Debian Bug report logs -
#752573
cacti: CVE-2014-4002 Cross-Site Scripting Vulnerability
Reported by: Paul Gevers <elbrus@debian.org>
Date: Tue, 24 Jun 2014 19:57:06 UTC
Severity: grave
Tags: patch, security, upstream
Found in version cacti/0.8.8b+dfsg-5
Fixed in versions cacti/0.8.8b+dfsg-6, cacti/0.8.8a+dfsg-5+deb7u3, cacti/0.8.7g-1+squeeze4
Done: Paul Gevers <elbrus@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, elbrus@debian.org, security@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#752573; Package cacti.
(Tue, 24 Jun 2014 19:57:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Gevers <elbrus@debian.org>:
New Bug report received and forwarded. Copy sent to elbrus@debian.org, security@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>.
(Tue, 24 Jun 2014 19:57:11 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: cacti
Version: 0.8.8b+dfsg-5
Severity: grave
Tags: security patch upstream pending
Justification: user security hole
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cacti upstream's svn [1] has a fix for CVE-2014-4002. I couldn't find
any information yet elsewhere. I can only guess that also the change
before this revision is also involved [2].
I will add this to my current update for cacti (in progress).
[1] http://svn.cacti.net/viewvc?view=rev&revision=7452
[2] http://svn.cacti.net/viewvc?view=rev&revision=7451
- -- System Information:
Debian Release: 7.5
APT prefers stable
APT policy: (500, 'stable'), (99, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cacti depends on:
ii dbconfig-common 1.8.47+nmu1
ii debconf [debconf-2.0] 1.5.49
ii libapache2-mod-php5 5.4.4-14+deb7u11
ii libphp-adodb 5.15-1
ii mysql-client-5.5 [virtual-mysql-client] 5.5.37-0+wheezy1
ii perl 5.14.2-21+deb7u1
ii php5-cli 5.4.4-14+deb7u11
ii php5-mysql 5.4.4-14+deb7u11
ii php5-snmp 5.4.4-14+deb7u11
ii rrdtool 1.4.7-2
ii snmp 5.4.3~dfsg-2.8
ii ucf 3.0025+nmu3
Versions of packages cacti recommends:
ii apache2-mpm-prefork [httpd] 2.2.22-13+deb7u1
ii iputils-ping 3:20101006-1+b1
ii libjs-jquery 1.7.2+dfsg-1
ii libjs-jquery-cookie 9-1
ii lighttpd [httpd] 1.4.31-4+deb7u3
ii logrotate 3.8.1-4
ii mysql-server 5.5.37-0+wheezy1
Versions of packages cacti suggests:
ii moreutils 0.47
pn php5-ldap <none>
- -- debconf information excluded
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBCAAGBQJTqdeoAAoJEJxcmesFvXUKfCsH+waGVLE0MhVourtuswP5Dzmb
XNiDG22yZWv2n8l118vK8+5pmY2UsZGDuIOA7vME611flPUa2QhAKuXd9Y4znlg5
LFeMLJ2mSPdSr+YGqly1ToA9iMiYHh44mZIDCiXBdn7wpP1NBkAToZyvN2Etze89
lVfWkTTbWpkU5T3IQLqhZ8reRHWvfex4msjNNfjB+Y4gphd5MTm+tHh+8/YA59LG
/L+Dgr25dEMDJG0v47wGqQ9ACRtL5ZtoOzY4R8HY3FO1xY0QIO6qh9ICSG/8O3eb
ip8/tNynGcHfGLXVJiRzbxxHnnihwKacKp5gmrgDPmmZhmGduFTy9m3gsEEGdL4=
=rPL2
-----END PGP SIGNATURE-----
Reply sent
to Paul Gevers <elbrus@debian.org>:
You have taken responsibility.
(Wed, 25 Jun 2014 21:36:19 GMT) (full text, mbox, link).
Notification sent
to Paul Gevers <elbrus@debian.org>:
Bug acknowledged by developer.
(Wed, 25 Jun 2014 21:36:19 GMT) (full text, mbox, link).
Message #10 received at 752573-close@bugs.debian.org (full text, mbox, reply):
Source: cacti
Source-Version: 0.8.8b+dfsg-6
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 752573@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 25 Jun 2014 22:33:53 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8b+dfsg-6
Distribution: unstable
Urgency: high
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
cacti - web interface for graphing of monitoring systems
Closes: 742768 744067 752573
Changes:
cacti (0.8.8b+dfsg-6) unstable; urgency=high
.
