cacti: CVE-2017-15194

Debian Bug report logs - #878304
cacti: CVE-2017-15194

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 12 Oct 2017 14:27:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version cacti/1.1.21+ds1-1

Fixed in version cacti/1.1.25+ds1-1

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/Cacti/cacti/issues/1010


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#878304; Package src:cacti. (Thu, 12 Oct 2017 14:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 12 Oct 2017 14:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2017-15194
Date: Thu, 12 Oct 2017 16:22:20 +0200
Source: cacti
Version: 1.1.21+ds1-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/Cacti/cacti/issues/1010

Hi,

the following vulnerability was published for cacti, just filing for
Debian BTS documentation purposes.

CVE-2017-15194[0]:
| include/global_session.php in Cacti 1.1.25 has XSS related to (1) the
| URI or (2) the refresh page.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15194
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15194
[1] https://github.com/Cacti/cacti/issues/1010
[2] https://github.com/Cacti/cacti/commit/93f661d8adcfa6618b11522cdab30e97bada33fd

Regards,
Salvatore



Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Fri, 13 Oct 2017 19:57:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 13 Oct 2017 19:57:04 GMT)


Message #10 received at 878304-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 878304-close@bugs.debian.org
Subject: Bug#878304: fixed in cacti 1.1.25+ds1-1
Date: Fri, 13 Oct 2017 19:54:01 +0000
Source: cacti
Source-Version: 1.1.25+ds1-1

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878304@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 13 Oct 2017 21:09:04 +0200
Source: cacti
Binary: cacti
Architecture: source
Version: 1.1.25+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 878304
Changes:
 cacti (1.1.25+ds1-1) unstable; urgency=medium
 .
   * New upstream version 1.1.25
   * Improve the override_dh_fixperms target as some files were
     unintentionally missed and thus make cacti reproducible again
   * CVE-2017-15194: XSS in global_session.php
     - Add CVE-2017-15194.patch (Closes: #878304)
     - Add check to autopkgtest
Checksums-Sha1:
 067170de466a14cefc7d3b1c1ce443593b5c000e 2131 cacti_1.1.25+ds1-1.dsc
 0ee9c46aacb14248d3e8a3e9b2dff9a246e868b3 66892 cacti_1.1.25+ds1.orig-docs-source.tar.xz
 cf48f7285679d38565f1886ea502281acc40377b 3816491 cacti_1.1.25+ds1.orig.tar.gz
 9c517bd44c7c9e18ca602622239b9daf6e572242 50792 cacti_1.1.25+ds1-1.debian.tar.xz
Checksums-Sha256:
 1a9ceba1fc3534329d69ff33d15be086e9689f325bcb35c96ea1725b04b7d2ef 2131 cacti_1.1.25+ds1-1.dsc
 30931fb415c746524db2d752f8be47f568f7f4dc3ba0cc0a3f184c3951b337e9 66892 cacti_1.1.25+ds1.orig-docs-source.tar.xz
 83eb190928393883cf8c5c0ac75b84bc3e95ee57375d8f28076638c76e7f026f 3816491 cacti_1.1.25+ds1.orig.tar.gz
 bdfd02d069a023f1f0eab6e02fe234d5d7d22bad57c40a15639a6b6e0b9ebec9 50792 cacti_1.1.25+ds1-1.debian.tar.xz
Files:
 a33ac31674bc5e4c077e2f74eeadad97 2131 web extra cacti_1.1.25+ds1-1.dsc
 091493e53be845d24ac5bd061acf796f 66892 web extra cacti_1.1.25+ds1.orig-docs-source.tar.xz
 d5f8ed5cb181a6c77fc0d20e8d41a048 3816491 web extra cacti_1.1.25+ds1.orig.tar.gz
 63f58ffa89f47c7ca4a4115cb2458a4b 50792 web extra cacti_1.1.25+ds1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAlnhE84ACgkQnFyZ6wW9
dQqqKAf/SjsxsnB6tyQG1Jt0b7xy/dOuBv+++iLjohMeVuKZxU014qahq0/pRlPF
RHK3QrKZMHQ8jGUxRSwCBaO9NmtCNi9X31bfqJs1tENnZt9B7m9UKHF3c1IKwk3q
jutUckTiDnppnYQcFQFPjIc/9Ehtlv26AvfBp82yPr6M2SXkoabe92k23Ji5Puzc
IA6k5kyQ7okjaAskAIxbwlNG+EQICRavDRqeFHyZCee9ac3BQaELEJuR+h5Ez86H
sT1miV8wkwtcLAhyuUoumfJ31DtYN/rQD6YvqDQbSknb5voCyXZIROPwPu15R1Gp
+wyDIidUOadhlP02WHpxo0sSu/BqrQ==
=2NUb
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 Nov 2017 07:24:58 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:16:10 2019; Machine Name: buxtehude