[CVE-2007-3112, CVE-2007-3113] post-authentication DoS

Related Vulnerabilities: CVE-2007-3112   CVE-2007-3113  

Debian Bug report logs - #429224

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Sat, 16 Jun 2007 11:00:01 UTC

Severity: normal

Tags: patch, security

Fixed in version cacti/0.8.6j-1.1

Done: Steffen Joeris <white@security.skolelinux.no>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#429224; Package cacti.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to sean finney <seanius@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: [CVE-2007-3112, CVE-2007-3113] post-authentication DoS
Date: Sat, 16 Jun 2007 12:58:25 +0200
Package: cacti
Tags: security

Two (apparently) related post-authentication DoS bugs have been
disclosed in cacti:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3112>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3113>

(I'm not sure if those warrant a security update for stable.)

Please mention the respective names in the changelog when fixing these
bugs.



Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#429224; Package cacti.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>.


Message #10 received at 429224@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 429224@bugs.debian.org
Subject: patch for DoS
Date: Fri, 3 Aug 2007 22:23:05 +1000
Hi

I attached an NMU, including upstream's patch to fix this DoS.
Do you want me to upload this NMU or do you want to take care of this 
yourself?
Enjoy the rest of your holidays :)

Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]

Tags added: patch Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Fri, 03 Aug 2007 12:24:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#429224; Package cacti.


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list.


Message #17 received at 429224@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 429224@bugs.debian.org
Subject: Re: Bug#429224: patch for DoS
Date: Fri, 3 Aug 2007 18:23:06 +0200
hey steffen,

go ahead and NMU this, i won't have enough time to get to this for another 
week or so otherwise.


thanks,
	sean

On Friday 03 August 2007 02:23:05 pm Steffen Joeris wrote:
> Hi
>
> I attached an NMU, including upstream's patch to fix this DoS.
> Do you want me to upload this NMU or do you want to take care of this
> yourself?
> Enjoy the rest of your holidays :)
>
> Cheers
> Steffen

Reply sent to Steffen Joeris <white@security.skolelinux.no>:
You have taken responsibility.


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.


Message #22 received at 429224-close@bugs.debian.org:

From: Steffen Joeris <white@security.skolelinux.no>
To: 429224-close@bugs.debian.org
Subject: Bug#429224: fixed in cacti 0.8.6j-1.1
Date: Fri, 03 Aug 2007 17:47:03 +0000
Source: cacti
Source-Version: 0.8.6j-1.1

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive:

cacti_0.8.6j-1.1.diff.gz
  to pool/main/c/cacti/cacti_0.8.6j-1.1.diff.gz
cacti_0.8.6j-1.1.dsc
  to pool/main/c/cacti/cacti_0.8.6j-1.1.dsc
cacti_0.8.6j-1.1_all.deb
  to pool/main/c/cacti/cacti_0.8.6j-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 429224@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@security.skolelinux.no> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  3 Aug 2007 19:27:17 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.6j-1.1
Distribution: unstable
Urgency: high
Maintainer: sean finney <seanius@debian.org>
Changed-By: Steffen Joeris <white@security.skolelinux.no>
Description: 
 cacti      - Frontend to rrdtool for monitoring systems and services
Closes: 429224
Changes: 
 cacti (0.8.6j-1.1) unstable; urgency=high
 .
   * Non-maintainer upload with the permission of the maintainer
   * Fix DoS caused by large values passed to the graph_height,
     graph_width, graph_start and graph_end parameter parameters
     (Closes: #429224) Fixes: CVE-2007-3112, CVE-2007-3113
Files: 
 71970460da70b55e2da32d561d29a68f 581 web extra cacti_0.8.6j-1.1.dsc
 94024d53937adfe7f6e993d7c0102426 32921 web extra cacti_0.8.6j-1.1.diff.gz
 316900d2bed5f3940ba36bc6c5b09ae4 963652 web extra cacti_0.8.6j-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGs2do62zWxYk/rQcRAqkqAJ9B2zDYAt1aJmxR2NPep3FfjawlTQCfXG4d
xCsC7W4sOhwzCPy4K5DuzEg=
=EmIB
-----END PGP SIGNATURE-----
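
The changelog entry above attributes the DoS to large values in the graph_height, graph_width, graph_start and graph_end parameters. The following is an added example, not part of the bug log or of the upstream patch: a detection check that scans web access-log lines for out-of-range values in those four parameters. The limits, the sign handling, the request path and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed ceilings, for illustration only: the bug log does not state the
# limits enforced by the upstream patch.
LIMITS = {
    "graph_height": 4096,       # pixels
    "graph_width": 4096,        # pixels
    "graph_start": 2**31 - 1,   # seconds; sign ignored (assumed relative offsets)
    "graph_end": 2**31 - 1,
}
MAX_DIGITS = 12  # longer digit strings are flagged without converting them
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_params(query):
    """Return (name, raw_value, reason) for each suspicious graph parameter."""
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in LIMITS:
            continue
        for raw in values:
            if not re.fullmatch(r"-?\d+", raw):
                findings.append((name, raw, "not an integer"))
            elif len(raw) > MAX_DIGITS or abs(int(raw)) > LIMITS[name]:
                findings.append((name, raw, "exceeds limit"))
    return findings

def scan_log(lines):
    """Return (line_number, path, findings) for each flagged request line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        findings = check_params(url.query)
        if findings:
            hits.append((number, url.path, findings))
    return hits

# Constructed sample lines (placeholder path, documentation IP addresses).
SAMPLE_LOG = [
    '192.0.2.10 - alice [16/Jun/2007:12:00:01 +0200] "GET /cacti/example.php?graph_height=120&graph_width=500 HTTP/1.1" 200 8123',
    '192.0.2.44 - bob [16/Jun/2007:12:00:07 +0200] "GET /cacti/example.php?graph_height=999999999&graph_width=500 HTTP/1.1" 200 0',
    '192.0.2.44 - bob [16/Jun/2007:12:00:09 +0200] "GET /cacti/example.php?graph_start=-86400&graph_end=99999999999999999999 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Because the issue is post-authentication, the authenticated user field of each flagged line identifies the account that sent the request.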




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Sep 2007 07:27:32 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:00:04 2019; Machine Name: beach
