[Pkg-cacti-maint] Bug#752573: cacti: CVE-2014-4002 Cross-Site Scripting Vulnerability

Paul Gevers elbrus at debian.org
Tue Jun 24 19:55:20 UTC 2014


Package: cacti
Version: 0.8.8b+dfsg-5
Severity: grave
Tags: security patch upstream pending
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cacti upstream's svn [1] has a fix for CVE-2014-4002. I couldn't find
any information elsewhere yet. I can only guess that the change
before this revision is also involved [2].

I will add this to my current update for cacti (in progress).

[1] http://svn.cacti.net/viewvc?view=rev&revision=7452
[2] http://svn.cacti.net/viewvc?view=rev&revision=7451

- -- System Information:
Debian Release: 7.5
  APT prefers stable
  APT policy: (500, 'stable'), (99, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cacti depends on:
ii  dbconfig-common                          1.8.47+nmu1
ii  debconf [debconf-2.0]                    1.5.49
ii  libapache2-mod-php5                      5.4.4-14+deb7u11
ii  libphp-adodb                             5.15-1
ii  mysql-client-5.5 [virtual-mysql-client]  5.5.37-0+wheezy1
ii  perl                                     5.14.2-21+deb7u1
ii  php5-cli                                 5.4.4-14+deb7u11
ii  php5-mysql                               5.4.4-14+deb7u11
ii  php5-snmp                                5.4.4-14+deb7u11
ii  rrdtool                                  1.4.7-2
ii  snmp                                     5.4.3~dfsg-2.8
ii  ucf                                      3.0025+nmu3

Versions of packages cacti recommends:
ii  apache2-mpm-prefork [httpd]  2.2.22-13+deb7u1
ii  iputils-ping                 3:20101006-1+b1
ii  libjs-jquery                 1.7.2+dfsg-1
ii  libjs-jquery-cookie          9-1
ii  lighttpd [httpd]             1.4.31-4+deb7u3
ii  logrotate                    3.8.1-4
ii  mysql-server                 5.5.37-0+wheezy1

Versions of packages cacti suggests:
ii  moreutils  0.47
pn  php5-ldap  <none>

- -- debconf information excluded

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----