| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <net-analyzer/cacti-0.8.8b: SQL and Command Injection Vulnerabilities (CVE-2013-{1434,1435}) | | |
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | axiator, jmbsvicetto, netmon |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://secunia.com/advisories/54386/ | | |
| Whiteboard | B2 [glsa] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | 482424 | | |
| Bug Blocks | | | |
Description
Agostino Sarubbo
2013-08-07 18:55:12 UTC
I've bumped cacti on my overlay to 0.8.8b. I'll add it to the tree tomorrow if the maintainer doesn't get to it before me.

I've added the ebuild to the tree.

Since I see no CVE references here and I have at least one oss-security email requesting them without reply, I'm adding the following snippet from another oss-security thread so someone can confirm if these are the CVE identifiers that should be used for this case:

From Giuseppe Iuculano iuculano AT debian DOT org

The Debian Security Team had assigned the following CVEs:

CVE-2013-1434: for the SQL injection issues, fixed by http://svn.cacti.net/viewvc?view=rev&revision=7394

CVE-2013-1435: for the shell escaping issues, fixed by http://svn.cacti.net/viewvc?view=rev&revision=7392 and http://svn.cacti.net/viewvc?view=rev&revision=7393

Those CVEs appear to be correct. Let's hold off on stabilizing for a bit, though, since a couple more Cacti CVEs just got issued this morning.

CVE-2013-1435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1435): (1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

CVE-2013-1434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1434): Multiple SQL injection vulnerabilities in (1) api_poller.php and (2) utility.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

Added to existing GLSA draft.

This issue was resolved and addressed in GLSA 201401-20 at http://security.gentoo.org/glsa/glsa-201401-20.xml by GLSA coordinator Sean Amoss (ackle).