Re: CVE Request for cacti

[Henri Salo <henri () nerv fi>]

On Mon, 18 May 2009 17:16:50 +0200
Robert Buchholz <rbu () gentoo org> wrote:

> Hi Henri,
>
> On Friday 15 May 2009, Henri Salo wrote:
> > I would like to obtain CVE identifier for security bug[1] in
> > cacti[2]. I beleive this version of cacti is still used in some
> > servers[3][4].
> >
> > 1: http://bugs.cacti.net/view.php?id=1245
>
> The resolution indicates the bug had already been fixed at the time
> the bug was reported, thus implying it was a duplicate report of 
> CVE-2008-0783. The CVE-2008-0783 patch [1] explicitly validates 
> the 'action' variable as mentioned in the bug report.
>
> However, the original poster reported the 0.8.6i-3.4 Debian revision
> as vulnerable and according to DSA 1569-2 [2], it should not have
> been.
>
> Do you have any indication this is not covered by CVE-2008-0783?
>
>
> Robert
>
> [1] 
> http://www.cacti.net/downloads/patches/0.8.7a/multiple_vulnerabilities-0.8.7a.patch
> [2]
> http://lists.debian.org/debian-security-announce/2008/msg00144.html

I tested this using Cacti from Etch with security updates (0.8.6i-3.5)
and it seems to be fixed. Good work.

---
Henri Salo