[Pkg-cacti-maint] Bug#742768: Regarding your cacti security report CVE-2014-2326 - 2328

Tony Roman troman at cacti.net
Sat Apr 5 02:05:46 UTC 2014


Paul,

CVE-2014-2708 and CVE-2014-2709 are addressed in
http://bugs.cacti.net/view.php?id=2405

Security patch for the following has been posted on the Cacti site for
versions 0.8.7g to 0.8.8b:

- CVE-2014-2326 Unspecified HTML Injection Vulnerability
- CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
- CVE-2014-2708 Unspecified SQL Injection Vulnerability
- CVE-2014-2709 Unspecified Remote Command Execution Vulnerability

As for CVE-2014-2327 Cross Site Request Forgery Vulnerability, I'm still
working on a solution.  I have some limited time this weekend to work on
this fix.  But I will be on the west coast for business this next week
and will have time at night to work on this fix.  I plan on pushing
0.8.8c release to address this and other minor fixes in Cacti the
weekend of April 12th.

Tony

On 4/4/14, 2:56 AM, Paul Gevers wrote:
> Hi Tony,
> 
> Just for your heads up. I was hoping to also see a fix for CVE-2014-2327
> already, but I fully understand why that takes longer. Do you have any
> idea how long it will take? Days, weeks, months? If the scale is bigger
> than some small number of weeks, I will patch cacti in Debian already
> with the fixes available.
> 
> You do know that Cacti got assigned two other CVE's for a fix you made
> recently? CVE-2014-2708 and CVE-2014-2709:
> http://seclists.org/oss-sec/2014/q2/15
> 
> Paul
> 
> 
> On 03/31/14 06:46, Tony Roman wrote:
>> Paul,
>>
>> I created 3 bugs to fix the issues outlined.  I'm still working on
>> CVE-2014-2327 as it will require a little more work to mitigate in the
>> Cacti code.  As for your questions about past CVE, the currently
>> reported ones are valid from the reported version to the latest.  Once I
>> have resolved the issue in CVE-2014-2327, I will post patches all the
>> way back to 0.8.7g to 0.8.8b.  A new release is pending release after
>> testing is complete.
>>
>> If you are logged into the bug system you should be able to read the
>> descriptions of the issues that I added as private comments.
>>
>> CVE-2014-2326 Unspecified HTML Injection Vulnerability
>>   http://bugs.cacti.net/view.php?id=2431
>>
>> CVE-2014-2327 Cross Site Request Forgery Vulnerability
>>   http://bugs.cacti.net/view.php?id=2432
>>
>> CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
>>   http://bugs.cacti.net/view.php?id=2433
>>
>> Tony Roman
>> Cacti Developer
>>
>> On 3/28/14, 3:52 AM, Paul Gevers wrote:
>>> Hi,
>>>
>>> As the maintainer of Cacti in Debian, I received [1] your security
>>> report [2] on Cacti yesterday. I have several questions.
>>>
>>> I didn't see any public communication with the upstream maintainers, so
>>> I assume it was done in private. After releasing your CVE numbers,
>>> wouldn't it have been nice to report the issues also in the bug tracker of
>>> cacti, so that contributors could maybe help?
>>>
>>> I find your report rather vague, for one because it talks about
>>> an old version of cacti (current version is 0.8.8b). How is e.g.
>>> CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
>>> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
>>> if you found new issues? Maybe just explicitly stating the issues you found?
>>>
>>> Furthermore, with the current description I hardly see a difference
>>> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
>>>
>>> To me it seems you have a new point with CVE-2014-2327 though.
>>>
>>> Paul Gevers.
>>> Debian Cacti maintainer.
>>>
>>> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
>>> [2] http://www.securityfocus.com/archive/1/531588
>>>
>>
>>
>>
> 


