[Pkg-cacti-maint] Bug#814353: cacti: CVE-2016-2313: Authentication using web authentication as a user not in the cacti database allows complete access

Salvatore Bonaccorso carnil at debian.org
Sat Feb 13 09:47:30 UTC 2016

Hi Paul,

On Wed, Feb 10, 2016 at 07:18:04PM +0100, Paul Gevers wrote:
> Hi Salvatore,
> On 10-02-16 19:05, Salvatore Bonaccorso wrote:
> > CVE-2016-2313[0]:
> > |Authentication using web authentication as a user not in the cacti
> > |database allows complete access
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> As I already mentioned in your ref [1], I don't believe this is in
> general true. It is my belief that the reporter opened the access
> actively and just forgot about it. Unfortunately, neither the reporter
> nor upstream responded to my request. Because there is lots of code that
> actually is meant for the situation where there is no user in the cacti
> database yet, I believe that "fixing" this CVE is causing (serious?)
> regression for some users, while fixing no real issue. How to handle
> this situation?

So it looks like e.g. openSUSE has decided to release updates for
that, see e.g. https://www.suse.com/security/cve/CVE-2016-2313.html

Could you bring your observations to the thread on the oss-security
mailing list, where the CVE was assigned?

We for now can wait before backporting the fix to jessie and wheezy,
and first have it exposed in unstable as well via the upcoming cacti
version containing the change (will be 0.8.8g).

