[Secure-testing-commits] r48830 - data/CVE
Paul Mathijs Gevers
elbrus at moszumanska.debian.org
Fri Feb 10 08:12:44 UTC 2017
Author: elbrus
Date: 2017-02-10 08:12:43 +0000 (Fri, 10 Feb 2017)
New Revision: 48830
Modified:
data/CVE/list
Log:
CVE: Update comments on cacti CVE-2014-4000 after details from upstream
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-02-10 08:01:47 UTC (rev 48829)
+++ data/CVE/list 2017-02-10 08:12:43 UTC (rev 48830)
@@ -86029,11 +86029,16 @@
RESERVED
CVE-2014-4000 [PHP Object Injection Vulnerabilities]
RESERVED
- - cacti 0.0.8h+ds1-1
+ - cacti 0.8.8e+ds1-1 (low)
+ [jessie] - cacti <unfixed>
+ [wheezy] - cacti <unfixed>
NOTE: http://www.cacti.net/release_notes_1_0_0.php
NOTE: http://bugs.cacti.net/view.php?id=2452 (not accessible: marked as security issue)
NOTE: Upstream responded to inquires and mentioned that the fix was already in 0.8.8h
- NOTE: but just didn't make the changelog. Upstream will provide more details.
+ NOTE: but just didn't make the changelog.
+ NOTE: This CVE was fixed by introduction of the function sanitize_unserialize_selected_items
+ NOTE: in version 0.8.8e and calling it instead of unserialize(stripslashes()).
+ NOTE: Affected files require authenticated users.
CVE-2014-3999 [Stricter parameter check in bind() to detect empty passwords]
RESERVED
- php-horde-ldap 2.0.6-1
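Review bot: The retained context line "NOTE: Upstream responded to inquires and mentioned that the fix was already in 0.8.8h" now sits directly above the added notes saying the fix was introduced in 0.8.8e, and the fixed-version entry moves from 0.0.8h+ds1-1 to 0.8.8e+ds1-1, so the entry reads as if it names two different fix versions. Consider rewording that line to say the fix was already present by 0.8.8h and was introduced in 0.8.8e, and correct "inquires" to "inquiries" in the same edit. The new [jessie] and [wheezy] <unfixed> lines would also be easier to act on with a NOTE stating whether those suites ship a version older than 0.8.8e, since the hunk does not show their versions. The (low) urgency appears to rest only on the last added NOTE about authenticated users; saying so explicitly in that NOTE would make the rating traceable.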