[Pkg-cacti-maint] Bug#742768: Regarding your cacti security report CVE-2014-2326 - 2328
Tony Roman
troman at cacti.net
Sat Apr 5 02:05:46 UTC 2014
Paul,
CVE-2014-2708 and CVE-2014-2709 are addressed in
http://bugs.cacti.net/view.php?id=2405
A security patch for the following has been posted on the Cacti site for
versions 0.8.7g to 0.8.8b:
- CVE-2014-2326 Unspecified HTML Injection Vulnerability
- CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
- CVE-2014-2708 Unspecified SQL Injection Vulnerability
- CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
As for CVE-2014-2327 Cross Site Request Forgery Vulnerability, I'm still
working on a solution. I have some limited time this weekend to work on
this fix. But I will be on the west coast for business this next week
and will have time at night to work on this fix. I plan on pushing
0.8.8c release to address this and other minor fixes in Cacti the
weekend of April 12th.
Tony
On 4/4/14, 2:56 AM, Paul Gevers wrote:
> Hi Tony,
>
> Just for your heads up. I was hoping to also see a fix for CVE-2014-2327
> already, but I fully understand why that takes longer. Do you have any
> idea how long it will take? Days, weeks, months? If the scale is bigger
> than some small number of weeks, I will patch cacti in Debian already
> with the fixes available.
>
> You do know that Cacti got assigned two other CVEs for a fix you made
> recently? CVE-2014-2708 and CVE-2014-2709:
> http://seclists.org/oss-sec/2014/q2/15
>
> Paul
>
>
> On 03/31/14 06:46, Tony Roman wrote:
>> Paul,
>>
>> I created 3 bugs to fix the issues outlined. I'm still working on
>> CVE-2014-2327 as it will require a little more work to mitigate in the
>> Cacti code. As for your questions about past CVEs, the currently
>> reported ones are valid from the reported version to the latest. Once I
>> have resolved the issue in CVE-2014-2327, I will post patches all the
>> way back to 0.8.7g to 0.8.8b. A new release is pending release after
>> testing is complete.
>>
>> If you are logged into the bug system you should be able to read the
>> descriptions of the issues that I added as private comments.
>>
>> CVE-2014-2326 Unspecified HTML Injection Vulnerability
>> http://bugs.cacti.net/view.php?id=2431
>>
>> CVE-2014-2327 Cross Site Request Forgery Vulnerability
>> http://bugs.cacti.net/view.php?id=2432
>>
>> CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
>> http://bugs.cacti.net/view.php?id=2433
>>
>> Tony Roman
>> Cacti Developer
>>
>> On 3/28/14, 3:52 AM, Paul Gevers wrote:
>>> Hi,
>>>
>>> As the maintainer of Cacti in Debian, I received [1] your security
>>> report [2] on Cacti yesterday. I have several questions.
>>>
>>> I didn't see any public communication with the upstream maintainers, so
>>> I assume it was done in private. After releasing your CVE numbers,
>>> wouldn't it have been nice to report the issues also in the bug tracker of
>>> cacti, so that contributors could maybe help?
>>>
>>> I find your report rather vague, for one because it talks about
>>> an old version of cacti (current version is 0.8.8b). How is e.g.
>>> CVE-2014-2326 different from (the already fixed) CVE-2013-5588,
>>> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
>>> if you found new issues? Maybe just explicitly stating the issues you found?
>>>
>>> Furthermore, with the current description I hardly see a difference
>>> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
>>>
>>> To me it seems you have a new point with CVE-2014-2327 though.
>>>
>>> Paul Gevers.
>>> Debian Cacti maintainer.
>>>
>>> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
>>> [2] http://www.securityfocus.com/archive/1/531588
>>>