Debian Bug report logs - #452085
cacti: CVE-2007-6035 sql injection

version graph

Package: cacti; Maintainer for cacti is Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>; Source for cacti is src:cacti.

Reported by: Rafal Krypa <debian@iceberg.pl>

Date: Tue, 20 Nov 2007 10:27:01 UTC

Severity: grave

Tags: patch, security

Found in version cacti/0.8.7-1

Fixed in version cacti/0.8.7a-1

Done: Sean Finney <seanius@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, sean finney <seanius@debian.org>:
Bug#452085; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to Rafal Krypa <debian@iceberg.pl>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Rafal Krypa <debian@iceberg.pl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: New upstream release (0.8.7a) with important security fix
Date: Tue, 20 Nov 2007 11:09:26 +0100
Package: cacti
Version: 0.8.7-1
Severity: grave
Tags: security
Justification: user security hole

Quoting release notes (http://www.cacti.net/release_notes_0_8_7a.php):

Release Notes - 0.8.7a

Important Security Fixes

  * Possible SQL injection issue was resolved.

Important Bug Fixes

   * Additional support for RRDTool graph minimum and maximum Y-axis
   * limits added for RRDTool 1.2.x.
   * Support for opacity and alpha added for RRDTool 1.2.x.
   * Support for si units with logarithmic scaling added for
   * RRDtool 1.2.x
   * Fixed issues with cron interval detection that was causing
     issues with polling intervals less than 5 minutes.
   * User manager now allows usernames with spaces and dashes.

Upgrade Notes

   From the release of 0.8.7 and forward Cactid will now be
   known as Spine. If you are currently using Cactid, you will
   need to download and install Spine.




Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#452085; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #10 received at 452085@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 452085@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#452085: cacti: New upstream release (0.8.7a) with important security fix
Date: Tue, 20 Nov 2007 15:03:00 +0100
tags 452085 + patch
thanks

Hi Sean,
* Rafal Krypa <debian@iceberg.pl> [2007-11-20 13:31]:
> Package: cacti
> Version: 0.8.7-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Quoting release notes (http://www.cacti.net/release_notes_0_8_7a.php):
> 
> Release Notes - 0.8.7a
> 
> Important Security Fixes
> 
>   * Possible SQL injection issue was resolved.
[...] 
You can find a patch for this on:
http://www.cacti.net/downloads/patches/0.8.7/sec_sql_injection-0.8.7.patch

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 20 Nov 2007 14:03:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#452085; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #17 received at 452085@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 452085@bugs.debian.org
Subject: Re: Bug#452085: cacti: New upstream release (0.8.7a) with important security fix
Date: Tue, 20 Nov 2007 16:21:31 +0100
Hi Sean,
CVE-2007-6035 was assigned to this, please include it in 
your changelog.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Changed Bug title to `cacti: CVE-2007-6035 sql injection' from `cacti: New upstream release (0.8.7a) with important security fix'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 20 Nov 2007 15:21:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#452085; Package cacti. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #24 received at 452085@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 452085@bugs.debian.org
Subject: Re: Bug#452085: cacti: New upstream release (0.8.7a) with important security fix
Date: Tue, 20 Nov 2007 16:43:28 +0100
[Message part 1 (text/plain, inline)]
Attached is an NMU proposal for this bug which fixes it, 
just in case you won't have the time to fix it.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/cacti-0.8.7-1_0.8.7-1.1.patch

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[cacti-0.8.7-1_0.8.7-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Sean Finney <seanius@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Rafal Krypa <debian@iceberg.pl>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #29 received at 452085-close@bugs.debian.org (full text, mbox):

From: Sean Finney <seanius@debian.org>
To: 452085-close@bugs.debian.org
Subject: Bug#452085: fixed in cacti 0.8.7a-1
Date: Tue, 20 Nov 2007 17:32:03 +0000
Source: cacti
Source-Version: 0.8.7a-1

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive:

cacti_0.8.7a-1.diff.gz
  to pool/main/c/cacti/cacti_0.8.7a-1.diff.gz
cacti_0.8.7a-1.dsc
  to pool/main/c/cacti/cacti_0.8.7a-1.dsc
cacti_0.8.7a-1_all.deb
  to pool/main/c/cacti/cacti_0.8.7a-1_all.deb
cacti_0.8.7a.orig.tar.gz
  to pool/main/c/cacti/cacti_0.8.7a.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 452085@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Finney <seanius@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 20 Nov 2007 18:20:13 +0100
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7a-1
Distribution: unstable
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Sean Finney <seanius@debian.org>
Description: 
 cacti      - Frontend to rrdtool for monitoring systems and services
Closes: 452085
Changes: 
 cacti (0.8.7a-1) unstable; urgency=high
 .
   * New upstream release, including fixes for bugs and security issues.
     Includes fix for CVE-2007-6035 (sql injection vulnerability)
     Closes: #452085.
Files: 
 79e0235885578555208b3a254c1635e9 576 web extra cacti_0.8.7a-1.dsc
 7d298e496058ec91f6d1ecdc97e0cca5 2002270 web extra cacti_0.8.7a.orig.tar.gz
 15f28a5202e97ce4c2c071237ab43ad4 31963 web extra cacti_0.8.7a-1.diff.gz
 885c35f53eac228bb17cfc8a6d11143a 1845138 web extra cacti_0.8.7a-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHQxhoynjLPm522B0RAnCqAJ4ptSYr7BxTbroOrwZOttI9c2QotgCeP5jQ
nGaFAspUN4a0HE1ME3x5Ns8=
=1RMd
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 22 Dec 2007 07:32:48 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 18:58:02 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.