[Pkg-cacti-maint] Bug#814353: cacti: CVE-2016-2313: Authentication using web authentication as a user not in the cacti database allows complete access

Paul Gevers elbrus at debian.org
Sun Mar 6 19:54:21 UTC 2016


Hi all,

On 10-02-16 19:18, Paul Gevers wrote:
> As I already mentioned in your ref [1], I don't believe this is in
> general true. It is my belief that the reporter opened the access
> actively and just forgot about it. Unfortunately, neither the reporter
> nor upstream responded to my request.

Upstream finally responded to my concerns and agrees. They already
(apparently) fixed this properly in their development branch. See
comment 0007083 in the upstream bug report¹.

I suspect he is talking about this commit:
https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52

If we are going to fix this issue in older Debian versions, I propose to
use the final result of that patch instead of the original.

Paul

¹ http://bugs.cacti.net/view.php?id=2656

