cacti: CVE-2017-12065

Related Vulnerabilities: CVE-2017-12065 CVE-2017-12066

Debian Bug report logs - #870353
cacti: CVE-2017-12065


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 1 Aug 2017 11:33:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version cacti/1.1.15+ds1-1

Fixed in version cacti/1.1.16+ds1-1

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/Cacti/cacti/issues/877




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#870353; Package src:cacti. (Tue, 01 Aug 2017 11:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 01 Aug 2017 11:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2017-12065
Date: Tue, 01 Aug 2017 13:31:18 +0200
Source: cacti
Version: 1.1.15+ds1-1
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/Cacti/cacti/issues/877

Hi,

the following vulnerability was published for cacti.

CVE-2017-12065[0]:
| spikekill.php in Cacti before 1.1.16 might allow remote attackers to
| execute arbitrary code via the avgnan, outlier-start, or outlier-end
| parameter.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12065
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065
[1] https://github.com/Cacti/cacti/issues/877

Regards,
Salvatore

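The report gives only the version boundary (found in cacti/1.1.15+ds1-1, fixed in cacti/1.1.16+ds1-1), so the practical question for an operator is whether an installed cacti package sorts below the fixing upload under dpkg's ordering rules, which is not plain string comparison: numeric runs compare as integers (1.1.9 is below 1.1.16), an epoch dominates everything, and a tilde sorts before the empty string. The following Python is an added example, not part of this bug report and not Cacti's or Debian's own tooling; it reimplements dpkg's version ordering so the check can run on inventories collected off a Debian host, and applies it to the two versions the report names plus a few constructed ones.

```python
"""Decide whether an installed Debian cacti version predates the upload that
fixed CVE-2017-12065 (cacti/1.1.16+ds1-1, Debian bug #870353).

dpkg's ordering is reimplemented here (epoch:upstream-revision, digit runs
compared numerically, '~' sorting before end-of-string) so the check does not
need dpkg on the machine doing the comparison. The two version strings below
come from the bug report; every other input in this file is constructed."""
from __future__ import annotations

FIXED_VERSION = "1.1.16+ds1-1"   # "Fixed in version" from bug #870353
FOUND_VERSION = "1.1.15+ds1-1"   # "Found in version" from bug #870353


def _order(c: str) -> int:
    """Sort weight of one non-digit character, as in dpkg's verrevcmp():
    '~' < end-of-string < letters < other punctuation ('+', '.', ...)."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or debian-revision strings dpkg-style:
    alternate between non-digit runs (compared character by character via
    _order) and digit runs (compared numerically, leading zeros ignored)."""
    def at(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while at(a, i) or at(b, j):
        first_diff = 0
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():
            return 1          # a's digit run is longer, so numerically larger
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> tuple[int, str, str]:
    """Split 'epoch:upstream-revision' as dpkg does: epoch defaults to 0, the
    revision is everything after the *last* hyphen (upstream may contain
    hyphens), and a missing revision compares as the empty string."""
    epoch = 0
    rest = version.strip()
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = rest.rpartition("-")
    if not upstream:          # no hyphen at all: rpartition left it all in 'revision'
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def is_affected(installed_version: str, fixed_version: str = FIXED_VERSION) -> bool:
    """True when the installed cacti package predates the fixing upload."""
    return compare_versions(installed_version, fixed_version) < 0


if __name__ == "__main__":
    # The report's two versions plus constructed ones: 1.1.9 sorts below
    # 1.1.16 (numeric order), and an epoch (1:...) outranks any upstream.
    for v in (FOUND_VERSION, FIXED_VERSION, "1.1.9+ds1-1", "1.1.17+ds1-1", "1:0.1-1"):
        print(f"cacti {v:<14} affected={is_affected(v)}")
```

On a Debian host the same check is one command: `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' cacti)" lt 1.1.16+ds1-1` (exit status 0 means the installed package is older than the fix). Note that this bug tracks the unstable upload; whether other suites carry a fixed or unaffected version is recorded in the security-tracker entry linked from the report, not here.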


Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Thu, 03 Aug 2017 15:06:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 03 Aug 2017 15:06:06 GMT)


Message #10 received at 870353-close@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 870353-close@bugs.debian.org
Subject: Bug#870353: fixed in cacti 1.1.16+ds1-1
Date: Thu, 03 Aug 2017 15:04:25 +0000
Source: cacti
Source-Version: 1.1.16+ds1-1

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870353@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 03 Aug 2017 09:38:54 -0400
Source: cacti
Binary: cacti
Architecture: source
Version: 1.1.16+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 870353 870354
Changes:
 cacti (1.1.16+ds1-1) unstable; urgency=medium
 .
   * New upstream release
     - Fixes CVE-2017-12065 spikekill.php might allow remote attackers to
       execute arbitrary code via the avgnan, outlier-start, or outlier-end
       parameter (Closes: #870353)
     - Fixes CVE-2017-12066 Cross-site scripting (XSS) vulnerability in
       aggregate_graphs.php (Closes: #870354)
Checksums-Sha1:
 62c817247fe9baeea7cc96912ab22e0b3fd41bc9 2131 cacti_1.1.16+ds1-1.dsc
 0ee9c46aacb14248d3e8a3e9b2dff9a246e868b3 66892 cacti_1.1.16+ds1.orig-docs-source.tar.xz
 3cf5f6db0872c5376ae5195a2dab26252d3847d0 3792319 cacti_1.1.16+ds1.orig.tar.gz
 430a8dcded52e82c2aa7e60cc2ea57321d1ebf1e 50024 cacti_1.1.16+ds1-1.debian.tar.xz
Checksums-Sha256:
 a3ee5d9e4832d8904bdf920e68cb6c5949a313cbbc2738df79a103c4b731182d 2131 cacti_1.1.16+ds1-1.dsc
 30931fb415c746524db2d752f8be47f568f7f4dc3ba0cc0a3f184c3951b337e9 66892 cacti_1.1.16+ds1.orig-docs-source.tar.xz
 912f5caaed9c8d879c7887fa6fd138db521bb98c9376ac299a8369f26a07e35e 3792319 cacti_1.1.16+ds1.orig.tar.gz
 6dda77be2427c897970070170fec63d8e0b62ec07c39b9668fa41c18ffeb1a84 50024 cacti_1.1.16+ds1-1.debian.tar.xz
Files:
 cfd2c14153a3e795748ae61f1a1b8a98 2131 web extra cacti_1.1.16+ds1-1.dsc
 091493e53be845d24ac5bd061acf796f 66892 web extra cacti_1.1.16+ds1.orig-docs-source.tar.xz
 a56dc0aa22340fae507a50f3be0f571e 3792319 web extra cacti_1.1.16+ds1.orig.tar.gz
 37abc3bd56bf7fcde9484b66305a6144 50024 web extra cacti_1.1.16+ds1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAlmDKM4ACgkQnFyZ6wW9
dQrrHAf+P0610YwLeIbGVYcGyWOPZ64UwuNqCijuxWTff/lkGfCtS5YrjcLa8x/w
fxZ3KKqciXNvhr8FvBPjAR4pxBFMjbvT17AVRDnZddEq8MG6j/kDktoZ3st2l326
2SHgmXJMTEWmuzl+M/QES9OBb15h57EKHtlEB7Z4A1HTqJgU9DkevCIJ9sp8MWn5
2B69m+3luROc64ryFUr09CsiiLvcnXKyfGKgzKrN5+oQzTLB8lVIksiLEG7iliC6
mV3CHYQxIWZ2uElOmyYFifwumKrYALa7KBdKzGuVyDYPHeD56zXX6M+fwU8ORXva
iSmjSYAG1TzXsyNl+Qmp3wv1LxycNw==
=HoKK
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 01 Sep 2017 07:28:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:18:07 2019; Machine Name: buxtehude
