| Field | Value |
|---|---|
| Summary | net-analyzer/cacti-0.8.8b-r2: SQL and XSS vulnerabilities (CVE-2013-{5588,5589}) |
| Product | Gentoo Security |
| Reporter | Chris Reffett (RETIRED) <creffett> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | jmbsvicetto, mike, netmon |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2013/08/25/1 |
| Whiteboard | B3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 480196 |
Description

Chris Reffett (RETIRED) 2013-08-25 14:20:58 UTC

I just added cacti-0.8.8b-r1 to the tree with the patches.

Sounds good. @netmon: do we need to stabilize anything besides cacti and cacti-spine, and are we good to stabilize those?

Please consider the patch by gandalf (Developer) listed in this forum page: http://forums.cacti.net/viewtopic.php?f=21&t=50645

Specifically: http://forums.cacti.net/download/file.php?id=28145

Without it, graph previews using COMMENT fields break after upgrade from 0.8.8a. This patch really needs to go into the 0.8.8b ebuild to avoid a regression.

CVE-2013-5589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5589): SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVE-2013-5588 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5588): Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id parameter to cacti/host.php.

(In reply to Reuben Farrelly from comment #3)
> Please consider the patch by gandalf (Developer) listed in this forum page:
>
> http://forums.cacti.net/viewtopic.php?f=21&t=50645
>
> Specifically: http://forums.cacti.net/download/file.php?id=28145
>
> Without it, graph previews using COMMENT fields break after upgrade from
> 0.8.8a. This patch really needs to go into the 0.8.8b ebuild to avoid a
> regression.

I just confirmed the patch works. I had hit this regression, but didn't realize it was a regression.
cacti-0.8.8b-r2 is on the way to the tree.

(In reply to Jorge Manuel B. S. Vicetto from comment #5)
> (In reply to Reuben Farrelly from comment #3)
> > Please consider the patch by gandalf (Developer) listed in this forum page:
> >
> > http://forums.cacti.net/viewtopic.php?f=21&t=50645
> >
> > Specifically: http://forums.cacti.net/download/file.php?id=28145
> >
> > Without it, graph previews using COMMENT fields break after upgrade from
> > 0.8.8a. This patch really needs to go into the 0.8.8b ebuild to avoid a
> > regression.
>
> I just confirmed the patch works. I had hit this regression, but didn't
> realize it was a regression.
> cacti-0.8.8b-r2 is on the way to the tree.

Done

Release the arch teams!

Arches, please test and mark stable:
=net-analyzer/cacti-0.8.8b-r2
Target arches: alpha amd64 hppa sparc x86

amd64 stable

Stable for HPPA.

x86 stable

alpha stable

sparc stable

GLSA vote: no. Maintainers, please drop vulnerable versions.

GLSA vote: no

Waiting for cleanup

Ping! Maintainer(s), please drop the vulnerable version.

```diff
--- ChangeLog 2013-09-15 16:15:48.848128397 +0200
+++ ChangeLog.new 2013-12-30 12:38:05.503941317 +0100
@@ -2,6 +2,10 @@
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
 # $Header: /var/cvsroot/gentoo-x86/net-analyzer/cacti/ChangeLog,v 1.198 2013/09/14 10:40:06 ago Exp $
+  30 Dec 2013; Jeroen Roovers <jer@gentoo.org> -cacti-0.8.7i.ebuild,
+  -cacti-0.8.8a.ebuild, -cacti-0.8.8b.ebuild, -cacti-0.8.8b-r1.ebuild:
+  Old.
+
```

Maintainer(s), Thank you for your work!

GLSA Voting complete = No

Closing.
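Review bot: the new ChangeLog entry records the removal of cacti-0.8.7i, 0.8.8a, 0.8.8b and 0.8.8b-r1 with the bare reason "Old.", although the cleanup was requested in this bug because those versions carry CVE-2013-5588 and CVE-2013-5589; the entry should cite this bug and both CVE ids so the security motivation for dropping them is traceable from the ChangeLog alone. Separately, the hunk header `@@ -2,6 +2,10 @@` announces six lines of old context but only the two `#` lines are shown, so the hunk as pasted here is truncated and the trailing context should be included when the diff is attached.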
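The two bug classes named in the CVE descriptions (SQL injection and XSS through the `id` parameter of host.php, XSS through the `step` parameter of install/index.php), shown as a vulnerable handler beside its hardened form. This is an added, hypothetical PHP illustration and not Cacti's own code; the `host` table, the `description` column and the installer's step range are assumptions.

```php
<?php
// Added illustration, not Cacti's code. Shows why an untrusted query-string
// value must be validated before it reaches SQL or HTML.

// Vulnerable pattern (the class of defect the advisory describes): the raw
// `id` value is interpolated into the query and echoed back into the page.
function vulnerable_host_lookup(PDO $db, array $get): string
{
    $id  = $get['id'] ?? '';
    $row = $db->query("SELECT description FROM host WHERE id = $id")->fetch();
    // Both the SQL text above and the markup below are attacker-controlled.
    return "<h2>Host $id: {$row['description']}</h2>";
}

// Hardened form, step 1: accept only an integer in a known range and reject
// everything else rather than trying to "repair" the input.
function validate_int_param(array $get, string $name, int $min, int $max): int
{
    $value = filter_var($get[$name] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($value === false) {
        http_response_code(400);
        exit('Bad request');
    }
    return $value;
}

// Hardened form, step 2: bind the validated value as a typed query parameter
// and escape anything reflected into HTML (host descriptions are user data).
function hardened_host_lookup(PDO $db, array $get): string
{
    $id   = validate_int_param($get, 'id', 1, PHP_INT_MAX);
    $stmt = $db->prepare('SELECT description FROM host WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row  = $stmt->fetch(PDO::FETCH_ASSOC) ?: ['description' => ''];
    $safe = htmlspecialchars($row['description'], ENT_QUOTES, 'UTF-8');
    return "<h2>Host $id: $safe</h2>";
}

// The installer's `step` parameter is a small fixed set of values, so the same
// validator pins it to that set; the upper bound 9 is an assumption here.
function installer_step(array $get): int
{
    return validate_int_param($get, 'step', 1, 9);
}
```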