----- Forwarded message from sean finney <[EMAIL PROTECTED]> -----

Date: Sat, 25 Jun 2005 00:09:33 -0400
From: sean finney <[EMAIL PROTECTED]>
To: Fabian Portmann <[EMAIL PROTECTED]>, Laurent Perez <[EMAIL PROTECTED]>, Dwayne Rightler <[EMAIL PROTECTED]>
Subject: updates on cacti package for sarge?

hey folks,

please excuse the group reply, but i've gotten a few of these and would like to address everything in the same mail.

yes, the version in cacti (0.8.6c-foo) is vulnerable to the exploit mentioned on cacti's page. i was contacted about this vulnerability about 4 or 5 days before the announcement came out. during this time, i prepared an upload of the latest (and security-patched) version of cacti, as well as a sarge version containing the backported security patches.

i sent the sarge update to the security team last friday (three days before the announcement), and since then have been waiting to hear something from them. i know joey is not available to help out with this because he's at linuxtag, and it's my understanding that steve is going to be doing the upload. any updates steve?

anyway at this point, you have two options:

1 - install the latest version of cacti from unstable
2 - install my patched cacti sarge package, which will be eventually superseded by the DSA

if you want to do [2], put the following in your sources.list:

    deb http://people.debian.org/~seanius/cacti ./

the version in my p.d.o repository is 0.8.6c-7sarge0, which will be superseded by 0.8.6c-7sarge1 when the security team does an update.

if you want to do [1], there shouldn't be any problems as it doesn't bring in any new dependencies etc.

so, at this point i will open a security tagged bug in the BTS to have some way of tracking the problem, as well as cc'ing the security team.

sean

----- End forwarded message -----