[Pkg-cacti-maint] Bug#742768: Regarding your cacti security report CVE-2014-2326 - 2328

Paul Gevers elbrus at debian.org
Fri Mar 28 07:52:28 UTC 2014


As the maintainer of Cacti in Debian, I received [1] your security
report [2] on Cacti yesterday. I have several questions.

I didn't see any public communication with the upstream maintainers, so
I assume it was done in private. After releasing your CVE numbers,
wouldn't it have been nice to report the issues also in the bug tracker of
cacti, so that contributors could maybe help?

I find your report rather vague, for one because it talks about
an old version of cacti (current version is 0.8.8b). How is e.g.
CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
if you found new issues? Maybe just explicitly stating the issues you found?

Furthermore, with the current description I hardly see a difference
between CVE-2014-2328 and the (unresolved) CVE-2009-4112?

To me it seems you have a new point with CVE-2014-2327 though.

Paul Gevers.
Debian Cacti maintainer.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
[2] http://www.securityfocus.com/archive/1/531588
