3f7ccbb88fb856fce 67920 cacti_1.2.2+ds1-2+deb10u4.debian.tar.xz
Checksums-Sha256:
085ae645548b8a1cd6187dc725b7b0724e94b72fe5efb5de98726dfbf19a900f 2261 cacti_1.2.2+ds1-2+deb10u4.dsc
36885c441acd4517f6ba52fb24e36803f89587ba7d26f01cc974691434d18d2a 67920 cacti_1.2.2+ds1-2+deb10u4.debian.tar.xz
Files:
7e074c0bb8a23e0b2ad01311043933b5 2261 web optional cacti_1.2.2+ds1-2+deb10u4.dsc
b3304f7f4acf7cb61f062dd9317d0909 67920 web optional cacti_1.2.2+ds1-2+deb10u4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
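A defender's check added here (it is not part of the bug log and not Debian's own tooling): a small reimplementation of Debian's version ordering, following the rules deb-version(7) describes, so an inventory script can tell whether an installed cacti package is at or past the uploads that closed this bug. The FIXED_CACTI table holds the two fixing versions recorded in the log above; the function names are this example's own.

```python
import re

# Versions that closed #979998 in this bug log, per Debian suite (from the page).
FIXED_CACTI = {"buster": "1.2.2+ds1-2+deb10u4", "unstable": "1.2.16+ds1-2"}


def _weight(c):
    # dpkg character order: '~' < end of string < letters < everything else.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256


def _cmp_alpha(a, b):
    # Compare two non-digit runs character by character, padding the shorter with "".
    for i in range(max(len(a), len(b))):
        wa = _weight(a[i] if i < len(a) else "")
        wb = _weight(b[i] if i < len(b) else "")
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_part(a, b):
    # Alternate non-digit runs (lexical) and digit runs (numeric) until both are consumed.
    while a or b:
        ra, rb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        r = _cmp_alpha(ra, rb)
        if r:
            return r
        a, b = a[len(ra):], b[len(rb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(v):
    # [epoch:]upstream[-revision]; the revision is what follows the LAST hyphen.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev


def compare_versions(a, b):
    """Order two Debian version strings: -1 if a < b, 0 if equal, 1 if a > b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_fixed(suite, installed):
    """True when the installed cacti version in `suite` is at or above the fixing upload."""
    return compare_versions(installed, FIXED_CACTI[suite]) >= 0
```

Note that buster's fixing version 1.2.2+ds1-2+deb10u4 sorts below the still-vulnerable unstable version 1.2.16+ds1-1, so the comparison has to be made against the fixing version of the suite actually in use, never against one global number.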
Last modified: Mon Jan 25 09:34:20 2021