[Pkg-cacti-maint] Bug#742768: Regarding your cacti security report CVE-2014-2326 - 2328
Tony Roman
troman at cacti.net
Mon Mar 31 04:46:15 UTC 2014
Paul,
I created 3 bugs to fix the issues outlined. I'm still working on
CVE-2014-2327 as it will require a little more work to mitigate in the
Cacti code. As for your questions about past CVEs, the currently
reported ones are valid from the reported version to the latest. Once I
have resolved the issue in CVE-2014-2327, I will post patches all the
way back to 0.8.7g to 0.8.8b. A new release is pending release after
testing is complete.
If you are logged into the bug system you should be able to read the
descriptions of the issues that I added as private comments.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
http://bugs.cacti.net/view.php?id=2431
CVE-2014-2327 Cross Site Request Forgery Vulnerability
http://bugs.cacti.net/view.php?id=2432
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
http://bugs.cacti.net/view.php?id=2433
Tony Roman
Cacti Developer
On 3/28/14, 3:52 AM, Paul Gevers wrote:
> Hi,
>
> As the maintainer of Cacti in Debian, I received [1] your security
> report [2] on Cacti yesterday. I have several questions.
>
> I didn't see any public communication with the upstream maintainers, so
> I assume it was done in private. After releasing your CVE numbers,
> wouldn't it have been nice to report the issues also in the bug tracker of
> cacti, so that contributors could maybe help?
>
> I find your report rather vague, for one because it talks about
> an old version of cacti (current version is 0.8.8b). How is e.g.
> CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
> if you found new issues? Maybe just explicitly stating the issues you found?
>
> Furthermore, with the current description I hardly see a difference
> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
>
> To me it seems you have a new point with CVE-2014-2327 though.
>
> Paul Gevers.
> Debian Cacti maintainer.
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
> [2] http://www.securityfocus.com/archive/1/531588
>