[Pkg-cacti-maint] Bug#742768: Re: Regarding your cacti security report CVE-2014-2326 - 2328

Paul Gevers elbrus at debian.org
Fri Apr 4 06:56:15 UTC 2014


Hi Tony,

Just for your heads up. I was hoping to also see a fix for CVE-2014-2327
already, but I fully understand why that takes longer. Do you have any
idea how long it will take? Days, weeks, months? If the scale is bigger
than some small number of weeks, I will patch cacti in Debian already
with the fixes available.

You do know that Cacti got assigned two other CVEs for a fix you made
recently? CVE-2014-2708 and CVE-2014-2709:
http://seclists.org/oss-sec/2014/q2/15

Paul


On 03/31/14 06:46, Tony Roman wrote:
> Paul,
> 
> I created 3 bugs to fix the issues outlined.  I'm still working on
> CVE-2014-2327 as it will require a little more work to mitigate in the
> Cacti code.  As for your questions about past CVE, the currently
> reported ones are valid from the reported version to the latest.  Once I
> have resolved the issue in CVE-2014-2327, I will post patches all the
> way back to 0.8.7g to 0.8.8b.  A new release is pending release after
> testing is complete.
> 
> If you are logged into the bug system you should be able to read the
> descriptions of the issues that I added as private comments.
> 
> CVE-2014-2326 Unspecified HTML Injection Vulnerability
>   http://bugs.cacti.net/view.php?id=2431
> 
> CVE-2014-2327 Cross Site Request Forgery Vulnerability
>   http://bugs.cacti.net/view.php?id=2432
> 
> CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
>   http://bugs.cacti.net/view.php?id=2433
> 
> Tony Roman
> Cacti Developer
> 
> On 3/28/14, 3:52 AM, Paul Gevers wrote:
>> Hi,
>>
>> As the maintainer of Cacti in Debian, I received [1] your security
>> report [2] on Cacti yesterday. I have several questions.
>>
>> I didn't see any public communication with the upstream maintainers, so
>> I assume it was done in private. After releasing your CVE numbers,
>> wouldn't it have been nice to report the issues also in the bug tracker of
>> cacti, so that contributors could maybe help?
>>
>> I find your report rather vague, for one because it talks about
>> an old version of cacti (current version is 0.8.8b). How is e.g.
>> CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
>> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
>> if you found new issues? Maybe just explicitly stating the issues you found?
>>
>> Furthermore, with the current description I hardly see a difference
>> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
>>
>> To me it seems you have a new point with CVE-2014-2327 though.
>>
>> Paul Gevers.
>> Debian Cacti maintainer.
>>
>> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
>> [2] http://www.securityfocus.com/archive/1/531588
>>
