Your message dated Sun, 08 Mar 2020 22:04:22 +0000
with message-id <e1jb422-000hq6...@fasolo.debian.org>
and subject line Bug#951832: fixed in cacti 1.2.10+ds1-1
has caused the Debian Bug report #951832,
regarding cacti: CVE-2020-8813
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
951832: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951832
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cacti
Version: 1.2.9+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for cacti.
CVE-2020-8813[0]:
| graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute
| arbitrary OS commands via shell metacharacters in a cookie, if a guest
| user has the graph real-time privilege.
It is said to the reporter that upstream is aware and did already fix it;
do you have a reference to the upstream commit?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-8813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8813
[1] https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129
[2] https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
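The CVE text quoted in the report above describes the general defect class: a value taken from a cookie is placed into an OS command string, so shell metacharacters in the cookie change what the shell runs. The following PHP is an added illustration of that pattern and of the defensive handling, not Cacti's code and not the upstream fix (the fix on this page is the upgrade to 1.2.10); the cookie name `rt_interval`, the `/usr/local/bin/poller` path and the 1-300 range are assumptions chosen for the example.

```php
<?php
// Added illustration, not Cacti code. Cookie name "rt_interval", the poller
// path and the accepted range are hypothetical values chosen for the example.

// Vulnerable pattern: the cookie value is concatenated straight into a shell
// command string, so any shell metacharacter it contains is interpreted by
// the shell rather than passed to the program as data.
function unsafe_build_command(array $cookies): string
{
    return '/usr/local/bin/poller --interval=' . ($cookies['rt_interval'] ?? '');
}

// Hardened pattern: treat the cookie as untrusted input. First reject anything
// that is not exactly what the parameter is supposed to be (an allow-list, not
// a block-list of "bad characters"), then quote the surviving value so the
// shell sees a single literal argument even if validation is later loosened.
function safe_build_command(array $cookies): string
{
    $raw = $cookies['rt_interval'] ?? '';
    if (preg_match('/^[0-9]{1,3}$/', $raw) !== 1) {
        throw new InvalidArgumentException('rt_interval must be 1 to 3 digits');
    }
    $interval = (int) $raw;
    if ($interval < 1 || $interval > 300) {
        throw new InvalidArgumentException('rt_interval out of range 1-300');
    }
    return '/usr/local/bin/poller --interval=' . escapeshellarg((string) $interval);
}

// Constructed sample inputs: a normal cookie and one carrying shell metacharacters.
$benign  = ['rt_interval' => '5'];
$hostile = ['rt_interval' => '5; id'];

echo unsafe_build_command($benign), "\n";   // /usr/local/bin/poller --interval=5
echo unsafe_build_command($hostile), "\n";  // the text after ';' becomes a second shell command
echo safe_build_command($benign), "\n";     // /usr/local/bin/poller --interval='5'
try {
    safe_build_command($hostile);           // never reaches the shell
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The allow-list check does the real work; `escapeshellarg()` is defence in depth. The privilege condition in the CVE ("if a guest user has the graph real-time privilege") is a reminder that the exposure of such code depends on which users can reach the page at all, so reviewing guest permissions is a reasonable interim measure while the upgrade is scheduled.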
--- Begin Message ---
Source: cacti
Source-Version: 1.2.10+ds1-1
Done: Paul Gevers <elb...@debian.org>
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 951...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Gevers <elb...@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 08 Mar 2020 21:26:46 +0100
Source: cacti
Architecture: source
Version: 1.2.10+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-ma...@lists.alioth.debian.org>
Changed-By: Paul Gevers <elb...@debian.org>
Closes: 951832
Changes:
cacti (1.2.10+ds1-1) unstable; urgency=medium
.
* New upstream version 1.2.10
CVE-2020-8813 graph_realtime.php allows remote attackers to execute
arbitrary OS commands via shell metacharacters in a cookie, if a guest
user has the graph real-time privilege (Closes: 951832)
Checksums-Sha1:
38fdf3900f9b181c84a103cffe45aff2b00df8b2 2116 cacti_1.2.10+ds1-1.dsc
ddd070c46c0124d63a0f4a9b914bfc87745f12b6 13511964 cacti_1.2.10+ds1.orig-docs-source.tar.gz
e42e6ffe5ee39acbb9bdbc5bcea397422aacbb64 7231135 cacti_1.2.10+ds1.orig.tar.gz
a974397440ab24950f6932a31052dd330d7cca9c 53680 cacti_1.2.10+ds1-1.debian.tar.xz
Checksums-Sha256:
901e2bbbd41efe12ca50a31c8c1ae0e859d40f9103620ad0be59c2080ce6f9e1 2116 cacti_1.2.10+ds1-1.dsc
c7ba40c9dcb18c1775e7a9a453a6c1b715ef7c643ebb84719d7cdf8cc8038087 13511964 cacti_1.2.10+ds1.orig-docs-source.tar.gz
6d074f216b130251407e7b4ce8854d57064b7f927cd7a990062c06a207b1fe58 7231135 cacti_1.2.10+ds1.orig.tar.gz
bc728f0632b44da61e0b833312ef45d0311b8f937c5e28a804cf6949a0e6f55a 53680 cacti_1.2.10+ds1-1.debian.tar.xz
Files:
498024f83a038343f702ab2848b38a6b 2116 web optional cacti_1.2.10+ds1-1.dsc
e10e5769f04ac3ffcf7902af53741748 13511964 web optional cacti_1.2.10+ds1.orig-docs-source.tar.gz
f2a3d9849ac12ca11785acf30817e959 7231135 web optional cacti_1.2.10+ds1.orig.tar.gz
0b5412196b7067c1e0aaaf51b03898ae 53680 web optional cacti_1.2.10+ds1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAl5lWu0ACgkQnFyZ6wW9
dQoxqQf9Fb518ifRjgJahCCEfAyTJojlMBbcu6AyfmrC5XmAcghW5WIZaua1Hwh1
kVY7GdNla22b/yQT+LRDAqcf86ZHY/23U0A5KP8Ccjff+r/gX0Fa9zvNUxofbant
hqaypaJK5q8jkcYxFjB+bOxbebpof0wv9WbddblLvI7Ug5MpJ1Mh7kDFjLcKA3LU
xcReTBk27SpP86o6duYYEci8I8PuiahR0KpXMnGb2z2ESC+/OS1Sy3rCyBGEOKl8
AT/XwvkJFf0Mapcvg1M2BqcI7nx1UZW0LU91iYLxcbj9L67Pm9KIG4YO7Qf5B5Yx
k0V/qR2bp7FWsiij+uURih95x2ZpJg==
=uthY
-----END PGP SIGNATURE-----
--- End Message ---