
Re: [SECURITY] [DSA 1569-1] New cacti packages fix multiple vulnerabilities



Hi Sean,

Sorry for the inconvenience. I did do some superficial testing but indeed I 
have no cacti setup myself so I couldn't test it "live".

There wasn't a bug filed but I'm not sure what your point is with that, given 
that you were well aware of cacti having these issues given your upload of 
Feb 13th.

In any case, you are most knowledgeable about the package, can you suggest the 
patch we use to fix this problem? Then I'll make sure an update is sent out 
as quickly as possible.

cheers,
Thijs

On Monday 5 May 2008 23:53, sean finney wrote:
> hi guys,
>
> as i alerted you on IRC, this update renders cacti unusable.  see:  #479618
> and #479621 .
>
> it's pretty clear that the upload was done without any testing, and
> furthermore without first submitting a bug on the cacti package.  tsk tsk
> :)
>
> 	sean
>
> On Monday 05 May 2008 05:58:54 pm Thijs Kinkhorst wrote:
> > ------------------------------------------------------------------------
> > Debian Security Advisory DSA-1569-1                  security@debian.org
> > http://www.debian.org/security/                          Thijs Kinkhorst
> > May 05, 2008                          http://www.debian.org/security/faq
> > ------------------------------------------------------------------------
> >
> > Package        : cacti
> > Vulnerability  : insufficient input sanitising
> > Problem type   : remote
> > Debian-specific: no
> > CVE Id(s)      : CVE-2008-0783 CVE-2008-0785
> >
> > It was discovered that Cacti, a systems and services monitoring frontend,
> > performed insufficient input sanitising, leading to cross site scripting
> > and SQL injection being possible.
> >
> > For the stable distribution (etch), this problem has been fixed in
> > version 0.8.6i-3.3.
> >
> > For the unstable distribution (sid), this problem has been fixed in
> > version 0.8.7b-1.
> >
> > We recommend that you upgrade your cacti package.
> >
> > Upgrade instructions
> > --------------------
> >
> > wget url
> >         will fetch the file for you
> > dpkg -i file.deb
> >         will install the referenced file.
> >
> > If you are using the apt-get package manager, use the line for
> > sources.list as given below:
> >
> > apt-get update
> >         will update the internal database
> > apt-get upgrade
> >         will install corrected packages
> >
> > You may use an automated update by adding the resources from the
> > footer to the proper configuration.
> >
> >
> > Debian GNU/Linux 4.0 alias etch
> > -------------------------------
> >
> > Source archives:
> >
> >
> > http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i.orig.tar.gz
> >     Size/MD5 checksum:  1122700 341b5828d95db91f81f5fbba65411d63
> >
> > http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3.diff.gz
> >     Size/MD5 checksum:    36683 4b795036336167be4bf6cd2ef2987114
> >
> > http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3.dsc
> >     Size/MD5 checksum:      873 74f26b805c7cf676f573000b50230179
> >
> > Architecture independent packages:
> >
> >
> > http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3_all.deb
> >     Size/MD5 checksum:   959394 a9d1a594ff7d2386b28296a2c8909cd5
> >
> >
> >   These files will probably be moved into the stable distribution on
> >   its next update.
> >
> > ------------------------------------------------------------------------
> >
> > For apt-get: deb http://security.debian.org/ stable/updates main
> > For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> > Mailing list: debian-security-announce@lists.debian.org
> > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>