Package: cacti
Version: 0.8.7b-2.1+lenny2
Tags: security
Severity: critical

The producers of cacti have reported multiple high-threat security
vulnerabilities in this version of cacti. Relevant release notes for
v0.8.7f below:

    http://www.cacti.net/release_notes_0_8_7f.php

    Important Security Fixes
      - SQL injection and shell escaping issues reported by Bonsai
        Information Security (http://www.bonsai-sec.com)
      - Cross-site scripting issues reported by VUPEN Security
        (http://www.vupen.com)
      - MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability
        (http://php-security.org)

MOPS-2010-023 reports that versions of cacti prior to and including
0.8.7e are vulnerable to this attack. The changelog for this version of
cacti is dated prior to the release of the MOPS-2010-023 vulnerability,
which suggests that 0.8.7b-2.1+lenny2 may still be vulnerable.

I note that the last security change was in templates_export.php; the
new threat is in graph.php, so I suspect this hole was not closed in the
last security backport.