* Add alternative php5-mysql | php5-mysqlnd (Closes: #744067)
* Security update (Closes: #742768, #752573)
- CVE-2014-2327 Cross Site Request Forgery Vulnerability
- CVE-2014-4002 Cross-Site Scripting Vulnerability
Checksums-Sha1:
cb0087d5f3770dea819440882c268c754ae0f0e3 1655 cacti_0.8.8b+dfsg-6.dsc
5a34a582d9c8677518a33234a4ad1ac8024ee61a 103284 cacti_0.8.8b+dfsg-6.debian.tar.xz
7b62b650d11502daed7091fbd7985634bfd59f54 1892594 cacti_0.8.8b+dfsg-6_all.deb
Checksums-Sha256:
f72c1022c8497784322e9bb3db94bff0f72ddbe2f38acfbc9f894236741a86d4 1655 cacti_0.8.8b+dfsg-6.dsc
18433ea70e341eff55c005ff1796018f546fa53ed1159e2cd69ec1c9a96168ec 103284 cacti_0.8.8b+dfsg-6.debian.tar.xz
ab5ab0a70f308814acb5f2fdb3b32e398e47567e005065d9fd3d60748470a7aa 1892594 cacti_0.8.8b+dfsg-6_all.deb
Files:
0aa31425f144e81ad972e6ec0aff7d9f 1892594 web extra cacti_0.8.8b+dfsg-6_all.deb
6de034dfcb0d7ecf5e6978bf61d9b45c 1655 web extra cacti_0.8.8b+dfsg-6.dsc
c06386ec36c90e07234da262dc2136e4 103284 web extra cacti_0.8.8b+dfsg-6.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBCAAGBQJTqzRsAAoJEJxcmesFvXUKseAIAKKzrFxl91WYCof/mF8pxeD9
OjOumQOUH/BSNDfsgou3Vk/hVsiMOZroSaEuTYDznfJPa1ajkFENHL5AySAD44xK
sdlHBlpDkp/KexgKBBV+2zxdokjk7BZrfVtJowEkfbVhTOErK+KnUhXmj3sK4tvi
sCQQQS4QNL8iRHVnMKuOQge3YKLiM9uWyA/fjS3LRqNCdNasvknWk2r+9xLBx4uK
wdmeYubm3oCjc+zWmq9RrhYIYTw0RKyXzk3EqPJHcsGeqsnIk6uYtYch014SRune
3XJWYF3Zj6cShJtFkwyEz/GxesSBs7E5ec/BduJKPzJqb8q24MzYsOtD7jH1AR0=
=2G1F
-----END PGP SIGNATURE-----
Reply sent
to Paul Gevers <elbrus@debian.org>:
You have taken responsibility.
(Fri, 04 Jul 2014 07:54:28 GMT) (full text, mbox, link).
Notification sent
to Paul Gevers <elbrus@debian.org>:
Bug acknowledged by developer.
(Fri, 04 Jul 2014 07:54:28 GMT) (full text, mbox, link).
Message #15 received at 752573-close@bugs.debian.org (full text, mbox, reply):
Source: cacti
Source-Version: 0.8.8a+dfsg-5+deb7u3
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 752573@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 26 Jun 2014 21:01:50 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8a+dfsg-5+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
cacti - web interface for graphing of monitoring systems
Closes: 742768 743565 752573
Changes:
cacti (0.8.8a+dfsg-5+deb7u3) wheezy-security; urgency=high
.
* Security upload (Closes: #742768, #743565, #752573)
- CVE-2014-2326 Cross-site scripting (XSS) vulnerability
- CVE-2014-2327 Cross Site Request Forgery Vulnerability
- CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
- CVE-2014-2708 SQL injection
- CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
- CVE-2014-4002 Cross-Site Scripting Vulnerability
Checksums-Sha1:
9acdcd6e9e6b16603e2ee400197df3282a1e6b83 1683 cacti_0.8.8a+dfsg-5+deb7u3.dsc
1d3cc0a0c7ce926893644967ee151c4c4bc65466 121095 cacti_0.8.8a+dfsg-5+deb7u3.debian.tar.gz
49ce8a79add38a77e69a23f885df62888c8dcb3e 2147332 cacti_0.8.8a+dfsg-5+deb7u3_all.deb
Checksums-Sha256:
329bd24accebeab86ac701788a092b090454d80ec69c9c05d8ba0e2a13a7cb93 1683 cacti_0.8.8a+dfsg-5+deb7u3.dsc
c105e1fd8d185a26308343a0c2575fb350aa7555bf61da488a63ff40a3b183d5 121095 cacti_0.8.8a+dfsg-5+deb7u3.debian.tar.gz
8c9606571c58b135d3320ebf1222f924badd5172915dd69966c373467ab573e2 2147332 cacti_0.8.8a+dfsg-5+deb7u3_all.deb
Files:
724367875a4e43438b532c33cb59d853 1683 web extra cacti_0.8.8a+dfsg-5+deb7u3.dsc
8237f1100ca61743de8e0e4b2e5f2fab 121095 web extra cacti_0.8.8a+dfsg-5+deb7u3.debian.tar.gz
80c20926bb4e0502b0aae27d767631e0 2147332 web extra cacti_0.8.8a+dfsg-5+deb7u3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBCAAGBQJTrV5RAAoJEJxcmesFvXUKMGgH/jYf08AmZzl0hsK7UIengiAi
iN1twNHRlyPfL1/YkirbQFHpPHeas49VbEN5geqMbSLHRRyfJ/ftz7w33Oxt20ON
GSWHNSAcT9GXjhe8LuAZlxRFnf7No70K0hRJ91yEeHrA/lbtpgInIcwot9yyKZDk
xmxNf+uPk0ultoTC6JxoSVaDwyj/GxCH9Dzy86sq3DSByhEk+4NYAs6WsXfFIMuj
aQqf1rUwIlHWA3+Hfr0qfRozEKKJFcoZaqZkFjbBQ9ueDUV03qmWeog1n7ujkCkf
D7Kerx+u7XPcuOgFKCs1DPHIWkAjHLA+Y03yJTPtE/5p2G6ENI85UCoTlLXu5KU=
=TD4G
-----END PGP SIGNATURE-----
Reply sent
to Paul Gevers <elbrus@debian.org>:
You have taken responsibility.
