[Git][security-tracker-team/security-tracker][master] 6 commits: CVE-2023-49085/cacti: reference patch
Sylvain Beucler (@beuc)
beuc at debian.org
Tue Feb 20 13:43:41 GMT 2024
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
40e4289c by Sylvain Beucler at 2024-02-20T13:18:40+01:00
CVE-2023-49085/cacti: reference patch
- - - - -
76b9bb2f by Sylvain Beucler at 2024-02-20T13:18:42+01:00
CVE-2023-49084/cacti: fix patch
- - - - -
8597007f by Sylvain Beucler at 2024-02-20T13:18:44+01:00
cacti: add commit tags
- - - - -
fe197fd8 by Sylvain Beucler at 2024-02-20T13:18:46+01:00
CVE-2023-46490/cacti: drop unrelated patch
According to
https://gist.github.com/ISHGARD-2/a95632111138fcd7ccf7432ccb145b53
this is an SQL injection vulnerability, so patches related to
purify.js are not necessary.
- - - - -
aff19bde by Sylvain Beucler at 2024-02-20T13:50:34+01:00
CVE-2023-50250/cacti: reference patches
- - - - -
2f19f0cd by Sylvain Beucler at 2024-02-20T14:38:47+01:00
CVE-2023-46490,CVE-2023-51448/cacti: probably duplicates, same description (unserialize abuse), same impact (blind SQLi)
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -10592,7 +10592,9 @@ CVE-2023-51448 (Cacti provides an operational monitoring and fault management fr
[bullseye] - cacti <not-affected> (Vulnerable code introduced later; Fix for CVE-2023-30534 not applied)
[buster] - cacti <not-affected> (Vulnerable code introduced later; Fix for CVE-2023-30534 not applied)
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-w85f-7c4w-7594
+ NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc (release/1.2.26)
NOTE: Introduced by: https://github.com/Cacti/cacti/commit/7b1ae5bcab3caca020da0080e19ac51c2743adfe (release/1.2.25, CVE-2023-30534)
+ NOTE: Probably duplicate of CVE-2023-46490
CVE-2023-51035 (TOTOLINK EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary com ...)
NOT-FOR-US: TOTOLINK
CVE-2023-51034 (TOTOlink EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary com ...)
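Review bot: the new "Probably duplicate of CVE-2023-46490" NOTE gives no pointer to where the duplicate was raised, whereas the CVE-2023-46490 entry in this same patch records "Duplicate reported at MITRE 2024-02-20 (CVE Request 1607585)"; add the same request reference here so that whichever of the two IDs is later REJECTED can be traced from either entry. The fix commit 58a980f335980ab57659420053d89d4e721ae3fc is also cited under CVE-2023-50250 and CVE-2023-46490 below; if one commit closes several issues, say so in the NOTE so a stable backport is not taken as partial.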
@@ -10662,6 +10664,8 @@ CVE-2023-50250 (Cacti is an open source operational monitoring and fault managem
[bullseye] - cacti <not-affected> (Vulnerable code introduced later)
[buster] - cacti <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73
+ NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc (release/1.2.26)
+ NOTE: https://github.com/Cacti/cacti/commit/73d9a60e24d6d826e6343b94d833b48c28b68643 (release/1.2.26)
NOTE: Introduced by: https://github.com/Cacti/cacti/commit/27a36d48e1cea172b0750c970324208b39d2bec5 (release/1.2.23)
CVE-2023-50147 (There is an arbitrary command execution vulnerability in the setDiagno ...)
NOT-FOR-US: TOTOLINK
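Review bot: two fix commits are now listed for CVE-2023-50250 with no indication whether both are required, and 58a980f335980ab57659420053d89d4e721ae3fc is simultaneously the fix reference for CVE-2023-51448 and CVE-2023-46490 elsewhere in this patch. Annotate which commit addresses which part (or state that both are needed), otherwise someone preparing a bookworm update may cherry-pick 73d9a60e24d6d826e6343b94d833b48c28b68643 alone.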
@@ -10686,6 +10690,7 @@ CVE-2023-49088 (Cacti is an open source operational monitoring and fault managem
CVE-2023-49085 (Cacti provides an operational monitoring and fault management framewor ...)
- cacti 1.2.26+ds1-1
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855
+ NOTE: https://github.com/Cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188 (release/1.2.26)
CVE-2023-48704 (ClickHouse is an open-source column-oriented database management syste ...)
- clickhouse <unfixed> (bug #1059367)
[bookworm] - clickhouse <no-dsa> (Minor issue)
@@ -10806,7 +10811,7 @@ CVE-2023-49086 (Cacti is a robust performance and fault management framework and
CVE-2023-49084 (Cacti is a robust performance and fault management framework and a fro ...)
- cacti 1.2.26+ds1-1 (bug #1059254)
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
- NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
+ NOTE: https://github.com/Cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188 (release/1.2.26)
CVE-2023-48723
REJECTED
CVE-2023-48722 (Student Result Management System v1.0 is vulnerable to multiple Unauth ...)
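Review bot: 58a980f335980ab57659420053d89d4e721ae3fc is dropped from CVE-2023-49084 and replaced by 5f451bc680d7584525d18026836af2a1e31b2188 without a NOTE saying why; since 58a980f is kept (and re-added) as the fix for CVE-2023-46490, CVE-2023-50250 and CVE-2023-51448 in this same patch, record that it belongs to a different issue so it is not reinstated here. With this change 5f451bc is the sole fix reference for both CVE-2023-49084 (GHSA-pfh9-gwm6-86vp) and CVE-2023-49085 (GHSA-vr3c-38wh-g855); a one-line NOTE that one commit fixes both advisories makes that deliberate rather than look like a copy-paste slip.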
@@ -20638,11 +20643,12 @@ CVE-2023-46490 (SQL Injection vulnerability in Cacti v1.2.25 allows a remote att
- cacti 1.2.26+ds1-1 (bug #1059286)
[bookworm] - cacti <no-dsa> (Revisit when more details are available)
[bullseye] - cacti <no-dsa> (Revisit when more details are available)
+ [buster] - cacti <not-affected> (Vulnerable code introduced later; Fix for CVE-2023-30534 not applied)
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-f4r3-53jr-654c (not public yet)
NOTE: https://gist.github.com/ISHGARD-2/a95632111138fcd7ccf7432ccb145b53
- NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
- NOTE: https://github.com/Cacti/cacti/commit/73d9a60e24d6d826e6343b94d833b48c28b68643
- NOTE: Potentially overlapping with CVE-2023-49084 and CVE-2023-49086
+ NOTE: Checking the above link, this is probably a duplicate of CVE-2023-51448, hence related to CVE-2023-30534
+ NOTE: Duplicate reported at MITRE 2024-02-20 (CVE Request 1607585)
+ NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc (release/1.2.26)
CVE-2023-46468 (An issue in juzawebCMS v.3.4 and before allows a remote attacker to ex ...)
NOT-FOR-US: juzawebCMS
CVE-2023-46467 (Cross Site Scripting vulnerability in juzawebCMS v.3.4 and before allo ...)
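Review bot: the distribution lines are now inconsistent with the duplicate claim. buster becomes `<not-affected> (Vulnerable code introduced later; Fix for CVE-2023-30534 not applied)`, but bullseye stays `<no-dsa> (Revisit when more details are available)` even though the CVE-2023-51448 entry this is said to duplicate marks bullseye `<not-affected>` for exactly the same reason; either align the bullseye (and bookworm) lines with CVE-2023-51448 or keep the "revisit" wording on buster too. The removed "Potentially overlapping with CVE-2023-49084 and CVE-2023-49086" NOTE also disappears without a trace; a NOTE saying the overlap was ruled out, or subsumed by the CVE-2023-51448 duplicate, preserves the reasoning for the next person. Finally, GHSA-f4r3-53jr-654c is still tagged "(not public yet)"; worth re-checking now that the triage has been settled from the gist.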
@@ -29416,7 +29422,7 @@ CVE-2023-39516 (Cacti is an open source operational monitoring and fault managem
{DSA-5550-1}
- cacti 1.2.25+ds1-1
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-r8qq-88g3-hmgv
- NOTE: https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e
+ NOTE: https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e (release/1.2.25)
CVE-2023-39515 (Cacti is an open source operational monitoring and fault management fr ...)
{DSA-5550-1}
- cacti 1.2.25+ds1-1
@@ -29429,7 +29435,7 @@ CVE-2023-39514 (Cacti is an open source operational monitoring and fault managem
[bullseye] - cacti <not-affected> (Vulnerable code not present)
[buster] - cacti <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-6hrc-2cfc-8hm7
- NOTE: https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e
+ NOTE: https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e (release/1.2.25)
NOTE: Introduced by: https://github.com/Cacti/cacti/commit/75c147b70493d188ad85313569f86e33e13988b2 (release/1.2.17)
CVE-2023-39513 (Cacti is an open source operational monitoring and fault management fr ...)
- cacti 1.2.25+ds1-1
@@ -29444,7 +29450,7 @@ CVE-2023-39512 (Cacti is an open source operational monitoring and fault managem
[bullseye] - cacti <not-affected> (Vulnerable code not present)
[buster] - cacti <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vqcc-5v63-g9q7
- NOTE: https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e
+ NOTE: https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e (release/1.2.25)
NOTE: Introduced by: https://github.com/Cacti/cacti/commit/75c147b70493d188ad85313569f86e33e13988b2 (release/1.2.17)
CVE-2023-39510 (Cacti is an open source operational monitoring and fault management fr ...)
- cacti 1.2.25+ds1-1
@@ -29452,7 +29458,7 @@ CVE-2023-39510 (Cacti is an open source operational monitoring and fault managem
[bullseye] - cacti <not-affected> (Vulnerable code not present)
[buster] - cacti <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-24w4-4hp2-3j8h
- NOTE: https://github.com/Cacti/cacti/commit/c67daa614d91c8592b8792298da8e3aa017c4009
+ NOTE: https://github.com/Cacti/cacti/commit/c67daa614d91c8592b8792298da8e3aa017c4009 (release/1.2.25)
NOTE: Introduced by: https://github.com/Cacti/cacti/commit/26e2dbacf298265ce9e517f6f1f008ec46167b5d (release/1.2.20)
CVE-2023-39366 (Cacti is an open source operational monitoring and fault management fr ...)
- cacti 1.2.25+ds1-1
@@ -29460,7 +29466,7 @@ CVE-2023-39366 (Cacti is an open source operational monitoring and fault managem
[bullseye] - cacti <not-affected> (Vulnerable code not present)
[buster] - cacti <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv
- NOTE: https://github.com/Cacti/cacti/commit/c67daa614d91c8592b8792298da8e3aa017c4009
+ NOTE: https://github.com/Cacti/cacti/commit/c67daa614d91c8592b8792298da8e3aa017c4009 (release/1.2.25)
NOTE: Introduced by: https://github.com/Cacti/cacti/commit/befc9005e99fdb44aa4b09b87fadced2f21539a6 (release/1.2.20)
CVE-2023-39365 (Cacti is an open source operational monitoring and fault management fr ...)
{DSA-5550-1}
@@ -29468,23 +29474,23 @@ CVE-2023-39365 (Cacti is an open source operational monitoring and fault managem
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-v5w7-hww7-2f22
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1499/
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1500/
- NOTE: https://github.com/cacti/cacti/commit/f775c115e9d6e4b6a326eee682af8afebc43f20e
+ NOTE: https://github.com/cacti/cacti/commit/f775c115e9d6e4b6a326eee682af8afebc43f20e (release/1.2.25)
CVE-2023-39364 (Cacti is an open source operational monitoring and fault management fr ...)
{DSA-5550-1}
- cacti 1.2.25+ds1-1
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-4pjv-rmrp-r59x
- NOTE: https://github.com/Cacti/cacti/commit/05bf9dd89d056c7de9591396d92b25ddf140c0da
+ NOTE: https://github.com/Cacti/cacti/commit/05bf9dd89d056c7de9591396d92b25ddf140c0da (release/1.2.25)
CVE-2023-39362 (Cacti is an open source operational monitoring and fault management fr ...)
{DSA-5550-1}
- cacti 1.2.25+ds1-1
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
- NOTE: https://github.com/cacti/cacti/commit/cb9ab92f2580fc6cb9b64ce129655fb15e35d056
- NOTE: https://github.com/Cacti/cacti/commit/ca5a66ceace19a565cae61b484064a06c7b0c3c1
+ NOTE: https://github.com/cacti/cacti/commit/cb9ab92f2580fc6cb9b64ce129655fb15e35d056 (release/1.2.25)
+ NOTE: https://github.com/Cacti/cacti/commit/4c26f39fa3567553192823a5e8096b187bbaddde (release/1.2.25)
CVE-2023-39361 (Cacti is an open source operational monitoring and fault management fr ...)
{DSA-5550-1}
- cacti 1.2.25+ds1-1
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg
- NOTE: https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822
+ NOTE: https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822 (release/1.2.25)
CVE-2023-39360 (Cacti is an open source operational monitoring and fault management fr ...)
- cacti 1.2.25+ds1-1
[bookworm] - cacti 1.2.24+ds1-1+deb12u1
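Review bot: this hunk does more than the "add commit tags" commit message says: under CVE-2023-39362 the second fix reference changes from ca5a66ceace19a565cae61b484064a06c7b0c3c1 to 4c26f39fa3567553192823a5e8096b187bbaddde with no NOTE explaining the swap. Either ca5a66c was wrong (say so) or 4c26f39 is its release/1.2.25 counterpart (say that); silent hash changes are hard to audit later. Separately, the repository owner is lowercase `cacti/cacti` on f775c115e9d6e4b6a326eee682af8afebc43f20e, cb9ab92f2580fc6cb9b64ce129655fb15e35d056 and 4246aee6310846d0e106bd05279e54fff3765822 but `Cacti/cacti` on the others; GitHub resolves both, but a consistent spelling makes grepping the list reliable.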
@@ -29496,21 +29502,21 @@ CVE-2023-39359 (Cacti is an open source operational monitoring and fault managem
{DSA-5550-1}
- cacti 1.2.25+ds1-1
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-q4wh-3f9w-836h
- NOTE: https://github.com/cacti/cacti/commit/7459ff57abcd97ab8bc7a19de9e308ca62c17d38
+ NOTE: https://github.com/cacti/cacti/commit/7459ff57abcd97ab8bc7a19de9e308ca62c17d38 (release/1.2.25)
CVE-2023-39358 (Cacti is an open source operational monitoring and fault management fr ...)
- cacti 1.2.25+ds1-1
[bookworm] - cacti 1.2.24+ds1-1+deb12u1
[bullseye] - cacti <not-affected> (Vulnerable code not present)
[buster] - cacti <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gj95-7xr8-9p7g
- NOTE: https://github.com/cacti/cacti/commit/318c377180039b22970f1f6636aa586d3b84c44d
- NOTE: https://github.com/cacti/cacti/commit/58a2df17c94fda1cdae74613153524ad1a6aae82
+ NOTE: https://github.com/cacti/cacti/commit/318c377180039b22970f1f6636aa586d3b84c44d (release/1.2.25)
+ NOTE: https://github.com/cacti/cacti/commit/58a2df17c94fda1cdae74613153524ad1a6aae82 (release/1.2.25)
NOTE: Introduced by: https://github.com/cacti/cacti/commit/26e2dbacf298265ce9e517f6f1f008ec46167b5d (release/1.2.20)
CVE-2023-39357 (Cacti is an open source operational monitoring and fault management fr ...)
{DSA-5550-1}
- cacti 1.2.25+ds1-1
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-6jhp-mgqg-fhqg
- NOTE: https://github.com/cacti/cacti/commit/21f6b5c9238b3e8c83f2c9295374d96eb104f21d
+ NOTE: https://github.com/cacti/cacti/commit/21f6b5c9238b3e8c83f2c9295374d96eb104f21d (release/1.2.25)
CVE-2023-36361 (Audimexee v14.1.7 was discovered to contain a SQL injection vulnerabil ...)
NOT-FOR-US: Audimexee
CVE-2023-35124 (An information disclosure vulnerability exists in the OAS Engine confi ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4f594031caf98a253689a0d3ce5228221070eef2...2f19f0cd859e091688a75a3daf0496b78ce85fb1