Bug 96243 - net-analyzer/cacti SQL injection / global php var security issues
Summary: net-analyzer/cacti SQL injection / global php var security issues
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High major
Assignee: Gentoo Security
URL: http://www.cacti.net/downloads/cacti-...
Whiteboard: C1 [glsa] jaervosz
 
Reported: 2005-06-15 19:39 UTC by Lance Albertson (RETIRED)
Modified: 2007-05-31 10:53 UTC (History)

Description Lance Albertson (RETIRED) gentoo-dev 2005-06-15 19:39:27 UTC
I recently got in contact with the authors of cacti, so I'm the first gentoo person to see this. Got an email from this not too long ago:

----

Recently the Cacti group had been informed of some serious security 
issues that would allow for SQL injection and global php variable 
overwriting.  To resolve these issues, we have new release of Cacti 
0.8.6e, which includes the security fixes and some minor bug fixes.

We will be announcing the new release of Cacti 0.8.6e on Monday June 20th.

You can find Cacti 0.8.6e at 
http://www.cacti.net/downloads/cacti-0.8.6e.tar.gz, which is the 
standard download location.

We hope this will at least be enough time to get the ball rolling for 
updating related packages in distributions.

If you have any questions, please let us know.

Thanks,

The Cacti Group

Tony Roman
Cacti Developer

----

Not sure if they want this kind of quiet till the official release, so I'll mark this only visible for security folks. (I noticed they put it on vendor-disclosure).
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-15 22:10:10 UTC
Adding individual maintainers as aliases doesn't work on restricted bugs.
 
Eldad/Aaron please attach an updated ebuild to this bug, do NOT commit 
anything. 
  
  
Comment 2 Lance Albertson (RETIRED) gentoo-dev 2005-06-15 22:56:18 UTC
FYI, I talked with solar about this and he already just bumped an ebuild in
portage (but it's masked -*). No mention of why it's there was included. I emailed
the author to see how quiet he wants this since he was a bit vague on that in
the email. I've already upgraded my personal setup at home on x86 and seems to
be working fine. 

Sorry that I didn't include individual folks, I knew I forgot something :-)

I'll keep you apprised of any more info from upstream.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-16 10:01:42 UTC
Please test and report back success on this bug. Do NOT mark stable. Since it 
is marked -* I've also called unstable arches. 
Comment 4 Lance Albertson (RETIRED) gentoo-dev 2005-06-16 18:01:27 UTC
FYI: If you tried testing this ebuild before this comment, please try again. The
author just sent an email stating the tarball has changed with one more minor
bug fix. I just updated the digest for it and should hit the rsync mirrors in
30-45min.
Comment 5 Simon Stelling (RETIRED) gentoo-dev 2005-06-18 13:36:38 UTC
works fine on amd64
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-18 14:18:59 UTC
Works on ppc.
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2005-06-18 17:10:38 UTC
Alpha works.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2005-06-20 08:23:59 UTC
sparc good.
Sorry for the delay on this one.
Comment 9 Lance Albertson (RETIRED) gentoo-dev 2005-06-20 08:38:47 UTC
Let me find out from the cacti authors when we can officially mark this stable
and release an announcement.
Comment 10 Lance Albertson (RETIRED) gentoo-dev 2005-06-20 10:56:02 UTC
Looks like it won't be posted till later tonight:

---
I still have a few announcements to type up, so hopefully not after 8:00
PM EDT. Either way, keep your eyes on the website for the official
announcement before posting the distribution advisories.

Regarding Michael's question about a patch URL, I will post the
0.8.6d->0.8.6e security patch to the following URL:

http://www.cacti.net/downloads/patches/0.8.6d/cacti_0_8_6e_security.patch

Ian
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-20 14:19:09 UTC
Soon time for GLSA decision on this one. I vote YES. 
Comment 12 Lance Albertson (RETIRED) gentoo-dev 2005-06-20 19:55:33 UTC
It's been announced on the cacti site. We're a go to start marking it stable and
whatever else you guys do.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-20 23:07:52 UTC
This is now public -> opening. 
 
maintainers/patchers I think we can commit with target keywords:   
   
x86 ~ppc sparc ~alpha ~amd64  
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-06-21 00:29:16 UTC
I vote YES for GLSA
Comment 15 Lance Albertson (RETIRED) gentoo-dev 2005-06-21 11:22:10 UTC
I'll go ahead and mark these as stated earlier, any objections?
Comment 16 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-21 11:26:55 UTC
Lance: no.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-21 13:01:53 UTC
ramereth please go ahead. 
Comment 18 Lance Albertson (RETIRED) gentoo-dev 2005-06-21 13:37:41 UTC
committed
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-21 13:47:02 UTC
Thx Lance. This one is ready for GLSA. Security please review draft. 
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-22 08:27:15 UTC
Thx everyone. 
 
GLSA 200506-20