hi fabrice,

On Mon, 2007-01-08 at 22:06 +0100, CAHEN Fabrice wrote:
> Happy new year, and happy new bugs :(

yeah, really...

> See http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.001.html
> for more, but there is a *_serious_* vulnerability in all versions of
> Cacti (cmd.php).
> Is there a fix coming ? or should i find a temporary solution (eg:
> restrict remote access to cmd.php, and remount the /tmp with the noexec
> option ?)

there's an open bug about this in the debian bts (i'm cc'ing it now). my answer is that i'm currently on vacation and don't foresee having the time to look into this issue for another week or so:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404818

i think for an immediate fix, you should throw together an apache configuration that restricts remote access to the files in question. we have a volunteer in the BR that has stated he'll take a look at digging up a fix, though i'll prompt some of the debian-security folks to see if anyone else has enough free time to address this more fully too.

as i stated in the BR, the real fix would be to not have this stuff web-accessible at all...

sean
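The stop-gap sean describes (an apache configuration that blocks remote access to cmd.php until a patched package is available), written out as an added example that is not part of the original thread or of the Debian cacti package; the document root path `/usr/share/cacti/site` is an assumption, and the rule is shown in Apache 2.2 syntax, which is what was current in 2007:

```apache
# Added example, not from the mailing-list post or the cacti package.
# Assumption: cacti's web files live under /usr/share/cacti/site; adjust
# the path to wherever the package installs them on your host.
#
# cmd.php is a poller script meant to be run by cron, not fetched over
# HTTP, so nothing is lost by denying web access to it entirely.
<Directory /usr/share/cacti/site>
    <Files "cmd.php">
        # Apache 2.2 access control: deny everyone, then allow only the
        # loopback address (the poller runs locally via cron, not via HTTP).
        # On Apache 2.4 replace these three lines with:  Require local
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Files>
</Directory>
```

After editing the config, run `apache2ctl configtest` and reload, then confirm from an outside host that `http://<server>/cacti/cmd.php` returns 403 while the cron poller keeps producing fresh RRD data.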