(Sat, 05 Jul 2014 17:21:10 GMT) (full text, mbox, link).
Notification sent
to Paul Gevers <elbrus@debian.org>:
Bug acknowledged by developer.
(Sat, 05 Jul 2014 17:21:10 GMT) (full text, mbox, link).
Message #20 received at 752573-close@bugs.debian.org (full text, mbox, reply):
Source: cacti
Source-Version: 0.8.7g-1+squeeze4
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 752573@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elbrus@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 05 Jul 2014 11:27:40 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7g-1+squeeze4
Distribution: squeeze-lts
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
cacti - Frontend to rrdtool for monitoring systems and services
Closes: 742768 743565 752573
Changes:
cacti (0.8.7g-1+squeeze4) squeeze-lts; urgency=high
.
* Security upload (Closes: #742768, #743565, #752573)
- CVE-2014-2326 Cross-site scripting (XSS) vulnerability
- CVE-2014-2327 Cross Site Request Forgery Vulnerability
- CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
- CVE-2014-2708 SQL injection
- CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
- CVE-2014-4002 Cross-Site Scripting Vulnerability
Checksums-Sha1:
0b1a8db6de23388eb333e3f31910e72f35ab512b 1443 cacti_0.8.7g-1+squeeze4.dsc
b88051b333e29b215dacfe07bd1cf684da866c53 59041 cacti_0.8.7g-1+squeeze4.diff.gz
71c19bf1d1ff3d4cbf5d1ef717dbdeaf314bd89b 2098348 cacti_0.8.7g-1+squeeze4_all.deb
Checksums-Sha256:
50961c0bcf6766c9f7493f785f7202fe73bfbfb04b576e5388875f56f846358e 1443 cacti_0.8.7g-1+squeeze4.dsc
1498c3a5ef269942c908a0d9bb24a10a29ebd126c7226c223f52e2171f7c7fb0 59041 cacti_0.8.7g-1+squeeze4.diff.gz
73cea4db7448c4ae2d311937c4f76f9fe2452f4933c7df6b1b6088ecb604b66e 2098348 cacti_0.8.7g-1+squeeze4_all.deb
Files:
5ef9a7d3c7e9753456a923c040276aa8 1443 web extra cacti_0.8.7g-1+squeeze4.dsc
ba7a61ce0ae89d4d19525001d0f98b56 59041 web extra cacti_0.8.7g-1+squeeze4.diff.gz
64be98d1231c4f5ac4a8039a8876cc2a 2098348 web extra cacti_0.8.7g-1+squeeze4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBCAAGBQJTuC2fAAoJEJxcmesFvXUKy4YH/1ETU150OPL6OeHY2EqCbz+4
wMk3kK0hNJv3JpmKlZ2dGdFggSigQTY33CtrR177skN3fjYauoIF+8UVL3BsU7Hg
/9+yMeJWQSGWL0k0NfKSOYGelbswY8yY/rTdBw5INXqaGn7xHaTb6iJ+1IIDKuGu
yxXAMtUpoQn4lJjvkBADPzVl8xE/lyLcNrQFn5owprC28MNGgz1IAGVklhVEj3OB
OFWnYRGCNihhDSW8z1JfLnf+FtUZ2utVsGG2b7JJCGuoAAnOkHQOdfmaq6l5Wq+G
VxA2Aa6S0ABnsJv0aNBMXKRcrutOPU7ElCzdOjNOcDYMyondy5GxwpRzM24XZT0=
=gTIS
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 03 Aug 2014 07:30:44 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:41:27 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon