cacti: CVE-2020-35701

Debian Bug report logs - #979998
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 12 Jan 2021 18:09:01 UTC

Severity: important

Tags: security, upstream

Found in versions cacti/1.2.16+ds1-1, cacti/1.2.2+ds1-2+deb10u3

Fixed in versions cacti/1.2.16+ds1-2, cacti/1.2.2+ds1-2+deb10u4

Done: Paul Gevers <elbrus@debian.org>

Forwarded to https://github.com/Cacti/cacti/issues/4022



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#979998; Package src:cacti. (Tue, 12 Jan 2021 18:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 12 Jan 2021 18:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2020-35701
Date: Tue, 12 Jan 2021 19:07:46 +0100
Source: cacti
Version: 1.2.16+ds1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Cacti/cacti/issues/4022
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for cacti.

CVE-2020-35701[0]:
| An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection
| vulnerability in data_debug.php allows remote authenticated attackers
| to execute arbitrary SQL commands via the site_id parameter. This can
| lead to remote code execution.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35701
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35701
[1] https://github.com/Cacti/cacti/issues/4022

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
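The CVE text above names the bug class (an authenticated request parameter, site_id, reaching a SQL statement unchanged) but not what a fix looks like. What follows is an added, constructed Python/sqlite3 illustration; it is not Cacti's data_debug.php, not the patch Debian ships, and the table, query and log lines are all assumptions. It puts a hypothetical vulnerable lookup beside a hardened one that validates and binds the parameter, and adds a small access-log check a defender can run to spot non-integer site_id values sent to data_debug.php.

```python
"""Constructed example: the SQL-injection bug class of CVE-2020-35701 and its fix.

Nothing here is Cacti code. The `sites` table, the query and the log
lines are made up for the demonstration.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Strict ASCII-digit check. str.isdigit() also accepts characters such as
# superscript digits that int() rejects, so a regex is the safer validator.
INTEGER_PARAM = re.compile(r"[0-9]+")


def make_db() -> sqlite3.Connection:
    """Build an in-memory table standing in for a sites table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO sites VALUES (?, ?)",
        [(1, "Headquarters"), (2, "Branch A"), (3, "Branch B")],
    )
    return conn


def lookup_site_vulnerable(conn: sqlite3.Connection, site_id: str) -> list:
    """Hypothetical vulnerable pattern: the raw request value is concatenated
    into the statement, so anything but a bare integer changes the query."""
    sql = "SELECT id, name FROM sites WHERE id = " + site_id
    return conn.execute(sql).fetchall()


def lookup_site_hardened(conn: sqlite3.Connection, site_id: str) -> list:
    """Hardened form: reject anything that is not an integer, then bind the
    value so the driver treats it as data rather than SQL text."""
    if not INTEGER_PARAM.fullmatch(site_id):
        raise ValueError("site_id must be a non-negative integer")
    return conn.execute(
        "SELECT id, name FROM sites WHERE id = ?", (int(site_id),)
    ).fetchall()


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2021:18:09:01 +0000] "GET /cacti/data_debug.php?site_id=2 HTTP/1.1" 200 4310',
    '10.0.0.7 - - [12/Jan/2021:18:10:44 +0000] "GET /cacti/data_debug.php?site_id=2%20OR%201%3D1 HTTP/1.1" 200 9870',
    '10.0.0.9 - - [12/Jan/2021:18:11:02 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 1200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_site_id_requests(log_lines: list) -> list:
    """Return (url, decoded site_id) pairs for requests to data_debug.php whose
    site_id is not a plain integer. Useful for reviewing logs from before the
    fixed package was installed."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        parts = urlsplit(url)
        if not parts.path.endswith("/data_debug.php"):
            continue
        # parse_qs percent-decodes the value, so "2%20OR%201%3D1" becomes "2 OR 1=1".
        for value in parse_qs(parts.query, keep_blank_values=True).get("site_id", []):
            if not INTEGER_PARAM.fullmatch(value):
                hits.append((url, value))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_site_vulnerable(db, "2"))
    print("vulnerable, tautology    :", lookup_site_vulnerable(db, "2 OR 1=1"))
    print("hardened, normal input   :", lookup_site_hardened(db, "2"))
    try:
        lookup_site_hardened(db, "2 OR 1=1")
    except ValueError as exc:
        print("hardened, tautology      : rejected ->", exc)
    print("log review               :", suspicious_site_id_requests(SAMPLE_LOG))
```

The two lookups differ only in where the parameter boundary is enforced: the vulnerable one lets the caller's string become part of the statement, the hardened one checks the type first and then hands the value to the driver as a bound parameter. The log check applies the same integer rule to recorded requests, which is the simplest way to tell whether the parameter was ever used with something other than a site number.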



Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#979998; Package src:cacti. (Sun, 17 Jan 2021 18:51:02 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Sun, 17 Jan 2021 18:51:02 GMT)


Message #10 received at 979998@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: Debian bugs control server <control@bugs.debian.org>, Salvatore Bonaccorso <carnil@debian.org>, 979998@bugs.debian.org
Subject: Re: Bug#979998: cacti: CVE-2020-35701
Date: Sun, 17 Jan 2021 19:46:43 +0100
found 979998 1.2.2+ds1-2+deb10u3
thanks

Hi Salvatore,

On 12-01-2021 19:07, Salvatore Bonaccorso wrote:

[...]

> The following vulnerability was published for cacti.
> 
> CVE-2020-35701[0]:

[...]

> Please adjust the affected versions in the BTS as needed.

Buster is affected. Does this warrant a security upload or should I
prepare a point release update?

Paul


Marked as found in versions cacti/1.2.2+ds1-2+deb10u3. Request was from Paul Gevers <elbrus@debian.org> to control@bugs.debian.org. (Sun, 17 Jan 2021 18:51:05 GMT)


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sun, 17 Jan 2021 21:21:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 17 Jan 2021 21:21:15 GMT)


Message #17 received at 979998-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 979998-close@bugs.debian.org
Subject: Bug#979998: fixed in cacti 1.2.16+ds1-2
Date: Sun, 17 Jan 2021 21:18:58 +0000
Source: cacti
Source-Version: 1.2.16+ds1-2
Done: Paul Gevers <elbrus@debian.org>

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 979998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 17 Jan 2021 21:26:01 +0100
Source: cacti
Architecture: source
Version: 1.2.16+ds1-2
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Closes: 979998
Changes:
 cacti (1.2.16+ds1-2) unstable; urgency=medium
 .
   * Add 0001-Fixing-Issue-4022.patch (Closes: #979998)
     - CVE-2020-35701: SQL injection via data_debug.php
   * Add 0001-Fixing-Issue-4019.patch
     There are a few places in the current code where an attacker, once
     having gained access to the Cacti database through a SQL injection,
     could modify data in tables to possibly expose a stored XSS bug in
     Cacti.
Checksums-Sha1:
 876a9f1bcc8ddd6f48069b3263bd7de2f33352dd 2237 cacti_1.2.16+ds1-2.dsc
 f93bbcca5567c1196578939352dc17f0e63e15fd 56760 cacti_1.2.16+ds1-2.debian.tar.xz
Checksums-Sha256:
 f04c0e6982ed1194c865404d92bfa965a4d9370ed2bda977b7d082ac9036171f 2237 cacti_1.2.16+ds1-2.dsc
 4a63d4c0fd6e48571fc4b93659f61210c73959ad6fd1767fec39dc611d738782 56760 cacti_1.2.16+ds1-2.debian.tar.xz
Files:
 17457cbcc9f09003cd89ab571c30b704 2237 web optional cacti_1.2.16+ds1-2.dsc
 829232c329cdadd3606f9efcad2cbd4c 56760 web optional cacti_1.2.16+ds1-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmAEp2EACgkQnFyZ6wW9
dQq9Uwf9H3QLwN5rWz6dw7bF9EvApXgfxNEzD9UTs/t80Xux+/qYkJxto/EuDZzO
Jp0SIa9RrMWwIrqwh04KenOWau3rm3WAxlfZ7QkzNoidjVer0ChK+Y6alPYg1h4z
L1W38DytF5uS9HFg27VdlGuyGQXZYjdzJGU1LhKySzqChzzqWla6UuybKsnrw+6S
c90x2Bn8xY/i7L6hv+5y0Os3GkHIwiFSPPnBt+Ddd+6jpW1wzbXmRK+TSx5CSdrH
hLa666SjmEkB8CoeFJrNwsQRpLthV8r+2BAf51QU0g3NGva/r7u4BnnSFKlwqAyP
OiN4FAsyzqGIj2/qGG7BH7YVUaL3Ag==
=63eg
-----END PGP SIGNATURE-----
Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sat, 23 Jan 2021 15:51:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 23 Jan 2021 15:51:17 GMT)


Message #22 received at 979998-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 979998-close@bugs.debian.org
Subject: Bug#979998: fixed in cacti 1.2.2+ds1-2+deb10u4
Date: Sat, 23 Jan 2021 15:47:07 +0000
Source: cacti
Source-Version: 1.2.2+ds1-2+deb10u4
Done: Paul Gevers <elbrus@debian.org>

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 979998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 21 Jan 2021 20:16:38 +0100
Source: cacti
Architecture: source
Version: 1.2.2+ds1-2+deb10u4
Distribution: buster
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Closes: 979998
Changes:
 cacti (1.2.2+ds1-2+deb10u4) buster; urgency=medium
 .
   * Add 0001-Fixing-Issue-4022.patch (Closes: #979998)
     - CVE-2020-35701: SQL injection via data_debug.php
   * Add 0001-Fixing-Issue-4019.patch
     There are a few places in the current code where an attacker, once
     having gained access to the Cacti database through a SQL injection,
     could modify data in tables to possibly expose a stored XSS bug in
     Cacti.
Checksums-Sha1:
 f0651b1be15691e353695d67f8cfd818e22ab6be 2261 cacti_1.2.2+ds1-2+deb10u4.dsc
 dc06d18fa7c8dd6b75e77fe3f7ccbb88fb856fce 67920 cacti_1.2.2+ds1-2+deb10u4.debian.tar.xz
Checksums-Sha256:
 085ae645548b8a1cd6187dc725b7b0724e94b72fe5efb5de98726dfbf19a900f 2261 cacti_1.2.2+ds1-2+deb10u4.dsc
 36885c441acd4517f6ba52fb24e36803f89587ba7d26f01cc974691434d18d2a 67920 cacti_1.2.2+ds1-2+deb10u4.debian.tar.xz
Files:
 7e074c0bb8a23e0b2ad01311043933b5 2261 web optional cacti_1.2.2+ds1-2+deb10u4.dsc
 b3304f7f4acf7cb61f062dd9317d0909 67920 web optional cacti_1.2.2+ds1-2+deb10u4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmAJ1kMACgkQnFyZ6wW9
dQq58AgAhc5k1IOez+Amtm4lv9LD+sDIWuW1bRpSMYpyHSrU35IVmyATFN4o//Ze
xIZNsSnVHBq0H/IuM+24LUOUSZhrftV61qgvEv+h6CggKdXSdSMO08/C3FETk2PD
vBAMlQqerpJW5CXXBMWs/09Dz0VQ0tV3XZgYIaMC1ucjm6GVEh8+v2OgBTdS49gh
PINXIS5Pg8XzByIoP0g9f9qfvHqLn4EmmvadwiTU3V5S0aT405nchp2DEZ5JCxIm
PIQCZ7SXEmzrzYyT+VVVZqLcvJQQBGLGUX+aPvo3PMCC4x4Ep5kwinfjxHkIYNHL
NWDzBr1kBj7043hRFeEfN8030pSdSw==
=4LEq
-----END PGP SIGNATURE-----
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jan 25 09:34:20 2021; Machine Name: buxtehude