[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: cacti LTS

Hi Emilio

On 25-06-16 22:03, Emilio Pozuelo Monfort wrote:
>> Just in case somebody starts working on it, I'd like to review proposed
>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
>> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing
>> in Debian and a check if the fix by a contributer in the upstream bug
>> report is causing other damage. The third CVE has a trivial patch.
> I've had a look at this. I set up cacti on a wheezy VM, and I could reproduce
> CVE-2016-3172. However, like you, I couldn't reproduce CVE-2016-3659. I don't
> know if we are vulnerable or not, maybe we are and the attack needs some
> changes. In any case, I think the fix is very safe, sanitizing parenthesis, so I
> think we can just ship it. What do you think? Please see the attached debdiff.

The patch for CVE-2016-3659 is accepted by upstream, so should be OK to

The issue with CVE-2016-2313 has been resolved upstream, the
sledgehammer has been replaced by an appropriate hammer for the size of
the nail:

I believe CVE-2016-2313 should be included in this fix.

Please be advised that since my previous e-mail, I actually created a
brute force regression test for cacti, see


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: