Paul, CVE-2014-2708 and CVE-2014-2709 are addressed in http://bugs.cacti.net/view.php?id=2405

Security patch for the following has been posted on the Cacti site for versions 0.8.7g to 0.8.8b:

- CVE-2014-2326 Unspecified HTML Injection Vulnerability
- CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
- CVE-2014-2708 Unspecified SQL Injection Vulnerability
- CVE-2014-2709 Unspecified Remote Command Execution Vulnerability

As for CVE-2014-2327 Cross Site Request Forgery Vulnerability, I'm still working on a solution. I have some limited time this weekend to work on this fix. But I will be on the west coast for business this next week and will have time at night to work on this fix. I plan on pushing the 0.8.8c release to address this and other minor fixes in Cacti the weekend of April 12th.

Tony

On 4/4/14, 2:56 AM, Paul Gevers wrote:
> Hi Tony,
>
> Just for your heads up. I was hoping to also see a fix for CVE-2014-2327
> already, but I fully understand why that takes longer. Do you have any
> idea how long it will take? Days, weeks, months? If the scale is bigger
> than some small number of weeks, I will patch cacti in Debian already
> with the fixes available.
>
> You do know that Cacti got assigned two other CVEs for a fix you made
> recently? CVE-2014-2708 and CVE-2014-2709:
> http://seclists.org/oss-sec/2014/q2/15
>
> Paul
>
>
> On 03/31/14 06:46, Tony Roman wrote:
>> Paul,
>>
>> I created 3 bugs to fix the issues outlined. I'm still working on
>> CVE-2014-2327 as it will require a little more work to mitigate in the
>> Cacti code. As for your questions about past CVEs, the currently
>> reported ones are valid from the reported version to the latest. Once I
>> have resolved the issue in CVE-2014-2327, I will post patches all the
>> way back to 0.8.7g to 0.8.8b. A new release is pending release after
>> testing is complete.
>>
>> If you are logged into the bug system you should be able to read the
>> descriptions of the issues that I added as private comments.
>>
>> CVE-2014-2326 Unspecified HTML Injection Vulnerability
>> http://bugs.cacti.net/view.php?id=2431
>>
>> CVE-2014-2327 Cross Site Request Forgery Vulnerability
>> http://bugs.cacti.net/view.php?id=2432
>>
>> CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
>> http://bugs.cacti.net/view.php?id=2433
>>
>> Tony Roman
>> Cacti Developer
>>
>> On 3/28/14, 3:52 AM, Paul Gevers wrote:
>>> Hi,
>>>
>>> As the maintainer of Cacti in Debian, I received [1] your security
>>> report [2] on Cacti yesterday. I have several questions.
>>>
>>> I didn't see any public communication with the upstream maintainers, so
>>> I assume it was done in private. After releasing your CVE numbers,
>>> wouldn't it have been nice to report the issues also in the bug tracker of
>>> cacti, so that contributors could maybe help?
>>>
>>> I find your report rather vague, for one because it talks about
>>> an old version of cacti (current version is 0.8.8b). How is e.g.
>>> CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
>>> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
>>> if you found new issues? Maybe just explicitly stating the issues you found?
>>>
>>> Furthermore, with the current description I hardly see a difference
>>> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
>>>
>>> To me it seems you have a new point with CVE-2014-2327 though.
>>>
>>> Paul Gevers.
>>> Debian Cacti maintainer.
>>>
>>> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
>>> [2] http://www.securityfocus.com/archive/1/531588