From $(URL): Three cross-site scripting vulnerabilities were reported in the Cacti Bugtracker at [1]:
- Reflected XSS in the "step" parameter of the "/install/index.php" script
- Stored XSS in the id parameter in the "/cacti/host.php" script
- "/cacti/host.php" script is vulnerable to Blind SQL Injection in the "id" parameter.
Upstream (Cc'ed) has committed r7420 [2] and r7421 [3] for 0.8.8 and 0.8.9 respectively to fix these issues.
[1] http://bugs.cacti.net/view.php?id=2383
[2] http://svn.cacti.net/viewvc?view=rev&revision=7420
[3] http://svn.cacti.net/viewvc?view=rev&revision=7421
Note that incorrect phrasing was used: one is an SQL injection, not an XSS. Patches are available at the above links.
I just added cacti-0.8.8b-r1 to the tree with the patches.
Sounds good. @netmon: do we need to stabilize anything besides cacti and cacti-spine, and are we good to stabilize those?
Please consider the patch by gandalf (Developer) listed in this forum page: http://forums.cacti.net/viewtopic.php?f=21&t=50645 Specifically: http://forums.cacti.net/download/file.php?id=28145 Without it, graph previews using COMMENT fields break after upgrade from 0.8.8a. This patch really needs to go into the 0.8.8b ebuild to avoid a regression.
CVE-2013-5589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5589): SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2013-5588 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5588): Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id parameter to cacti/host.php.
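The two CVEs above describe the same request parameter ("id") reaching SQL unvalidated and being echoed back into HTML unencoded. The following PHP is an added illustration of the bug class and its fix, not code from Cacti or from the upstream revisions r7420/r7421; the table name "host", its columns, the in-memory SQLite database and the sample inputs are all constructed here for the example.

```php
<?php
// Added illustration, not Cacti's code: handling of an "id" request
// parameter that is used both in a query and in rendered HTML.

// Constructed schema in an in-memory SQLite database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE host (id INTEGER PRIMARY KEY, description TEXT)');
$pdo->exec("INSERT INTO host (id, description) VALUES (1, 'router-a'), (2, 'switch-b')");

// The bug class behind CVE-2013-5589: the raw parameter is spliced into the
// query text, so whatever the client sends is parsed as SQL. Shown for
// contrast only; it is never called below.
function get_host_unsafe(PDO $pdo, string $id): array
{
    $sql = 'SELECT id, description FROM host WHERE id = ' . $id;  // never do this
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate the type first, then bind the value as a query
// parameter so the database never sees user input as part of the SQL text.
function get_host_safe(PDO $pdo, string $id): ?array
{
    $int = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($int === false) {
        return null;  // anything that is not a positive integer is rejected
    }
    $stmt = $pdo->prepare('SELECT id, description FROM host WHERE id = :id');
    $stmt->execute([':id' => $int]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The bug class behind CVE-2013-5588: the parameter (or data derived from it)
// is written back into the page. Entity-encoding on output means a crafted
// value is displayed as text rather than interpreted as markup.
function render_host(?array $row, string $requested_id): string
{
    if ($row === null) {
        return '<p>No host for id '
            . htmlspecialchars($requested_id, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    return '<p>Host ' . (int) $row['id'] . ': '
        . htmlspecialchars($row['description'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed inputs: a valid id, a non-numeric value, and a value containing markup.
foreach (['2', 'two', '<b>2</b>'] as $id) {
    echo render_host(get_host_safe($pdo, $id), $id), "\n";
}
```

Run with the PHP CLI (`php example.php`); the valid id prints the host row, the other two inputs are rejected before any query is built and are shown entity-encoded. The point for a package maintainer checking a fix like r7420/r7421 is that both halves are needed: type validation plus parameter binding on the database side, and encoding on the output side, since fixing only one leaves the other CVE open.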
(In reply to Reuben Farrelly from comment #3)
> Please consider the patch by gandalf (Developer) listed in this forum page:
>
> http://forums.cacti.net/viewtopic.php?f=21&t=50645
>
> Specifically: http://forums.cacti.net/download/file.php?id=28145
>
> Without it, graph previews using COMMENT fields break after upgrade from
> 0.8.8a. This patch really needs to go into the 0.8.8b ebuild to avoid a
> regression.

I just confirmed the patch works. I had hit this regression, but didn't realize it was a regression.
cacti-0.8.8b-r2 is on the way to the tree.
(In reply to Jorge Manuel B. S. Vicetto from comment #5)
> (In reply to Reuben Farrelly from comment #3)
> > Please consider the patch by gandalf (Developer) listed in this forum page:
> >
> > http://forums.cacti.net/viewtopic.php?f=21&t=50645
> >
> > Specifically: http://forums.cacti.net/download/file.php?id=28145
> >
> > Without it, graph previews using COMMENT fields break after upgrade from
> > 0.8.8a. This patch really needs to go into the 0.8.8b ebuild to avoid a
> > regression.
>
> I just confirmed the patch works. I had hit this regression, but didn't
> realize it was a regression.
> cacti-0.8.8b-r2 is on the way to the tree.

Done
Release the arch teams! Arches, please test and mark stable: =net-analyzer/cacti-0.8.8b-r2 Target arches: alpha amd64 hppa sparc x86
amd64 stable
Stable for HPPA.
x86 stable
alpha stable
sparc stable
GLSA vote: no. Maintainers, please drop vulnerable versions.
GLSA vote: no. Waiting for cleanup.
Ping! Maintainer(s), please drop the vulnerable version.
--- ChangeLog 2013-09-15 16:15:48.848128397 +0200 +++ ChangeLog.new 2013-12-30 12:38:05.503941317 +0100 @@ -2,6 +2,10 @@ # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 # $Header: /var/cvsroot/gentoo-x86/net-analyzer/cacti/ChangeLog,v 1.198 2013/09/14 10:40:06 ago Exp $ + 30 Dec 2013; Jeroen Roovers <jer@gentoo.org> -cacti-0.8.7i.ebuild, + -cacti-0.8.8a.ebuild, -cacti-0.8.8b.ebuild, -cacti-0.8.8b-r1.ebuild: + Old. +
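Review bot: the entry removing -cacti-0.8.7i.ebuild, -cacti-0.8.8a.ebuild, -cacti-0.8.8b.ebuild and -cacti-0.8.8b-r1.ebuild gives only "Old." as its reason; since these are the versions affected by CVE-2013-5588 and CVE-2013-5589 and this cleanup is what the GLSA vote was waiting on, cite the bug and the CVE identifiers in the entry (for example "Old, vulnerable to CVE-2013-5588/CVE-2013-5589; see this bug.") so the removal is traceable from the ChangeLog alone. Also confirm that the stabilised =net-analyzer/cacti-0.8.8b-r2 remains the only 0.8.8b revision left in the tree after this commit, which the hunk implies but does not state.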
Maintainer(s), thank you for your work! GLSA voting complete = No. Closing.