Your message dated Mon, 25 Dec 2023 20:49:36 +0000
with message-id <e1rhrti-00hv8i...@fasolo.debian.org>
and subject line Bug#1059254: fixed in cacti 1.2.26+ds1-1
has caused the Debian Bug report #1059254,
regarding cacti: CVE-2023-49084 CVE-2023-49086
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1059254: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059254
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cacti
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for cacti.

CVE-2023-49084[0]:
| Cacti is a robust performance and fault management framework and a
| frontend to RRDTool - a Time Series Database (TSDB). While using the
| detected SQL Injection and insufficient processing of the include
| file path, it is possible to execute arbitrary code on the server.
| Exploitation of the vulnerability is possible for an authorized
| user. The vulnerable component is the `link.php`. Impact of the
| vulnerability - execution of arbitrary code on the server.

https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc

CVE-2023-49086[1]:
| Cacti is a robust performance and fault management framework and a
| frontend to RRDTool - a Time Series Database (TSDB). Bypassing an
| earlier fix (CVE-2023-39360) that leads to a DOM XSS attack.
| Exploitation of the vulnerability is possible for an authorized
| user. The vulnerable component is the `graphs_new.php`. Impact of
| the vulnerability - execution of arbitrary javascript code in the
| attacked user's browser. This issue has been patched in version
| 1.2.26.

https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr

I think
https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
should address both, but please double-check.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49084
    https://www.cve.org/CVERecord?id=CVE-2023-49084
[1] https://security-tracker.debian.org/tracker/CVE-2023-49086
    https://www.cve.org/CVERecord?id=CVE-2023-49086

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: cacti
Source-Version: 1.2.26+ds1-1
Done: Paul Gevers <elb...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <elb...@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 24 Dec 2023 21:46:33 +0100
Source: cacti
Architecture: source
Version: 1.2.26+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-ma...@lists.alioth.debian.org>
Changed-By: Paul Gevers <elb...@debian.org>
Closes: 1059254 1059286
Changes:
 cacti (1.2.26+ds1-1) unstable; urgency=medium
 .
   * postinst/postrm: ensure DEBHELPER content is always run
   * New upstream version 1.2.26+ds1
     Fixes the following vulnerabilities: CVE-2023-49084, CVE-2023-49085,
     CVE-2023-49086, CVE-2023-49088 CVE-2023-46490, CVE-2023-51448 and
     CVE-2023-50250 (Closes: #1059254, #1059286)
   * font-awesom-path.patch: refresh
   * Depends on node-dompurify and link purify.js instead of using upstream
     vendored version
Checksums-Sha1:
 da4aed01ee4a13d52cbfcd0f12348e4b74bce0d3 2231 cacti_1.2.26+ds1-1.dsc
 f5d11a7a734889eb41660d2717f1165b8f2e8d7f 24214045 
cacti_1.2.26+ds1.orig-docs-source.tar.gz
 64e1d3bf34784c1500f3181d5caab45ef289a35c 10834472 cacti_1.2.26+ds1.orig.tar.gz
 7f880149edd7e5668489a5638784b7873bdd38d4 57492 cacti_1.2.26+ds1-1.debian.tar.xz
Checksums-Sha256:
 e97c500888ceb1d076734a8e94d7ca37d6ccf6dde6990dff560fb35715d0e38f 2231 
cacti_1.2.26+ds1-1.dsc
 6913e0dbeb8f63c133e310d86b02351170cebcfb5350b341c5e5b90fda9257dd 24214045 
cacti_1.2.26+ds1.orig-docs-source.tar.gz
 0e96f66dbb77e8a43896be7627746353400a2cfcca185b89231d821cfb92fb65 10834472 
cacti_1.2.26+ds1.orig.tar.gz
 0491878922a2bfff4598bcfcf10577d35d0e2da62582c3d468eec7d7bb81bfe5 57492 
cacti_1.2.26+ds1-1.debian.tar.xz
Files:
 c95590ff6fca61bd640bf57abda37564 2231 web optional cacti_1.2.26+ds1-1.dsc
 5c242ea7e3cc30be24ce1c52829ff067 24214045 web optional 
cacti_1.2.26+ds1.orig-docs-source.tar.gz
 c67367112f465dce7a2d0dd2b2dbb953 10834472 web optional 
cacti_1.2.26+ds1.orig.tar.gz
 3acc85905d1d2caf70f34ddbde4d8abb 57492 web optional 
cacti_1.2.26+ds1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmWJ5fwACgkQnFyZ6wW9
dQqKuAf+Mk4JjcSR1PFTGMN/NYMpGFyJqoxUF8spQyaen4occVhMHDwhQaMhiwRW
mT/bYYU3qnJrnBEy36W8DC6QoB7o6RqECPGt9yRSk7ieNNfN10L7d655ZzPVrM+G
YFFT1n+9Se+de6NJ2lEEvaBO5s+xsegmm2e72UOMu4ncC/am2vWRrhnEtmYT6SyZ
NqgKdHTZdjnBWh8yDE9xYDq8wfe7vg1xAg9hWWdZ6rBRnLYau2DflOfWlZUYjgIU
nvjpifM34R+FIu86Tl9dm/rr32IJkC2JUsXCgg4rdUe24MxifzgUJVh9VStKKJ7N
LOtNIWgnePYxEv8upCXZUByNgaSAfw==
=gTzz
-----END PGP SIGNATURE-----

--- End Message ---
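The closing message above carries the signed .changes record for 1.2.26+ds1-1, with its Checksums-Sha1, Checksums-Sha256 and Files stanzas. The following Python is an added example and not code from Debian, dpkg-dev or the cacti package: it parses those three stanzas and checks each named file's size and all three digests against the files on disk, the verification an archive or mirror consumer performs after checking the PGP signature. The file names, contents and hashes in the sample are constructed for the demo and are not the real artefacts listed above.

```python
"""Verify the Checksums-Sha1 / Checksums-Sha256 / Files stanzas of a Debian
.changes file against files on disk. Illustrative code, not part of dpkg-dev
or the cacti package; the sample files, names and hashes are constructed."""
import hashlib
import os
import tempfile

# .changes field name -> hashlib algorithm used in that stanza
STANZAS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}


def parse_changes(text):
    """Return {algo: {filename: (hexdigest, size)}} for the three hash stanzas.

    Continuation lines are "<hash> <size> <name>" for Checksums-* and
    "<md5> <size> <section> <priority> <name>" for Files; the name is always
    the last token, so both shapes parse the same way. Continuation lines of
    other fields (e.g. Changes:) are skipped.
    """
    parsed = {algo: {} for algo in STANZAS.values()}
    current = None
    for line in text.splitlines():
        if line.startswith(" "):
            if current is None:
                continue
            parts = line.split()
            if len(parts) >= 3:
                parsed[current][parts[-1]] = (parts[0].lower(), int(parts[1]))
        elif ":" in line:
            current = STANZAS.get(line.split(":", 1)[0])
        else:
            current = None  # blank line or PGP armour ends the stanza
    return parsed


def verify_changes(text, directory):
    """Check every file named in any hash stanza of the .changes file.

    Returns {filename: [problem, ...]}; an empty list means the size and all
    three digests match. A file missing from one stanza is reported too.
    """
    expected = parse_changes(text)
    names = set().union(*(table.keys() for table in expected.values()))
    report = {}
    for name in sorted(names):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = ["missing on disk"]
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        problems = []
        for algo, table in expected.items():
            if name not in table:
                problems.append(f"no {algo} entry")
                continue
            want_digest, want_size = table[name]
            if len(data) != want_size:
                problems.append(f"size {len(data)} != {want_size}")
            if hashlib.new(algo, data).hexdigest() != want_digest:
                problems.append(f"{algo} mismatch")
        report[name] = problems
    return report


def build_changes(files):
    """Emit the three hash stanzas for {filename: bytes} (constructed sample)."""
    lines = ["Format: 1.8", "Source: cacti", "Checksums-Sha1:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha1(data).hexdigest()} {len(data)} {name}")
    lines.append("Checksums-Sha256:")
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Files:")
    for name, data in files.items():
        lines.append(f" {hashlib.md5(data).hexdigest()} {len(data)} web optional {name}")
    return "\n".join(lines) + "\n"


def demo():
    """Write two constructed artefacts, tamper with one, and verify both."""
    files = {  # hypothetical names, not the real cacti upload
        "cacti_0.0+ds1-1.dsc": b"Format: 3.0 (quilt)\nSource: cacti\n",
        "cacti_0.0+ds1.orig.tar.gz": b"constructed tarball bytes\n",
    }
    changes = build_changes(files)
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        # Same length, different content: the size check passes, digests must not.
        with open(os.path.join(tmp, "cacti_0.0+ds1.orig.tar.gz"), "wb") as fh:
            fh.write(b"constructed tarball BYTES\n")
        return verify_changes(changes, tmp)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

The size check alone is not a guard (the tampered tarball keeps its length), which is why all three digests are compared; in practice the SHA-256 stanza is the one that matters, and the MD5 in Files is retained only because the format still carries it.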
