[Pkg-cacti-maint] Bug#742768: Regarding your cacti security report CVE-2014-2326 - 2328
troman at cacti.net
Mon Mar 31 04:46:15 UTC 2014
I created 3 bugs to fix the issues outlined. I'm still working on
CVE-2014-2327 as it will require a little more work to mitigate in the
Cacti code. As for your questions about past CVE, the currently
reported ones are valid from the reported version to the latest. Once I
have resolved the issue in CVE-2014-2327, I will post patches all the
way back to 0.8.7g to 0.8.8b. A new release is pending release after
testing is complete.
If you are logged into the bug system you should be able to read the
descriptions of the issues that I added as private comments.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
CVE-2014-2327 Cross Site Request Forgery Vulnerability
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
On 3/28/14, 3:52 AM, Paul Gevers wrote:
> As the maintainer of Cacti in Debian, I received  your security
> report  on Cacti yesterday. I have several questions.
> I didn't see any public communication with the upstream maintainers, so
> I assume it was done in private. After releasing your CVE numbers,
> wouldn't it been nice to report the issues also in the bug tracker of
> cacti, so that contributors could maybe help?
> I find your report rather vague, for one because it talks about
> an old version of cacti (current version is 0.8.8b). How is e.g.
> CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
> if you found new issues? Maybe just explicitly stating the issues you found?
> Furthermore, with the current description I hardly see a difference
> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
> To me it seems you have a new point with CVE-2014-2327 though.
> Paul Gevers.
> Debian Cacti maintainer.
>  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
>  http://www.securityfocus.com/archive/1/531588
More information about the Pkg-cacti-maint