Re: [SECURITY] [DLA 2069-1] cacti security update
Hi Hugo et al.,
> > Package : cacti
> > Version : 0.8.8b+dfsg-8+deb8u9
> > CVE ID : CVE-2020-7106
[…]
> a followup patch was just published for CVE-2020-7106[0]. If you want to
> release a regression update, I'd recommend to wait a few days. I would not
> be surprised to see more fixes coming. :-)
Just following up to all of this after giving it time to settle. The
"followup patch" you refer to, ie:
https://github.com/Cacti/cacti/commit/47a000b5aba4af16967e249b25f25397506e3464
… refers to code that is not present in cacti 0.8.8b and
(unless I am missing any other commits) I therefore conclude this CVE
to be resolved in jessie LTS. I have accordingly removed it from the
dla-needed.txt file.
Thanks for your diligence on this. :)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-