From ${URL} :
Unspecified SQL Injection and Location header injection vulnerability has been reported and fixed in Cacti.
Original report: http://seclists.org/fulldisclosure/2015/Jun/19
Upstream bug: http://bugs.cacti.net/view.php?id=2571
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Arch teams, please test and mark stable:
=net-analyzer/cacti-0.8.8d
Targeted stable KEYWORDS : alpha amd64 hppa ppc ppc64 sparc x86
=net-analyzer/cacti-spine-0.8.8d
Targeted stable KEYWORDS : amd64 x86
Second try: Arch teams, please test and mark stable:
=net-analyzer/cacti-0.8.8d
Targeted stable KEYWORDS : alpha amd64 hppa sparc x86
=net-analyzer/cacti-spine-0.8.8d
Targeted stable KEYWORDS : amd64 x86
amd64 stable
x86 stable
(In reply to Agostino Sarubbo from comment #3)
> amd64 stable
No.
(In reply to Agostino Sarubbo from comment #4)
> x86 stable
No.
I guess I rushed cacti-spine there. More changes were needed:
Arch teams, please test and mark stable:
=net-analyzer/cacti-0.8.8d
Targeted stable KEYWORDS : alpha amd64 hppa sparc x86
=net-analyzer/cacti-spine-0.8.8d-r1
Targeted stable KEYWORDS : amd64 x86
(In reply to Jeroen Roovers from comment #5)
> (In reply to Agostino Sarubbo from comment #3)
> > amd64 stable
>
> No.
>
> (In reply to Agostino Sarubbo from comment #4)
> > x86 stable
>
> No.
Sorry, I missed cacti-spine. It is now stable for amd64 and x86.
Stable for HPPA.
sparc stable
CVE-2015-4454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4454): SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php.
CVE-2015-4342 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4342): SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id.
CVE-2015-2665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2665): Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
alpha stable
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
GLSA Vote: No