708938 – (CVE-2020-7106, CVE-2020-7237) <net-analyzer/cacti-1.2.9: multiple vulnerabilities (CVE-2020-{7106,7237})

Bug 708938 (CVE-2020-7106, CVE-2020-7237) - <net-analyzer/cacti-1.2.9: multiple vulnerabilities (CVE-2020-{7106,7237})

Summary: <net-analyzer/cacti-1.2.9: multiple vulnerabilities (CVE-2020-{7106,7237})

Status:	RESOLVED FIXED

Alias:	CVE-2020-7106, CVE-2020-7237

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-02-10 08:46 UTC by Jeroen Roovers (RETIRED)
Modified:	2020-05-04 09:43 UTC (History)
CC List:	1 user (show)

See Also:	720918
Package list:	=net-analyzer/cacti-1.2.9 =net-analyzer/cacti-spine-1.2.9
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeroen Roovers (RETIRED) gentoo-dev

2020-02-10 08:46:56 UTC

1.2.9
-security#3191: Lack of escaping on some pages can lead to XSS exposure (CVE-2020-7106)
-security#3201: Remote Code Execution due to input validation failure in Performance Boost Debug Log (CVE-2020-7237)

Comment 1 Agostino Sarubbo gentoo-dev

2020-02-11 09:44:51 UTC

sparc stable

Comment 2 Agostino Sarubbo gentoo-dev

2020-02-11 09:53:50 UTC

x86 stable

Comment 3 Agostino Sarubbo gentoo-dev

2020-02-11 11:11:07 UTC

amd64 stable

Comment 4 Larry the Git Cow gentoo-dev

2020-02-13 10:35:11 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ddd89a3987df99d3797ae3d4f03b9aeb4049ff62

commit ddd89a3987df99d3797ae3d4f03b9aeb4049ff62
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-13 10:32:36 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-13 10:35:07 +0000

    net-analyzer/cacti-spine: Old
    
    Package-Manager: Portage-2.3.88, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=708938
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/cacti-spine/Manifest                 |  1 -
 net-analyzer/cacti-spine/cacti-spine-1.2.8.ebuild | 52 -----------------------
 2 files changed, 53 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77a2f6f4e30b729ae516e23615d30d5c9a92a7e1

commit 77a2f6f4e30b729ae516e23615d30d5c9a92a7e1
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-13 10:31:21 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-13 10:35:07 +0000

    net-analyzer/cacti: Old
    
    Package-Manager: Portage-2.3.88, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=708938
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/cacti/Manifest           |  1 -
 net-analyzer/cacti/cacti-1.2.8.ebuild | 48 -----------------------------------
 2 files changed, 49 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c79b50b700bace569c616c23cb3e573569495cf6

commit c79b50b700bace569c616c23cb3e573569495cf6
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-13 10:30:15 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-13 10:35:07 +0000

    net-analyzer/cacti: Stable for HPPA
    
    Package-Manager: Portage-2.3.88, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=708938
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/cacti/cacti-1.2.9.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=657c24e8e1ff8667f7e3dba249b804aa55c4ade9

commit 657c24e8e1ff8667f7e3dba249b804aa55c4ade9
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-13 10:28:46 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-13 10:35:07 +0000

    net-analyzer/cacti-spine: Stable for HPPA
    
    Package-Manager: Portage-2.3.88, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=708938
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/cacti-spine/cacti-spine-1.2.9.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-19 16:24:55 UTC

New GLSA request filed.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2020-03-19 16:31:13 UTC

This issue was resolved and addressed in
 GLSA 202003-40 at https://security.gentoo.org/glsa/202003-40
by GLSA coordinator Thomas Deutschmann (whissi).