Paul, I created 3 bugs to fix the issues outlined. I'm still working on CVE-2014-2327 as it will require a little more work to mitigate in the Cacti code. As for your questions about past CVE, the currently reported ones are valid from the reported version to the latest. Once I have resolved the issue in CVE-2014-2327, I will post patches all the way back to 0.8.7g to 0.8.8b. A new release is pending release after testing is complete.
If you are logged into the bug system you should be able to read the descriptions of the issues that I added as private comments.

CVE-2014-2326 Unspecified HTML Injection Vulnerability
http://bugs.cacti.net/view.php?id=2431

CVE-2014-2327 Cross Site Request Forgery Vulnerability
http://bugs.cacti.net/view.php?id=2432

CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
http://bugs.cacti.net/view.php?id=2433

Tony Roman
Cacti Developer

On 3/28/14, 3:52 AM, Paul Gevers wrote:
> Hi,
>
> As the maintainer of Cacti in Debian, I received [1] your security
> report [2] on Cacti yesterday. I have several questions.
>
> I didn't see any public communication with the upstream maintainers, so
> I assume it was done in private. After releasing your CVE numbers,
> wouldn't it have been nice to report the issues also in the bug tracker of
> cacti, so that contributors could maybe help?
>
> I find your report rather vague, for one because it talks about
> an old version of cacti (current version is 0.8.8b). How is e.g.
> CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
> if you found new issues? Maybe just explicitly state the issues you found?
>
> Furthermore, with the current description I hardly see a difference
> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
>
> To me it seems you have a new point with CVE-2014-2327 though.
>
> Paul Gevers.
> Debian Cacti maintainer.
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
> [2] http://www.securityfocus.com/archive/1/531588