Bug#942524: buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638

To: Thomas Goirand <zigo@debian.org>, 942524@bugs.debian.org
Subject: Bug#942524: buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Thu, 17 Oct 2019 20:49:58 +0100
Message-id: <[🔎] 80822b37a83750eaa81a5ca1c6e04af8dc71ae73.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 942524@bugs.debian.org
In-reply-to: <[🔎] 157132800829.20903.13684859490852958347.reportbug@zbuz.infomaniak.ch>
References: <[🔎] 157132800829.20903.13684859490852958347.reportbug@zbuz.infomaniak.ch> <[🔎] 157132800829.20903.13684859490852958347.reportbug@zbuz.infomaniak.ch>

Control: tags -1 + confirmed

On Thu, 2019-10-17 at 18:00 +0200, Thomas Goirand wrote:
> We would like to update graphite-web to fix 2 issues: the first one
> is
> a message sent every hour if there's no whisper db, and is debian
> specific. The 2nd one is a fix for CVE-2017-18638, where there is
> an SSRF possible attack against graphite-web (the patch just removes
> the send_email route and associated code.
> 

Please go ahead.

Regards,

Adam

Reply to:

References:
- Bug#942524: buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638
  - From: Thomas Goirand <zigo@debian.org>

Prev by Date: Bug#942524: buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638
Next by Date: Processed: Re: Bug#942524: buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638
Previous by thread: Bug#942524: buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638
Next by thread: Processed: Re: Bug#942524: buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638
Index(es):
- Date
- Thread