Bug 568400 (CVE-2015-8369) - <net-analyzer/cacti-0.8.8f-r1: SQL injection in graph.php (CVE-2015-{8369,8377})
Summary: <net-analyzer/cacti-0.8.8f-r1: SQL injection in graph.php (CVE-2015-{8369,8377})
Status: RESOLVED FIXED
Alias: CVE-2015-8369
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-16 08:30 UTC by Agostino Sarubbo
Modified: 2016-07-16 13:16 UTC (History)
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-12-16 08:30:37 UTC
From ${URL} :

A SQL injection in Cacti (0.8.8f and older versions) was discovered in graph.php:

Upstream bug:

http://bugs.cacti.net/view.php?id=2646

Upstream patch:

http://svn.cacti.net/viewvc?view=rev&revision=7767


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-02 05:12:34 UTC
Arch teams, please test and mark stable:
=net-analyzer/cacti-0.8.8f-r1
Targeted stable KEYWORDS : alpha amd64 hppa sparc x86
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2016-02-02 13:20:38 UTC
Stable on alpha.
Comment 3 Agostino Sarubbo gentoo-dev 2016-02-03 16:53:14 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-02-03 16:54:51 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-05 05:43:45 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-19 11:37:27 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2016-04-26 06:11:40 UTC
Arches, thank you for your work.
GLSA Vote: Yes
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 13:56:34 UTC
CVE-2015-8377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8377):
  SQL injection vulnerability in the host_new_graphs_save function in
  graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users
  to execute arbitrary SQL commands via crafted serialized data in the
  selected_graphs_array parameter in a save action.
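The CVE text above describes serialized request data reaching an SQL statement. As an added illustration that is not Cacti's code and not part of this bug report, the following PHP shows that pattern in a constructed vulnerable form next to a hardened form. Only the parameter name `selected_graphs_array` comes from the CVE description; the table name `graph_templates`, the function names, the sample values and the in-memory SQLite setup are assumptions made for the example.

```php
<?php
// Added example, not Cacti's code. Shows a serialized request parameter
// flowing into SQL (vulnerable) versus validated and bound (hardened).
// Table name, function names and sample data are assumptions.

// Constructed input: a serialized PHP array of graph ids, as a well-behaved
// client would send it in the selected_graphs_array POST parameter.
$selected_graphs_array = serialize([12, 34]);

// Vulnerable form: trusts whatever unserialize() returns and concatenates
// the values straight into the query string.
function vulnerable_build_query(string $raw): string {
    $graphs = unserialize($raw);      // no allowed_classes restriction, no type check
    $ids = implode(',', $graphs);     // values reach SQL verbatim
    return "SELECT id, name FROM graph_templates WHERE id IN ($ids)";
}

// Hardened form: restrict unserialize(), validate every element as a
// positive integer, and bind values through a prepared statement.
function hardened_prepare(PDO $db, string $raw): PDOStatement {
    $graphs = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($graphs) || $graphs === []) {
        throw new InvalidArgumentException('selected_graphs_array must be a non-empty array');
    }
    $ids = [];
    foreach ($graphs as $g) {
        $v = filter_var($g, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($v === false) {
            throw new InvalidArgumentException('graph id must be a positive integer');
        }
        $ids[] = $v;
    }
    // One placeholder per validated id; the values never touch the SQL text.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, name FROM graph_templates WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional params are 1-indexed
    }
    return $stmt;
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE graph_templates (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO graph_templates VALUES (12, 'cpu'), (34, 'mem'), (56, 'disk')");

echo vulnerable_build_query($selected_graphs_array), "\n";

$stmt = hardened_prepare($db, $selected_graphs_array);
$stmt->execute();
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));   // rows 12 (cpu) and 34 (mem)

// A non-integer element is rejected before any SQL is built.
try {
    hardened_prepare($db, serialize(['twelve']));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The two properties worth checking in a review of code like this are that `unserialize()` is never called on request data without `allowed_classes => false` (or is replaced by a JSON or integer-list format), and that every value derived from it is type-checked and bound rather than interpolated; the prepared statement alone does not help if ids are still joined into the query text.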
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-07-16 13:16:45 UTC
This issue was resolved and addressed in GLSA 201607-05 at https://security.gentoo.org/glsa/201607-05 by GLSA coordinator Aaron Bauman (b-man).