[Secure-testing-team] Bug#561339: CVE-2009-4112: arbitrary command execution
Steffen Joeris
steffen.joeris at skolelinux.de
Wed Dec 16 11:40:03 UTC 2009
Package: cacti
Severity: grave
Tags: security
Hi Sean,

The following CVE (Common Vulnerabilities & Exposures) id was
published for cacti.
CVE-2009-4112[0]:
| Cacti 0.8.7e and earlier allows remote authenticated administrators to
| gain privileges by modifying the "Data Input Method" for the "Linux -
| Get Memory Usage" setting to contain arbitrary commands.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
As discussed with upstream, please make sure that there is a whitelist
policy in place for squeeze.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4112
http://security-tracker.debian.org/tracker/CVE-2009-4112
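An added example, not from this bug report or from Cacti itself, of the kind of whitelist policy the report asks for: a check that accepts a data input method's command string only when it runs a script inside the configured Cacti scripts directory, optionally through a known interpreter, with plain literal or `<field>` arguments, and rejects anything carrying shell syntax or a path that escapes that directory. The paths, interpreter list and sample commands are assumed values.

```python
import os
import re
import shlex

# Constructed settings for this example (assumed paths, not Cacti's real config).
CACTI_ROOT = "/usr/share/cacti/site"
SCRIPT_DIR = os.path.join(CACTI_ROOT, "scripts")
ALLOWED_INTERPRETERS = {"perl", "php", "sh", "python"}
ALLOWED_EXTENSIONS = {".pl", ".php", ".sh", ".py"}
# Path placeholders that the Cacti poller expands before running the command.
PATH_PLACEHOLDERS = {"<path_cacti>": CACTI_ROOT, "<path_php_binary>": "/usr/bin/php"}
INPUT_FIELD = re.compile(r"^<[a-z_]+>$")       # input-field placeholder, e.g. <grepstr>
PLAIN_ARG = re.compile(r"^[\w.:/%=-]+$")       # literal argument without shell syntax
SHELL_META = re.compile(r"[;&|`$()\n\\]")      # anything that chains or substitutes commands

def _is_allowed_interpreter(token):
    head, name = os.path.split(token)
    return name in ALLOWED_INTERPRETERS and head in ("", "/usr/bin")

def check_input_string(input_string):
    """Return (True, "") if a data input method's command string passes the
    whitelist, else (False, reason).  Accepted shape: [interpreter] script args...
    with the script inside SCRIPT_DIR and each argument a literal or <field>."""
    expanded = input_string
    for tag, value in PATH_PLACEHOLDERS.items():
        expanded = expanded.replace(tag, value)
    if SHELL_META.search(expanded):
        return False, "shell metacharacter in command"
    try:
        argv = shlex.split(expanded)
    except ValueError as exc:
        return False, "unparseable command: %s" % exc
    if not argv:
        return False, "empty command"
    script_idx = 1 if _is_allowed_interpreter(argv[0]) else 0
    if script_idx >= len(argv):
        return False, "interpreter without a script"
    # normpath defeats ../ escapes; symlinks would need realpath on the live host.
    script = os.path.normpath(argv[script_idx])
    if not script.startswith(SCRIPT_DIR + os.sep):
        return False, "script outside %s" % SCRIPT_DIR
    if os.path.splitext(script)[1] not in ALLOWED_EXTENSIONS:
        return False, "script type not allowed"
    for arg in argv[script_idx + 1:]:
        if not (INPUT_FIELD.match(arg) or PLAIN_ARG.match(arg)):
            return False, "argument %r not allowed" % arg
    return True, ""
```

Run the check when an administrator saves a data input method; the stock `perl <path_cacti>/scripts/linux_memory.pl <grepstr>` passes, while the same string with a trailing `;` clause or a `../` path is refused with a reason.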