[Pkg-cacti-maint] Bug#742768: Regarding your cacti security report CVE-2014-2326 - 2328
elbrus at debian.org
Fri Mar 28 07:52:28 UTC 2014
As the maintainer of Cacti in Debian, I received your security
report on Cacti yesterday. I have several questions.
I didn't see any public communication with the upstream maintainers, so
I assume it was done in private. After releasing your CVE numbers,
wouldn't it have been nice to report the issues also in the bug tracker of
cacti, so that contributors could maybe help?
I find your report rather vague, for one because it talks about
an old version of cacti (current version is 0.8.8b). How is e.g.
CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
if you found new issues? Maybe just explicitly stating the issues you found?
Furthermore, with the current description I hardly see a difference
between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
To me it seems you have a new point with CVE-2014-2327 though.
Debian Cacti maintainer.