[Pkg-cacti-maint] Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request
Paul Gevers
elbrus at debian.org
Mon Nov 20 21:10:07 UTC 2017
Hi Salvatore,
On 20-11-17 21:30, Salvatore Bonaccorso wrote:
> Sorry for the delayed reply.
NP.
> Ok! Your arguing makes sense to me, and I went ahead to mark the
> issue as no-dsa for stretch and jessie.
Thanks.
> Still if upstream provides
> help in adressing any of those two issues would be great to se fixes
> at some point e.g. via a point release or picked up in a DSA as well.
Sure, will do. I am hoping that upstream will provide a patch for
CVE-2009-4112 in a reasonable time from now. Upstream has really stepped
up since the preparation of 1.x started and they were getting closer to
actually releasing it. If/once that happens, I'll make sure I'll
backport both that patch and the one for this issue, but then it is
worth the effort in my opinion.
Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-cacti-maint/attachments/20171120/b82cbb54/attachment.sig>
More information about the Pkg-cacti-maint
mailing list