
Re: cacti LTS



Hi Emilio

On 25-06-16 22:03, Emilio Pozuelo Monfort wrote:
>> Just in case somebody starts working on it, I'd like to review proposed
>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
>> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing
>> in Debian and a check if the fix by a contributor in the upstream bug
>> report is causing other damage. The third CVE has a trivial patch.
> 
> I've had a look at this. I set up cacti on a wheezy VM, and I could reproduce
> CVE-2016-3172. However, like you, I couldn't reproduce CVE-2016-3659. I don't
> know if we are vulnerable or not, maybe we are and the attack needs some
> changes. In any case, I think the fix is very safe, sanitizing parentheses, so I
> think we can just ship it. What do you think? Please see the attached debdiff.

The patch for CVE-2016-3659 is accepted by upstream, so should be OK to
apply.

The issue with CVE-2016-2313 has been resolved upstream, the
sledgehammer has been replaced by an appropriate hammer for the size of
the nail:
https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52

I believe CVE-2016-2313 should be included in this fix.

Please be advised that since my previous e-mail, I actually created a
brute-force regression test for cacti, see
http://anonscm.debian.org/cgit/pkg-cacti/cacti.git/tree/debian/tests/check-all-pages


Paul
