Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 582996 (CVE-2016-3659)

Summary: <net-analyzer/cacti-0.8.8h: SQL injection vulnerability in graph_view.php (CVE-2016-3659)
Product: Gentoo Security Reporter: Jeroen Roovers (RETIRED) <jer>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: netmon
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3659
Whiteboard: C2 [glsa cve]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2016-05-14 09:46:55 UTC 
Release Notes - 0.8.8h

Changelog

bug:0002656: Authentication using web authentication as a user not in the cacti database allows complete access (regression)
bug:0002667: Cacti SQL Injection Vulnerability
bug:0002666: When click the [Clear] button after clicking the [Refresh] button in Preview Mode , fails to CSRFcheck
bug:0002673: CVE-2016-3659 - Cacti graph_view.php SQL Injection Vulnerability
bug:0002676: Outdated MIBs for non-unicast packets
bug:0002677: Index is a MySQL 5.6 reserved word
bug:0002681: generate_graph_def_name() generates reserved word "cf"
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2016-05-14 09:51:21 UTC 
Arch teams, please test and mark stable:

=net-analyzer/cacti-0.8.8h
Targeted stable KEYWORDS : alpha amd64 hppa sparc x86

=net-analyzer/cacti-spine-0.8.8h
Targeted stable KEYWORDS : amd64 hppa sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2016-05-14 22:22:24 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-05-14 22:24:04 UTC 
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-05-17 05:21:47 UTC 
Stable for HPPA.
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-21 08:53:44 UTC 
Stable on alpha.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 13:51:26 UTC 
Added to existing GLSA.
Comment 7 Agostino Sarubbo gentoo-dev 2016-07-08 10:06:49 UTC 
sparc stable.

Maintainer(s), please cleanup.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-07-16 13:17:08 UTC 
This issue was resolved and addressed in
 GLSA 201607-05 at https://security.gentoo.org/glsa/201607-05
by GLSA coordinator Aaron Bauman (b-man).
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-07-16 13:18:01 UTC 
@maintainer(s), reopening for cleanup.  Please clean the vulnerable versions.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-16 19:50:09 UTC 
Readding SPARC for

=net-analyzer/cacti-spine-0.8.8h
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2016-09-10 00:47:04 UTC 
(In reply to Jeroen Roovers from comment #10)
> Readding SPARC for
> 
> =net-analyzer/cacti-spine-0.8.8h

net-analyzer/cacti: sparc stable wrt bug #582996 
Agostino Sarubbo, Fri, 8 Jul 2016 06:00, commit d09843a7

Arches and Maintainer(s), Thank you for your work.
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-10 06:02:20 UTC 
Keywords for net-analyzer/cacti-spine:
       | a a a h i p p s x m a m n r s s | e u s | r
       | l m r p a p p p 8 i r 6 i i 3 h | a n l | e
       | p d m p 6 c c a 6 p m 8 o s 9   | p u o | p
       | h 6   a 4   6 r   s 6 k s c 0   | i s t | o
       | a 4         4 c     4   2 v     |   e   |
       |                                 |   d   |
-------+---------------------------------+-------+-------
0.8.8e | o + o + o ~ ~ + + o o o o o o o | 5 o 0 | gentoo
0.8.8h | o + o + o ~ ~ ~ + o o o o o o o | 5 o   | gentoo
Comment 13 Agostino Sarubbo gentoo-dev 2016-09-29 09:25:11 UTC 
I missed cacti-spine, sorry, I will do it now.
Comment 14 Agostino Sarubbo gentoo-dev 2016-09-29 09:35:19 UTC 
sparc stable.

Maintainer(s), please cleanup.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-10-10 11:37:42 UTC 
@maintainer(s), while it is not vulnerable it should still be cleaned for consistency and I assume it is obsolete concerning version mismatches:

=net-analyzer/cacti-spine-0.8.8e
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-10 15:22:43 UTC 
(In reply to Aaron Bauman from comment #15)
> @maintainer(s), while it is not vulnerable it should still be cleaned for
> consistency and I assume it is obsolete concerning version mismatches:

what?
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2016-11-26 05:24:39 UTC 
Tree is clean.