[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: cacti LTS

Hi Emilio

[By the way, I read debian-lts, so no need to mail me directly, dropped
your To: as well].

On 26-06-16 10:40, Emilio Pozuelo Monfort wrote:
>> I believe CVE-2016-2313 should be included in this fix.
> Certainly! I have backported the fix and included in this new debdiff.

Looks good to me (but I haven't tested).

> Unfortunately I'm not sure how to trigger the bug.

For one thing, you have to change the authentication scheme, (maybe
remove the template, not sure if one is included by default), and log
into cacti with a valid http user (but non-existing cacti user).

> Ah, nice. I don't think we have ci.debian.net running for wheezy, but this can
> be useful to do some basic testing after an update.

It was for the last point that I mentioned it. As cacti before the
current stretch package didn't run out-of-the-box, it would require
additional logic to even work on a CI framework (such as making sure
that the admin password is the same as the cacti/www-data password and
actually configuring the cacti pages). But if cacti works on your VM, it
should be simple to run the test (usually takes several minutes though).
My intention is to add tests for all the CVE's that I fix as well, but
as you can see in the test, I wasn't successful with CVE-2016-3659,
however, a check for CVE-2016-3172 is in.


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: