Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 732522 (CVE-2020-11022, CVE-2020-11023) - <net-analyzer/cacti-1.2.13 - multiple vulnerabilities (CVE-2020-11022, CVE-2020-11023)
Summary: <net-analyzer/cacti-1.2.13 - multiple vulnerabilities (CVE-2020-11022, CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2020-11022, CVE-2020-11023
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2020-14295
  Show dependency tree
 
Reported: 2020-07-14 06:11 UTC by Jeroen Roovers (RETIRED)
Modified: 2020-07-29 00:23 UTC (History)
1 user (show)

See Also:
Package list:
=net-analyzer/cacti-1.2.13 =net-analyzer/cacti-spine-1.2.13
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2020-07-14 06:11:02 UTC
Cacti CHANGELOG

1.2.13
-security#3544: jQuery XSS vulnerabilities require vendor package update (CVE-2020-11022 / CVE-2020-11023)
-security#3549: Lack of escaping on some pages can lead to XSS exposure
-security#3582: Update PHPMailer to 6.1.6 (CVE-2020-13625)
-security#3622: SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295)
-security#3628: Lack of escaping on template import can lead to XSS exposure
Comment 1 Larry the Git Cow gentoo-dev 2020-07-14 06:12:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e86246a81503d92e3d8bb47d2719f3cdf0a33a35

commit e86246a81503d92e3d8bb47d2719f3cdf0a33a35
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-07-14 06:10:21 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-07-14 06:12:18 +0000

    net-analyzer/cacti-spine: Version 1.2.13
    
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Bug: https://bugs.gentoo.org/732522
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/cacti-spine/Manifest                  |  1 +
 net-analyzer/cacti-spine/cacti-spine-1.2.13.ebuild | 51 ++++++++++++++++++++++
 2 files changed, 52 insertions(+)
Comment 2 NATTkA bot gentoo-dev 2020-07-14 06:12:44 UTC
Unable to check for sanity:

> no match for package: =net-analyzer/cacti-1.2.13
Comment 3 NATTkA bot gentoo-dev 2020-07-14 06:16:50 UTC
All sanity-check issues have been resolved
Comment 4 Rolf Eike Beer 2020-07-15 17:11:23 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-07-17 15:17:47 UTC
x86 stable
Comment 6 Sam James archtester gentoo-dev Security 2020-07-19 00:09:51 UTC
amd64 stable. Please cleanup.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-07-26 23:29:26 UTC
This issue was resolved and addressed in
 GLSA 202007-03 at https://security.gentoo.org/glsa/202007-03
by GLSA coordinator Sam James (sam_c).
Comment 8 Sam James archtester gentoo-dev Security 2020-07-27 01:10:25 UTC
Reopening for cleanup.
Comment 9 Larry the Git Cow gentoo-dev 2020-07-29 00:19:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a682b03e136370d0b875eea46428f955976a9f3d

commit a682b03e136370d0b875eea46428f955976a9f3d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:39 +0000

    net-analyzer/cacti: security cleanup
    
    Bug: https://bugs.gentoo.org/732522
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/cacti/Manifest            |  1 -
 net-analyzer/cacti/cacti-1.2.12.ebuild | 48 ----------------------------------
 2 files changed, 49 deletions(-)