oss-sec mailing list archives
Re: CVE Request for cacti
From: Henri Salo <henri () nerv fi>
Date: Mon, 18 May 2009 19:32:41 +0300
On Mon, 18 May 2009 17:16:50 +0200 Robert Buchholz <rbu () gentoo org> wrote:
> Hi Henri,
>
> On Friday 15 May 2009, Henri Salo wrote:
>> I would like to obtain CVE identifier for security bug[1] in cacti[2]. I
>> believe this version of cacti is still used in some servers[3][4].
>>
>> 1: http://bugs.cacti.net/view.php?id=1245
>
> The resolution indicates the bug had already been fixed at the time the bug
> was reported, thus implying it was a duplicate report of CVE-2008-0783. The
> CVE-2008-0783 patch [1] explicitly validates the 'action' variable as
> mentioned in the bug report. However, the original poster reported the
> 0.8.6i-3.4 Debian revision as vulnerable and according to DSA 1569-2 [2], it
> should not have been.
>
> Do you have any indication this is not covered by CVE-2008-0783?
>
> Robert
>
> [1] http://www.cacti.net/downloads/patches/0.8.7a/multiple_vulnerabilities-0.8.7a.patch
> [2] http://lists.debian.org/debian-security-announce/2008/msg00144.html

I tested this using Cacti from Etch with security updates (0.8.6i-3.5) and it seems to be fixed. Good work.

---
Henri Salo