sean finney wrote:
> another update,
>
> the security release for cacti has been delayed due to complications
> backporting the security fix into the version in woody, which is a major
> release (and rewrite) behind the versions in sarge and sid.
>
> joey from the security team provided an initial attempt at backporting
> the backport to woody, but unfortunately it was not sufficient to
> completely address the vulnerability. it also did not include fixes for
> the second set of vulnerabilities released by the hardened-php project.
>
> having spent more time hacking on it than i'd have liked, i've now
> produced a new version of the backport, which i believe should address
> all of the relevant security issues.
>
> it can be found at the following uris:
>
> deb http://people.debian.org/~seanius/cacti/woody ./
> deb-src http://people.debian.org/~seanius/cacti/woody ./
>
> all this said, i think it should be strongly emphasized that upstream
> is no longer supporting the woody version of cacti and does not provide
> updates for it, and users should be advised to upgrade to at least the
> version in sarge ASAP. i'm also not convinced that there aren't other
> security issues in the woody version, but can at least feel reasonably
> comfortable that of the recently published vulnerabilities woody's cacti
> should be okay with this new revision.
>
> joey, mike, et al: is there anything else you need from me?
I guess we're facing a severe problem here. Even though you say that my fixes were not sufficient, you have ***removed*** a fair amount of the patches I've applied after reading the code that uses unsanitised variables. I now see that you've placed sanitising into the config file entirely; it would have been nice to note this.

Additionally, you seem to be using get_request_var only, which uses the $_GET array but not the $_REQUEST array, and hence can be bypassed by POST or cookie input if I am not mistaken. This was not the case in the version I sent you.

In addition to that, you also clutter sanitize.php with sanitising variables that aren't even used. That's not ok.

Regards,

Joey

PS: ... and the distribution needs to be set to oldstable-security

-- 
Reading is a lost art nowadays.

-- 
Michael Weber
Please always Cc to me when replying to me on the lists.
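The $_GET-versus-$_REQUEST point raised above, shown as an added illustration that is not cacti's code, nor code from either poster: the helper names `sanitise_get_only` and `validate_request_var` are hypothetical, the request values are constructed, and the script assumes PHP's default behaviour of folding GET, POST and cookie data into $_REQUEST (later sources overriding earlier ones). It shows why a sanitiser that only inspects $_GET leaves a value read through $_REQUEST unchecked, and what a variant that covers every source looks like.

```php
<?php
// Added example, not part of the original thread or of cacti.
// Constructed sample request: the benign copy of the parameter arrives in
// the query string, the unexpected copy arrives in the POST body (a cookie
// would behave the same way).
$_GET     = array('graph_id' => '42');
$_POST    = array('graph_id' => '42; DROP TABLE graphs');   // constructed
$_COOKIE  = array();
// Mimic how PHP builds $_REQUEST by default: GET, then POST, then cookies,
// with later sources overriding earlier ones.
$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);

// Hypothetical helper in the style the thread describes: it only looks at
// $_GET, so the POST/cookie copies of the same name are never touched.
function sanitise_get_only($name) {
    if (isset($_GET[$name])) {
        $_GET[$name] = preg_replace('/[^0-9]/', '', $_GET[$name]);
    }
}

// Hypothetical hardened variant: check every superglobal that feeds
// $_REQUEST against an allow-list pattern, and reject the request outright
// instead of silently stripping characters. Returns true if all copies of
// the parameter are acceptable, false otherwise.
function validate_request_var($name, $pattern) {
    foreach (array('_GET', '_POST', '_COOKIE', '_REQUEST') as $src) {
        if (isset($GLOBALS[$src][$name]) && !preg_match($pattern, $GLOBALS[$src][$name])) {
            return false;
        }
    }
    return true;
}

sanitise_get_only('graph_id');
echo "after GET-only sanitising, \$_GET['graph_id']     = ", $_GET['graph_id'], "\n";
echo "after GET-only sanitising, \$_REQUEST['graph_id'] = ", $_REQUEST['graph_id'], "\n";
// The $_REQUEST copy still carries the injected text: any code that reads
// $_REQUEST (or $_POST) after the "sanitising" step sees the raw value.

$ok = validate_request_var('graph_id', '/^[0-9]+$/');
echo "validate_request_var over all sources: ", ($ok ? "accepted" : "rejected"), "\n";
// Rejected, because the POST copy does not match the numeric allow-list.
```

The practical lesson for reviewing a backport like this one is to trace every read site: if the consuming code reads $_REQUEST or $_POST anywhere, a sanitiser keyed on $_GET (or a config-file include that rewrites only one superglobal) does not close the hole, and a positive allow-list check applied at the point of use is easier to verify than a global rewrite of superglobals.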