From ${URL} : SQL injection in Cacti (0.8.8f and older versions) was discovered in graph.php.
Upstream bug: http://bugs.cacti.net/view.php?id=2646
Upstream patch: http://svn.cacti.net/viewvc?view=rev&revision=7767
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Arch teams, please test and mark stable: =net-analyzer/cacti-0.8.8f-r1
Targeted stable KEYWORDS: alpha amd64 hppa sparc x86
Stable on alpha.
amd64 stable
x86 stable
Stable for HPPA.
sparc stable. Maintainer(s), please cleanup. Security, please vote.
Arches, thank you for your work. GLSA Vote: Yes. New GLSA request filed. Maintainer(s), please drop the vulnerable version(s).
CVE-2015-8377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8377): SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action.
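The shape the CVE describes, a serialized selected_graphs_array whose contents reach SQL, as an added PHP example that is not Cacti's own code: the table and column names are hypothetical, and the hardened function restricts unserialize(), rejects anything but non-negative integer ids, and binds them with a prepared statement.

```php
<?php
// Added illustrative example (not Cacti's code). Table/column names are hypothetical.

// Unsafe pattern: trust whatever unserialize() produces and interpolate it into SQL.
function save_selected_graphs_unsafe(PDO $db, string $serialized): int {
    $selected = unserialize($serialized);   // arbitrary keys/values, any class
    $n = 0;
    foreach ($selected as $template_id => $hosts) {
        foreach ($hosts as $host_id) {
            // String interpolation: a crafted key or value rewrites the statement.
            $n += $db->exec("INSERT INTO host_graph (host_id, template_id) VALUES ($host_id, $template_id)");
        }
    }
    return $n;
}

// Hardened pattern: forbid object instantiation during unserialize(), validate the
// structure (int template ids mapping to lists of int host ids), bind every value.
function save_selected_graphs(PDO $db, string $serialized): int {
    $selected = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($selected)) {
        throw new InvalidArgumentException('selected_graphs_array must be a serialized array');
    }
    $stmt = $db->prepare('INSERT INTO host_graph (host_id, template_id) VALUES (:host, :tpl)');
    $n = 0;
    foreach ($selected as $template_id => $hosts) {
        if (!is_int($template_id) || $template_id < 0 || !is_array($hosts)) {
            throw new InvalidArgumentException('invalid graph template id');
        }
        foreach ($hosts as $host_id) {
            $opts = ['options' => ['min_range' => 0]];
            if (filter_var($host_id, FILTER_VALIDATE_INT, $opts) === false) {
                throw new InvalidArgumentException('invalid host id');
            }
            $stmt->execute([':host' => (int) $host_id, ':tpl' => $template_id]);
            $n += $stmt->rowCount();
        }
    }
    return $n;
}

// Constructed demo against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE host_graph (host_id INTEGER, template_id INTEGER)');
echo save_selected_graphs($db, serialize([3 => [1, 2]])), " rows inserted\n";
try {
    save_selected_graphs($db, serialize(['3 OR 1=1' => ['x']]));   // non-integer key
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```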
This issue was resolved and addressed in GLSA 201607-05 at https://security.gentoo.org/glsa/201607-05 by GLSA coordinator Aaron Bauman (b-man).