Re: cacti CVE-2017-1000031

To: Guido Günther <agx@sigxcpu.org>, team@security.debian.org, debian-lts@lists.debian.org
Cc: Paul Gevers <elbrus@debian.org>
Subject: Re: cacti CVE-2017-1000031
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 21 Jul 2017 10:16:50 +0200
Message-id: <[🔎] 20170721081650.3ntz37qivt27h2xl@lorien.valinor.li>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, team@security.debian.org, debian-lts@lists.debian.org, Paul Gevers <elbrus@debian.org>
In-reply-to: <[🔎] 20170721080237.vjaznfycldjgpsan@bogon.m.sigxcpu.org>
References: <[🔎] 20170721080237.vjaznfycldjgpsan@bogon.m.sigxcpu.org>

Hi Guido,

On Fri, Jul 21, 2017 at 10:02:37AM +0200, Guido Günther wrote:
> Hi security team,
> I looked at CVE-2017-1000031 yesterday. After failing to exploit it
> via a SQL injection getting "validation errors". I then contacted the
> maintainer Paul Gevers and he replied promptly that this looks like a
> duplicate of CVE-2014-4002. Do you agree that this can be marked as
> not affecting Wheezy (and therefore not Jessie since it has the same
> source in this area)?

Not yet please, and in particular not not-affected but rahter should
be REJECTED if this is the case.

We contacted Paul, some days ago regarding this, and yes there is some
indication that it might be a duplicate of CVE-2014-4002. Still to be
finally checked.

Regards,
Salvatore

Reply to:

References:
- cacti CVE-2017-1000031
  - From: Guido Günther <agx@sigxcpu.org>

Prev by Date: cacti CVE-2017-1000031
Next by Date: Re: help needed to complete regression fix for apache2 Bug#858373
Previous by thread: cacti CVE-2017-1000031
Next by thread: Wheezy update of rbenv?
Index(es):
- Date
- Thread