[Git][security-tracker-team/security-tracker][master] Reserve DLA-2965-1 for cacti

Tue Mar 29 21:41:11 BST 2022


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7c9280cd by Sylvain Beucler at 2022-03-29T22:40:54+02:00
Reserve DLA-2965-1 for cacti

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -30841,7 +30841,6 @@ CVE-2021-26247 (As an unauthenticated remote user, visit "http://<CACTI_SERVE
 	NOTE: Fixed by: https://github.com/Cacti/cacti/commit/2b8097c06030ab72c5b3bdadb23dceb5332f0e94 (1.2.0-beta1)
 CVE-2021-23225 (Cacti 1.1.38 allows authenticated users with User Management permissio ...)
 	- cacti 1.2.1+ds1-1
-	[stretch] - cacti <postponed> (Minor issue; stored XSS requires prior admin access)
 	NOTE: https://github.com/Cacti/cacti/issues/1882
 	NOTE: overlap with CVE-2020-7106 (registered earlier, but issue above is from 2018) which refactors user_admin.php XSS protection
 	NOTE: input (not output) validation not addressed, malicious username still can be created after fix
@@ -111785,7 +111784,6 @@ CVE-2020-23227
 CVE-2020-23226 (Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1. ...)
 	- cacti 1.2.13+ds1-1
 	[buster] - cacti <no-dsa> (Minor issues)
-	[stretch] - cacti <no-dsa> (Minor issues; also requires semi-intrusive change to be backported)
 	NOTE: https://github.com/Cacti/cacti/issues/3549
 	NOTE: https://github.com/Cacti/cacti/commit/8d5fbc48debddc91a66b5aed877060566c6b6232 (1.2.13)
 	NOTE: https://github.com/Cacti/cacti/commit/74c011ba8635902713c530ded90bc0a045ca461d (1.2.13)
@@ -135039,7 +135037,6 @@ CVE-2020-13231 (In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF
 CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not immediately  ...)
 	- cacti 1.2.11+ds1-1
 	[buster] - cacti 1.2.2+ds1-2+deb10u3
-	[stretch] - cacti <no-dsa> (Minor issue, Partial patch https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch)
 	NOTE: https://github.com/Cacti/cacti/issues/3343
 CVE-2020-13229 (An issue was discovered in Sysax Multi Server 6.90. A session can be h ...)
 	NOT-FOR-US: Sysax Multi Server
@@ -152106,7 +152103,6 @@ CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_i
 	{DLA-2069-1}
 	- cacti 1.2.9+ds1-1 (bug #949996)
 	[buster] - cacti 1.2.2+ds1-2+deb10u3
-	[stretch] - cacti <postponed> (can be fixed along with more important issues)
 	NOTE: https://github.com/Cacti/cacti/issues/3191
 	NOTE: https://github.com/Cacti/cacti/commit/4cbb045e03ee20a2bd09094a201a925fbb8a39d9
 	NOTE: https://github.com/Cacti/cacti/commit/47a000b5aba4af16967e249b25f25397506e3464
@@ -196488,7 +196484,6 @@ CVE-2019-11026 (FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has
 CVE-2019-11025 (In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping o ...)
 	{DLA-1757-1}
 	- cacti 1.2.2+ds1-2 (low; bug #926700)
-	[stretch] - cacti <no-dsa> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/issues/2581
 	NOTE: https://github.com/Cacti/cacti/commit/c373e66a6a224e221a1db037164144ce59b20736 (v1.2.3)
 CVE-2019-11024 (The load_pnm function in frompnm.c in libsixel.a in libsixel 1.8.2 has ...)
@@ -253380,7 +253375,6 @@ CVE-2018-10074 (The hi3660_stub_clk_probe function in drivers/clk/hisilicon/clk-
 	NOTE: Fixed by: https://git.kernel.org/linus/9903e41ae1f5d50c93f268ca3304d4d7c64b9311 (4.16-rc7)
 CVE-2018-10061 (Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars  ...)
 	- cacti 1.1.37+ds1-1 (low)
-	[stretch] - cacti <no-dsa> (Minor issue)
 	[jessie] - cacti <no-dsa> (Minor issue)
 	[wheezy] - cacti <no-dsa> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/issues/1457
@@ -253392,7 +253386,6 @@ CVE-2018-10061 (Cacti before 1.1.37 has XSS because it makes certain htmlspecial
 	NOTE: https://github.com/Cacti/cacti/commit/3a76892c178e27ce6e7189fd0ba17581f91154e8 (v1.1.37)
 CVE-2018-10060 (Cacti before 1.1.37 has XSS because it does not properly reject uninte ...)
 	- cacti 1.1.37+ds1-1 (low)
-	[stretch] - cacti <no-dsa> (Minor issue)
 	[jessie] - cacti <no-dsa> (Minor issue)
 	[wheezy] - cacti <no-dsa> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/issues/1457


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Mar 2022] DLA-2965-1 cacti - security update
+	{CVE-2018-10060 CVE-2018-10061 CVE-2019-11025 CVE-2020-7106 CVE-2020-13230 CVE-2020-23226 CVE-2021-23225 CVE-2022-0730}
+	[stretch] - cacti 0.8.8h+ds1-10+deb9u2
 [29 Mar 2022] DLA-2964-1 libdatetime-timezone-perl - new upstream version
 	[stretch] - libdatetime-timezone-perl 1:2.09-1+2022a
 [29 Mar 2022] DLA-2963-1 tzdata - new timezone database


=====================================
data/dla-needed.txt
=====================================
@@ -24,9 +24,6 @@ asterisk (Abhijith PA)
   NOTE: 20220314: Looking on back log no-dsa (abhijith)
   NOTE: 20220322: https://people.debian.org/~abhijith/upload/vda/asterisk_13.14.1~dfsg-2+deb9u6.dsc (abhijith)
 --
-cacti (Sylvain Beucler)
-  NOTE: 20220321: checking postponed vulnerabilities
---
 condor
 --
 firmware-nonfree



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c9280cd5368da368597f3bcbd5c51f98663df33

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c9280cd5368da368597f3bcbd5c51f98663df33
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220329/ffbbc03b/attachment-0001.htm>
