Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 The fix for CVE-2016-2313 in 0.8.8b+dfsg-8+deb8u5 was reported¹ to contain a regression. The attached debdiff contains the reporter's patch that was accepted upstream to fix the issue. Can I upload to jessie-proposed-updates? ¹ https://lists.debian.org/debian-lts/2016/07/msg00164.html http://bugs.cacti.net/view.php?id=2697 - -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (500, 'testing'), (60, 'unstable'), (50, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJXzIMJAAoJEJxcmesFvXUKbwwH/itoIFNHgzxJPhcRhPmfhqbc dYR6ZP5KSppLFRO4JLLVRzfsgESXA/WwVIyuN1xQQD+j74LabDVFE8F4fRoojwG3 +iTd3KNOcOm3PCtFSlpI+lGlTV+aKb6rfIH7bBdo8wZSVOEAsarCxg0iIoRQdc4H UdSikfNRtOQMTlMnVQfVtKIEMD0DwsbtfRZGfSqpq31uUkbR8/rIAdtqZRBiUcuE Mgz4VdzC2SnRl6GazxWMWGPZ0VBcOCaq5d2AvfUxevGP+m3kPwLkd/LqmJLCBaGf jQq+hsRBJ3x+SV2tyO0VD0P73r+1YOv5ztxlBRb8xZKi3w4kpQIH23NhrnHAxpY= =Fm8h -----END PGP SIGNATURE-----
diff -Nru cacti-0.8.8b+dfsg/debian/changelog cacti-0.8.8b+dfsg/debian/changelog
--- cacti-0.8.8b+dfsg/debian/changelog 2016-07-09 20:26:32.000000000 +0200
+++ cacti-0.8.8b+dfsg/debian/changelog 2016-09-04 21:38:05.000000000 +0200
@@ -1,3 +1,12 @@
+cacti (0.8.8b+dfsg-8+deb8u6) jessie-proposed-updates; urgency=medium
+
+ [ Emilio Pozuelo Monfort ]
+ * CVE-2016-2313-guest-auth.patch:
+ + Fix regression in the fix for CVE-2016-2313 that broke guest user
+ logins. Thanks to Matus Uhlar for the report.
+
+ -- Paul Gevers <elb...@debian.org> Sun, 04 Sep 2016 21:37:36 +0200
+
 cacti (0.8.8b+dfsg-8+deb8u5) jessie-proposed-updates; urgency=medium
 [ Emilio Pozuelo Monfort ]
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch 1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch 2016-09-04 21:31:56.000000000 +0200
@@ -0,0 +1,27 @@
+From 69983495cd41bf0903fe02baeef84b1fa85f2846 Mon Sep 17 00:00:00 2001
+From: cigamit <ji...@sqmail.org>
+Date: Sun, 14 Aug 2016 14:21:11 -0500
+Subject: [PATCH] fixing bug #2697
+
+web basic for guest accounts
+---
+ auth_login.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/auth_login.php
++++ b/auth_login.php
+@@ -86,10 +86,11 @@
+ /* Locate user in database */
+ $user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2");
+
+- if (!$user && read_config_option('user_template') == '0') {
+- cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User is not defined in Cacti. Exiting.", false, 'AUTH');
++ if (!$user && read_config_option('user_template') == '0' && read_config_option('guest_user') == '0') {
++ cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but both Template and Guest Users are not defined in Cacti. Exiting.", false, 'AUTH');
++
+ $username = htmlspecialchars($username);
+- auth_display_custom_error_message("$username authenticated by Web Server, but a Template User is not defined in Cacti.");
++ auth_display_custom_error_message("$username authenticated by Web Server, but a Template User and a Guest User are not defined in Cacti.");
+ exit;
+ }
diff -Nru cacti-0.8.8b+dfsg/debian/patches/series cacti-0.8.8b+dfsg/debian/patches/series
--- cacti-0.8.8b+dfsg/debian/patches/series 2016-07-09 20:04:07.000000000 +0200
+++ cacti-0.8.8b+dfsg/debian/patches/series 2016-09-04 21:31:56.000000000 +0200
@@ -31,3 +31,4 @@
 CVE-2016-3172-sql-injection.patch
 CVE-2016-3659-sql-injection.patch
 CVE-2016-2313-authentication-bypass.patch
+CVE-2016-2313-guest-auth.patch
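Review bot: The relaxed guard on the `if (!$user && read_config_option('user_template') == '0' && read_config_option('guest_user') == '0')` line now lets execution continue past the early `exit` when no user_auth row matched and no template user is configured but a guest user is; the code that must then fall back to the guest account, rather than trying to provision the unknown web-server-authenticated user from template id '0', sits below this hunk in auth_login.php and is not shown, so it should be confirmed that the guest path is actually reached there and that the template-copy branch stays gated on `user_template` being non-zero. The two new messages would read more precisely as `"... but neither a Template User nor a Guest User is defined in Cacti."`, which also mirrors the condition. As a Debian patch file, CVE-2016-2313-guest-auth.patch carries only the git `From:` line and no DEP-3 headers; adding `Origin: upstream, 69983495cd41bf0903fe02baeef84b1fa85f2846` and `Bug: http://bugs.cacti.net/view.php?id=2697` at the top would record where the change comes from and why it exists. The enclosing block around auth_login.php line 86 begins and ends outside the hunk.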