Re: Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request

To: Debian Long time support <debian-lts@lists.debian.org>, 881110@bugs.debian.org
Subject: Re: Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request
From: Paul Gevers <elbrus@debian.org>
Date: Fri, 10 Nov 2017 19:47:22 +0100
Message-id: <[🔎] 491f44f8-9c93-3f5b-35e4-f7908eef4e43@debian.org>
In-reply-to: <151008946723.20211.10438085147826992438.reportbug@eldamar.local>
References: <151008946723.20211.10438085147826992438.reportbug@eldamar.local>

Control: found 881110 0.8.8a+dfsg-5+deb7u10

On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed, only did
> check unstable's version for now source-wise.

All versions in Debian are affected.

Unfortunately the upstream commit contains much unneeded changes to fix
the issue. Additionally for pre-buster fixes, the code in settings.php
is seriously different.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Prev by Date: Re: Call for testing: upcoming xen security update
Next by Date: RFC: Peculiar dependency change in graphicsmagick
Previous by thread: Re: Call for testing: upcoming xen security update
Next by thread: RFC: Peculiar dependency change in graphicsmagick
Index(es):
- Date
- Thread