[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-16723/cacti: add patches versions

Sylvain Beucler (@beuc) beuc at debian.org
Thu Dec 21 17:38:28 GMT 2023



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
23bdb162 by Sylvain Beucler at 2023-12-21T18:25:50+01:00
CVE-2019-16723/cacti: add patches versions

- - - - -
1a7e573a by Sylvain Beucler at 2023-12-21T18:29:37+01:00
CVE-2023-37543/cacti: buster ignored

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -21747,8 +21747,8 @@ CVE-2023-37625 (A stored cross-site scripting (XSS) vulnerability in Netbox v3.4
 	- netbox <itp> (bug #1017079)
 CVE-2023-37543 (Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for  ...)
 	- cacti 1.2.6+ds1-1
-	[buster] - cacti <no-dsa> (Minor issue)
-	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj
+	[buster] - cacti <ignored> (Unclear issue; can only be reproduced by reverting CVE-2019-16723 fixes; probably a different vector of the same vulnerability)
+	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj (404)
 	NOTE: https://medium.com/%40hussainfathy99/exciting-news-my-first-cve-discovery-cve-2023-37543-idor-vulnerability-in-cacti-bbb6c386afed
 	NOTE: https://github.com/Cacti/cacti/issues/5523
 	NOTE: Not possible to pinpoint exact fix, but upstream confirms that the fix is in
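Review bot: the buster rationale on the `[buster] - cacti <ignored>` line ties CVE-2023-37543 to the CVE-2019-16723 fixes, but the CVE-2019-16723 entry touched by the second hunk of this same change gets no reciprocal NOTE, so anyone reading that entry will not see that a later CVE was judged to be another vector of it; consider adding `NOTE: see also CVE-2023-37543 (likely another vector of the same issue)` under CVE-2019-16723. The `(404)` marker on the GHSA advisory URL is useful, since the only remaining public references are the Medium write-up and issue #5523, but it would help to keep the original advisory id in the NOTE text in case the advisory is republished.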
@@ -304444,17 +304444,17 @@ CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass authoriza
 	[stretch] - cacti <not-affected> (vulnerability introduced later)
 	[jessie] - cacti <not-affected> (vulnerability introduced later)
 	NOTE: vulnerability introduced in
-	NOTE: https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326
+	NOTE: https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326 (release/1.0.0)
 	NOTE: see Debian bug report for more information
 	NOTE: https://github.com/Cacti/cacti/issues/2964
-	NOTE: https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264
-	NOTE: https://github.com/Cacti/cacti/commit/c7cf4a26e4848872b48094e67f8d0a01dd7613d2
+	NOTE: https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264 (release/1.2.7)
+	NOTE: https://github.com/Cacti/cacti/commit/c7cf4a26e4848872b48094e67f8d0a01dd7613d2 (release/1.2.7)
 	NOTE: after further discussion, upstream issued a new fix which reverts previous commits
-	NOTE: https://github.com/Cacti/cacti/commit/cfb0733597af97abc92270de4f47cbfa32f9ce8b
+	NOTE: https://github.com/Cacti/cacti/commit/cfb0733597af97abc92270de4f47cbfa32f9ce8b (release/1.2.8)
 	NOTE: which turned out to be insufficient to fix the issue, follow up patches:
-	NOTE: https://github.com/Cacti/cacti/commit/9a1d2ec46d2dde23826c134ca70a0cd3bef43ee7
-	NOTE: https://github.com/Cacti/cacti/commit/d5f98679a06aa96adfe04f60908f9108cfc9f7f7
-	NOTE: https://github.com/Cacti/cacti/commit/4cecb19f6be8b84fa1c7b6450b66176007cb53df
+	NOTE: https://github.com/Cacti/cacti/commit/9a1d2ec46d2dde23826c134ca70a0cd3bef43ee7 (release/1.2.8)
+	NOTE: https://github.com/Cacti/cacti/commit/d5f98679a06aa96adfe04f60908f9108cfc9f7f7 (release/1.2.8)
+	NOTE: https://github.com/Cacti/cacti/commit/4cecb19f6be8b84fa1c7b6450b66176007cb53df (release/1.2.8)
 	NOTE: The original issue mentions only a bypass via graph_json.php but there are
 	NOTE: additional permission checks missed while checking the issue fixed with the
 	NOTE: upstream commits.
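Review bot: the `(release/1.2.7)` / `(release/1.2.8)` annotations added to the commit URLs do not say what they mean; `release/1.2.x` reads like a branch name, while the NOTE sequence ("new fix which reverts previous commits", "follow up patches") suggests it is the first tagged release containing each commit. A short NOTE stating the convention (e.g. `NOTE: (release/x.y.z) = first upstream release containing the commit`) would make the 1.2.7 -> 1.2.8 fix/revert/re-fix history unambiguous for whoever backports these. The `(release/1.0.0)` tag on the introducing commit is consistent with the `[stretch]` and `[jessie] <not-affected> (vulnerability introduced later)` lines in the visible context, which is the main value of this change.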



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/702da29d82f17ff864d63375c457beae4555e6ea...1a7e573aee513e7fc8df567644fa7a3259e5182d
