[Pkg-cacti-maint] Bug#814353: cacti: CVE-2016-2313: Authentication using web authentication as a user not in the cacti database allows complete access

Paul Gevers elbrus at debian.org
Wed Feb 10 18:18:04 UTC 2016


Hi Salvatore,

On 10-02-16 19:05, Salvatore Bonaccorso wrote:
> CVE-2016-2313[0]:
> |Authentication using web authentication as a user not in the cacti
> |database allows complete access
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

As I already mentioned in your ref [1], I don't believe this is in
general true. It is my belief that the reporter opened the access
actively and just forgot about it. Unfortunately, neither the reporter
nor upstream responded to my request. Because there is a lot of code that
actually is meant for the situation where there is no user in the cacti
database yet, I believe that "fixing" this CVE is causing (serious?)
regressions for some users, while fixing no real issue. How to handle
this situation?

> [1] http://bugs.cacti.net/view.php?id=2656
> [2] http://svn.cacti.net/viewvc?view=rev&revision=7770

Paul


