Bug 551728 (CVE-2015-4342) - <net-analyzer/cacti-0.8.8d: SQL Injection and Location header injection from cdef id (CVE-2015-{2665,4342,4454})
Status: RESOLVED FIXED
Alias: CVE-2015-4342
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa/cve]
Keywords:
Depends on: 552030
Blocks:
Reported: 2015-06-11 07:32 UTC by Agostino Sarubbo
Modified: 2015-07-13 14:48 UTC
Description Agostino Sarubbo gentoo-dev 2015-06-11 07:32:23 UTC
From ${URL} :

Unspecified SQL Injection and Location header injection vulnerabilities have been reported and fixed in Cacti.

Original report: http://seclists.org/fulldisclosure/2015/Jun/19
Upstream bug: http://bugs.cacti.net/view.php?id=2571


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-13 05:24:13 UTC
Arch teams, please test and mark stable:
=net-analyzer/cacti-0.8.8d
Targeted stable KEYWORDS : alpha amd64 hppa ppc ppc64 sparc x86

=net-analyzer/cacti-spine-0.8.8d
Targeted stable KEYWORDS : amd64 x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-13 05:25:08 UTC
Second try:

Arch teams, please test and mark stable:
=net-analyzer/cacti-0.8.8d
Targeted stable KEYWORDS : alpha amd64 hppa sparc x86

=net-analyzer/cacti-spine-0.8.8d
Targeted stable KEYWORDS : amd64 x86
Comment 3 Agostino Sarubbo gentoo-dev 2015-06-13 10:26:17 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-06-13 10:27:34 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-13 10:36:39 UTC
(In reply to Agostino Sarubbo from comment #3)
> amd64 stable

No.

(In reply to Agostino Sarubbo from comment #4)
> x86 stable

No.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-14 08:01:36 UTC
I guess I rushed cacti-spine there. More changes were needed:

Arch teams, please test and mark stable:
=net-analyzer/cacti-0.8.8d
Targeted stable KEYWORDS : alpha amd64 hppa sparc x86

=net-analyzer/cacti-spine-0.8.8d-r1
Targeted stable KEYWORDS : amd64 x86
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-15 08:17:55 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Agostino Sarubbo from comment #3)
> > amd64 stable
> 
> No.
> 
> (In reply to Agostino Sarubbo from comment #4)
> > x86 stable
> 
> No.

Sorry, I missed cacti-spine.

It is now stable for amd64 and x86
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-16 04:32:06 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2015-06-17 08:52:41 UTC
sparc stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 12:35:58 UTC
CVE-2015-4454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4454):
  SQL injection vulnerability in the get_hash_graph_template function in
  lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute
  arbitrary SQL commands via the graph_template_id parameter to
  graph_templates.php.

CVE-2015-4342 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4342):
  SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers
  to execute arbitrary SQL commands via unspecified vectors involving a cdef
  id.

CVE-2015-2665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2665):
  Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows
  remote attackers to inject arbitrary web script or HTML via unspecified
  vectors.
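The CVE text above describes the defect pattern (a request parameter such as graph_template_id reaching the SQL text of a lookup query unchanged) but not the fix. The following is an added illustration, not Cacti's code and not the upstream patch: a constructed in-memory SQLite table, a lookup that interpolates the id into the query the way the vulnerable code did, and a hardened lookup that requires an integer and binds it as a parameter. The same integer check is reused for a redirect builder, since an id that is guaranteed to be an integer cannot carry the CR/LF bytes a Location header injection needs. Table layout, function names, the sample payload and the redirect path are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data; this is not Cacti's real schema.
SAMPLE_TEMPLATES = [
    (1, "Unix - Load Average", "hash-aaaa"),
    (2, "Unix - Logged in Users", "hash-bbbb"),
    (3, "Interface - Traffic", "hash-cccc"),
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE graph_templates (id INTEGER PRIMARY KEY, name TEXT, hash TEXT)"
    )
    conn.executemany("INSERT INTO graph_templates VALUES (?, ?, ?)", SAMPLE_TEMPLATES)
    conn.commit()
    return conn


def get_hash_vulnerable(conn, graph_template_id):
    """Vulnerable pattern: the request parameter is pasted into the SQL text,
    so anything after the digits becomes part of the WHERE clause."""
    sql = "SELECT hash FROM graph_templates WHERE id=%s" % graph_template_id
    return [row[0] for row in conn.execute(sql)]


def require_int(value, name):
    """Accept only values that parse as an integer; reject everything else
    (including SQL fragments and CR/LF sequences) before they reach a query
    or a header."""
    try:
        return int(value)
    except (TypeError, ValueError):
        raise ValueError("%s must be an integer" % name)


def get_hash_fixed(conn, graph_template_id):
    """Hardened lookup: validate as integer, then bind as a parameter so the
    value is never interpreted as SQL."""
    template_id = require_int(graph_template_id, "graph_template_id")
    rows = conn.execute(
        "SELECT hash FROM graph_templates WHERE id=?", (template_id,)
    )
    return [row[0] for row in rows]


def location_header(cdef_id):
    """Redirect builder using the same discipline. The path is hypothetical;
    the point is that only an integer can be interpolated into the header."""
    return "Location: /cdef.php?action=edit&id=%d" % require_int(cdef_id, "cdef_id")


def demo():
    """Run benign and injected inputs through both lookups and report results."""
    conn = make_db()
    benign = "2"
    payload = "2 OR 1=1"  # constructed tautology payload
    results = {
        "vulnerable_benign": get_hash_vulnerable(conn, benign),
        "vulnerable_payload": get_hash_vulnerable(conn, payload),
        "fixed_benign": get_hash_fixed(conn, benign),
    }
    try:
        get_hash_fixed(conn, payload)
        results["fixed_payload"] = "accepted"
    except ValueError:
        results["fixed_payload"] = "rejected"
    try:
        location_header("7\r\nSet-Cookie: injected=1")
        results["header_payload"] = "accepted"
    except ValueError:
        results["header_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the interpolated query the tautology payload returns every template's hash instead of one; the parameterised version returns the single expected row for a benign id and refuses the payload outright. Casting to int at the boundary is the cheapest fix for numeric ids; for free-form parameters the binding alone is what matters, and the validation is an extra layer rather than a substitute.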
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-28 16:16:23 UTC
alpha stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-06-30 20:35:19 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-30 20:36:02 UTC
GLSA Vote: No