cacti: CVE-2016-3172

Related Vulnerabilities: CVE-2016-3172   CVE-2016-2313   CVE-2016-3659  

Debian Bug report logs - #818647


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 19 Mar 2016 06:21:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions cacti/0.8.8a+dfsg-5, cacti/0.8.8g+ds1-1

Fixed in versions cacti/0.8.8g+ds1-2, cacti/0.8.8b+dfsg-8+deb8u5

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.cacti.net/view.php?id=2667



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#818647; Package src:cacti. (Sat, 19 Mar 2016 06:21:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Sat, 19 Mar 2016 06:21:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2016-3172
Date: Sat, 19 Mar 2016 07:18:10 +0100
Source: cacti
Version: 0.8.8g+ds1-1
Severity: important
Tags: security upstream patch
Forwarded: http://bugs.cacti.net/view.php?id=2667

Hi,

filing this as well in the BTS to have the cross reference.

CVE-2016-3172[0]:
SQL Injection Vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3172
[1] http://bugs.cacti.net/view.php?id=2667

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions cacti/0.8.8a+dfsg-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 19 Mar 2016 06:30:03 GMT)


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sun, 17 Apr 2016 18:36:20 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 17 Apr 2016 18:36:20 GMT)


Message #12 received at 818647-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 818647-close@bugs.debian.org
Subject: Bug#818647: fixed in cacti 0.8.8g+ds1-2
Date: Sun, 17 Apr 2016 18:34:27 +0000
Source: cacti
Source-Version: 0.8.8g+ds1-2

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 818647@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 17 Apr 2016 19:55:43 +0200
Source: cacti
Binary: cacti
Architecture: source
Version: 0.8.8g+ds1-2
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 783446 783447 815987 816962 818647
Changes:
 cacti (0.8.8g+ds1-2) unstable; urgency=medium
 .
   [ Paul Gevers ]
   * Next upstream version, strip include/js/jquery.js from source
   * Make sure the web-interface doesn't ask unnecessary questions after
     install (Closes: #783447)
   * Use the MySQL connection password as initial password for the admin
     user (Closes: #783446) and mention this in the NEWS.Debian file
   * Improve fix for CVE-2016-2313 such that it doesn't cause a regression
     for setups that rely on http authentication of users unknown to cacti.
     - Add improve_fix_for_CVE-2016-2313.patch
   * Full update of README.Debian
   * CVE-2016-3172
     - Add CVE-2016-3172_sql-injection-in-tree.php.patch (Closes: #818647)
   * Update Brazilian Portuguese, thanks to Diego Neves (Closes: #816962)
   * Drop old code in postinst to (re)move old configuration files; this is
     already fixed in jessie
   * Bump version for libphp-adodb as mysqli doesn't work otherwise
   * Add new php-xml & php-mbstring to Depends for php7.0
   * Add add_rrdtool-1.5_to_utilities.php.patch to prevent error in
     utilities.php with rrdtool version 1.5
   * Remove Mahyuddin from uploaders (thanks for the fish)
 .
   [ Nishanth Aravamudan ]
   * Update to PHP7.0 dependencies (LP: #1544352)
   * Default to mysqli driver for database connection, as the mysql driver
     has been removed in PHP7.0 (LP: #1544352) (Closes: #815987)
Checksums-Sha1:
 6886b225b9df2e688c0b177d0a89c5baf3c7ae73 1571 cacti_0.8.8g+ds1-2.dsc
 8c1b1c46caa858521cca1e9f676aad7b5ef500cb 47472 cacti_0.8.8g+ds1-2.debian.tar.xz
Checksums-Sha256:
 ea004d0269efdf957984ae13c1bf4040dd6e0416f4b66629fdbf261deddf3c39 1571 cacti_0.8.8g+ds1-2.dsc
 20cd1269b804126cb83f3be15d77e4baea8e29df0751f0addb01ef5c6a2e9f0a 47472 cacti_0.8.8g+ds1-2.debian.tar.xz
Files:
 9b7bbe22e077f97f3ba6091f551aa2ab 1571 web extra cacti_0.8.8g+ds1-2.dsc
 5e8b3d0cbd7a75a39fad62514fdb8824 47472 web extra cacti_0.8.8g+ds1-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJXE9JVAAoJEJxcmesFvXUKhYcH/2LfnBlPFP08/mqHCO0Y6j9q
XBlsDaiTolT7WuxW2xXyimKZU0GOcoHoAcNeQvHVz2QQRe/gqN3+EgGr3fJPs+Gy
mQ9eh6t4maWnnWnM2EoPWq0TRkQSYxmI0oqF0tQ0wlJCu6sAY8hPOQfRM+FkWrhd
ujhLGjMrhcSAbqVthVrR9AMZ+u/cn5h8X0ag4o7WM/9Kw/B8mfFUdFdNn+6vAIgV
8f4S+L5Y3vR9Q/tJc8TPz7ef7Eby2189eVGH5/mRXWJxPqHLeK+i2zx24Y9m3BnQ
v5aoKR4np3bMP1uz+W04vvqIkPE9xmX+8WCw0ouZOOzNfx2kXO+qprkHDQoqN3w=
=NqBV
-----END PGP SIGNATURE-----




Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sat, 16 Jul 2016 22:06:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 Jul 2016 22:06:15 GMT)


Message #17 received at 818647-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 818647-close@bugs.debian.org
Subject: Bug#818647: fixed in cacti 0.8.8b+dfsg-8+deb8u5
Date: Sat, 16 Jul 2016 22:02:41 +0000
Source: cacti
Source-Version: 0.8.8b+dfsg-8+deb8u5

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 818647@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 09 Jul 2016 20:05:41 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8b+dfsg-8+deb8u5
Distribution: jessie-proposed-updates
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 814353 818647 820521
Changes:
 cacti (0.8.8b+dfsg-8+deb8u5) jessie-proposed-updates; urgency=medium
 .
   [ Emilio Pozuelo Monfort ]
   * debian/patches/CVE-2016-3172-sql-injection.patch:
     + CVE-2016-3172: Fix sql injection in tree.php (Closes: #818647)
   * debian/patches/CVE-2016-3659-sql-injection.patch:
     + CVE-2016-3659: Fix sql injection in graph_view.php (Closes: #820521)
   * debian/patches/CVE-2016-2313-authentication-bypass.patch:
     + CVE-2016-2313: Fix authentication bypass (Closes: #814353)
Checksums-Sha1:
 985cce7d8476be171f43f007e38b2d99fbf35336 1666 cacti_0.8.8b+dfsg-8+deb8u5.dsc
 7f8f9d7376431890775fb028d05cbe501897b700 116024 cacti_0.8.8b+dfsg-8+deb8u5.debian.tar.xz
 1fc6c14eb4b6700f243a3ce668d04c13d69816e6 1894154 cacti_0.8.8b+dfsg-8+deb8u5_all.deb
Checksums-Sha256:
 be49709c9c464f9042a4d32cb2a4307852d67ab93147f8c8c08ef9ac3bce6d35 1666 cacti_0.8.8b+dfsg-8+deb8u5.dsc
 888a0f8526de8f85f9b515017399fa12971362a58e5d5e0fd51725b69c3d1954 116024 cacti_0.8.8b+dfsg-8+deb8u5.debian.tar.xz
 04903ef10a9b6c5ad3bbf5424ee6a9d522705f93315da521a4263cea3d8e6fb3 1894154 cacti_0.8.8b+dfsg-8+deb8u5_all.deb
Files:
 1afd440ede4ccd9405b25bcdcbd521c3 1666 web extra cacti_0.8.8b+dfsg-8+deb8u5.dsc
 b32c421a920578ec4ca6f27e99950b9b 116024 web extra cacti_0.8.8b+dfsg-8+deb8u5.debian.tar.xz
 8a35d0e97846b58b0398f8abf5ce8794 1894154 web extra cacti_0.8.8b+dfsg-8+deb8u5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJXiNOqAAoJEJxcmesFvXUKudIH/19i/+6yquq2E5FIKqQ+v3TM
EkvGkO50rbdYQYoKN5cEEQjV8u2U2/j5I7X5VGBYo4OOC04jQxpS+I5OBvqFmjTU
VY8DEnZ0o1bBXWq1clDIhaEzmIGUs3z5g9XaREwOaNgxI5H5saXXaBdfohQ2e5jU
tgymwLi0irLODMx8qvwuOLRuyja3h44Y+foKulSw5xrN+2s0XrLakggTM9KLqme8
ivwGENER9sSDLIe+Hx/Or+0MqmpFNYipXb6FxdT/znoCfVALApAvvTYcvxE2w6oe
GISnjShk59WH4UFh+THi8dGay1Oujdl1+sSd6nqLBxPqvNYTFAk8QJb7cMOlMLI=
=R6gn
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 14 Aug 2016 07:43:23 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:37:22 2019; Machine Name: buxtehude
