Re: CVE-2016-2313 fix wrong
- To: debian-lts@lists.debian.org
- Subject: Re: CVE-2016-2313 fix wrong
- From: Emilio Pozuelo Monfort <pochu@debian.org>
- Date: Thu, 1 Sep 2016 00:01:00 +0200
- Message-id: <bfac081b-ae65-6f13-01a8-2fac8170aa72@debian.org>
- In-reply-to: <3e90b96e-89e2-09a3-8af1-de5885010fd7@debian.org>
- References: <20160728113542.GA32529@fantomas.sk> <d546132f-a748-5535-353c-6ca83021421d@debian.org> <20160728125909.GB32529@fantomas.sk> <3e90b96e-89e2-09a3-8af1-de5885010fd7@debian.org>
On 29/07/16 20:05, Emilio Pozuelo Monfort wrote:
> On 28/07/16 14:59, Matus UHLAR - fantomas wrote:
>>> On 28/07/16 13:35, Matus UHLAR - fantomas wrote:
>>>> I believe the fix for CVE-2016-2313 in
>>>> CVE-2016-2313-authentication-bypass.patch is invalid.
>>
>> On 28.07.16 14:26, Emilio Pozuelo Monfort wrote:
>>> Thanks for the report. I'll look at it later today.
>>
>> I have posted cacti bug http://bugs.cacti.net/view.php?id=2697
>> and attached patch
>> http://bugs.cacti.net/file_download.php?file_id=1229&type=bug
>>
>> that should fix the issue. The patch is to be applied to the "fixed" version
>> in Debian.
>
> The patch looks sensible to me, but I'd like to give upstream a few days to comment.
>
> BTW you may want to send a pull request at https://github.com/Cacti/cacti

I have just uploaded a fix for this.

Cheers,
Emilio