Hi guys, as I alerted you on IRC, this update renders cacti unusable. See: #479618 and #479621. It's pretty clear that the upload was done without any testing, and furthermore without first submitting a bug on the cacti package. tsk tsk :)

sean

On Monday 05 May 2008 05:58:54 pm Thijs Kinkhorst wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1569-1                  security@debian.org
> http://www.debian.org/security/                           Thijs Kinkhorst
> May 05, 2008                          http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package        : cacti
> Vulnerability  : insufficient input sanitising
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2008-0783 CVE-2008-0785
>
> It was discovered that Cacti, a systems and services monitoring frontend,
> performed insufficient input sanitising, leading to cross site scripting
> and SQL injection being possible.
>
> For the stable distribution (etch), this problem has been fixed in
> version 0.8.6i-3.3.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 0.8.7b-1.
>
> We recommend that you upgrade your cacti package.
>
> Upgrade instructions
> --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 4.0 alias etch
> -------------------------------
>
> Source archives:
>
>   http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i.orig.tar.gz
>     Size/MD5 checksum:  1122700 341b5828d95db91f81f5fbba65411d63
>   http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3.diff.gz
>     Size/MD5 checksum:    36683 4b795036336167be4bf6cd2ef2987114
>   http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3.dsc
>     Size/MD5 checksum:      873 74f26b805c7cf676f573000b50230179
>
> Architecture independent packages:
>
>   http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3_all.deb
>     Size/MD5 checksum:   959394 a9d1a594ff7d2386b28296a2c8909cd5
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
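As an added example, not part of Sean's message nor of the Debian advisory or its tooling: the advisory's manual upgrade path is "wget url" followed by "dpkg -i file.deb", and it lists a Size/MD5 pair for every file. The POSIX shell helper below checks a downloaded file against such a pair before it is handed to dpkg. The sample file, its content and its digest are constructed for the demonstration; the file names are placeholders.

```shell
#!/bin/sh
# Added example: verify a downloaded package file against the Size/MD5
# checksum pair an advisory lists, before running dpkg -i on it.

# verify_md5 FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when both the byte size and the MD5 digest match, 1 otherwise.
# The size check is cheap and catches truncated downloads before hashing.
verify_md5() {
    file=$1
    expected_size=$2
    expected_md5=$3

    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    actual_size=$(wc -c < "$file" | tr -d ' ')
    actual_md5=$(md5sum "$file" | cut -d ' ' -f1)

    if [ "$actual_size" != "$expected_size" ]; then
        echo "size mismatch for $file: got $actual_size, expected $expected_size" >&2
        return 1
    fi
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "md5 mismatch for $file: got $actual_md5, expected $expected_md5" >&2
        return 1
    fi
    echo "ok: $file"
    return 0
}

# Constructed sample: a 5-byte file containing "hello", whose MD5 digest is
# 5d41402abc4b2a76b9719d911017c592 (the well-known digest of that string).
tmpdir=$(mktemp -d)
printf '%s' hello > "$tmpdir/sample.deb"
verify_md5 "$tmpdir/sample.deb" 5 5d41402abc4b2a76b9719d911017c592

# A truncated download (4 bytes instead of 5) is rejected on the size check
# and never reaches the hash comparison.
printf '%s' hell > "$tmpdir/truncated.deb"
verify_md5 "$tmpdir/truncated.deb" 5 5d41402abc4b2a76b9719d911017c592 \
    || echo "rejected: $tmpdir/truncated.deb"
```

Only install the file when the helper returns 0. The MD5 pair protects against transfer corruption and truncation; for authenticity of the package itself, rely on the signed advisory mail and on the apt-get path via the security.debian.org source listed in the footer, whose archive metadata apt verifies for you.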