Debian Bug report logs - #465567: please apply various patches from cacti.net
Reported by: alessandro -oggei- ogier <barakus@gmail.com>
Date: Wed, 13 Feb 2008 10:24:04 UTC
Severity: grave
Tags: security
Found in version cacti/0.8.7a-2
Fixed in version cacti/0.8.7b-1
Done: Sean Finney <seanius@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Sean Finney <seanius@debian.org>:
Bug#465567; Package cacti.
Acknowledgement sent to alessandro -oggei- ogier <barakus@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Sean Finney <seanius@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: cacti
Version: 0.8.7a-2
Severity: grave
Tags: security
Justification: user security hole
As per http://www.ush.it/team/ush/hack-cacti087a/cacti.txt , cacti
currently in sid suffers from several security holes, fixed either by 0.8.7b
or by patches published on the upstream site.
However, applying the multiple_vulnerabilities-0.8.7a.patch found here
breaks the Debian version at the chunk @@ -107,6 +107,16 @@, so maybe a
straight 0.8.7b package would be better.
I hope to have some time to look at it in the afternoon, and attach
a correct patch, if no one does first.
cheers,
ale
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#465567; Package cacti.
Acknowledgement sent to Alessandro Ogier <alessandro.ogier@vobelisk.com>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>.
Message #10 received at 465567@bugs.debian.org:
If I rightly understand the multiple_vulnerabilities-0.8.7a.patch, it
checks with substr_count() whether PHP_SELF is contained some way in
SCRIPT_FILENAME. That is valid for every Apache configuration, but
requires a vanilla tree of the cacti application.
In Debian we have an additional site/ directory, so this check will
fail.
basename()ing $_SERVER["PHP_SELF"] will produce a still valid check
against the filesystem, but relaxes this check:
    substr_count(
        $_SERVER["SCRIPT_FILENAME"],
        basename($_SERVER["PHP_SELF"])
    )
HTH,
--
Alessandro Ogier
gpg --keyserver pgp.mit.edu --recv-keys EEBB4D0D
[multiple_vulnerabilities-0.8.7a.patch (text/x-patch, attachment)]
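To make the two checks concrete, here is an added example (not code from the cacti patch or the Debian package) that runs the strict upstream-style check and the basename() relaxation described above against constructed $_SERVER values; the filesystem paths, the /cacti URL prefix and the Debian site/ layout are assumptions.

```php
<?php
// Added example, not part of the cacti patch or the Debian package: models the
// PHP_SELF / SCRIPT_FILENAME consistency check and the basename() relaxation
// proposed in this report, using constructed $_SERVER arrays.

// Upstream-style check: the request path (PHP_SELF) must occur verbatim inside
// the script's filesystem path. This only holds when the URL prefix mirrors the
// on-disk tree, which Debian's extra site/ directory breaks.
function php_self_check_strict(array $server): bool
{
    return substr_count($server['SCRIPT_FILENAME'], $server['PHP_SELF']) > 0;
}

// Relaxed check from the report: compare only the script's basename, so the
// directory layout no longer matters (and so any directory prefix in the
// request path is accepted, which is why the report calls it "relaxed").
function php_self_check_relaxed(array $server): bool
{
    return substr_count($server['SCRIPT_FILENAME'], basename($server['PHP_SELF'])) > 0;
}

// Constructed environments for the layouts discussed (paths are assumptions).
$cases = [
    'vanilla tree' => ['PHP_SELF'        => '/cacti/graph_view.php',
                       'SCRIPT_FILENAME' => '/var/www/cacti/graph_view.php'],
    'debian site/' => ['PHP_SELF'        => '/cacti/graph_view.php',
                       'SCRIPT_FILENAME' => '/usr/share/cacti/site/graph_view.php'],
    // PHP_SELF also carries PATH_INFO, so a request for
    // /cacti/graph_view.php/extra is seen like this by both checks.
    'path info'    => ['PHP_SELF'        => '/cacti/graph_view.php/extra',
                       'SCRIPT_FILENAME' => '/var/www/cacti/graph_view.php'],
];

// Strict: pass / FAIL / FAIL. Relaxed: pass / pass / FAIL (basename is "extra").
foreach ($cases as $name => $server) {
    printf("%-13s strict=%s relaxed=%s\n", $name,
        php_self_check_strict($server) ? 'pass' : 'FAIL',
        php_self_check_relaxed($server) ? 'pass' : 'FAIL');
}
```

The relaxed form still rejects trailing path info appended to the script name, but no longer verifies the directory part of the request path, which is the trade-off the report points out.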
Reply sent to Sean Finney <seanius@debian.org>:
You have taken responsibility.
Notification sent to alessandro -oggei- ogier <barakus@gmail.com>:
Bug acknowledged by developer.
Message #15 received at 465567-close@bugs.debian.org:
Source: cacti
Source-Version: 0.8.7b-1
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive:
cacti_0.8.7b-1.diff.gz
to pool/main/c/cacti/cacti_0.8.7b-1.diff.gz
cacti_0.8.7b-1.dsc
to pool/main/c/cacti/cacti_0.8.7b-1.dsc
cacti_0.8.7b-1_all.deb
to pool/main/c/cacti/cacti_0.8.7b-1_all.deb
cacti_0.8.7b.orig.tar.gz
to pool/main/c/cacti/cacti_0.8.7b.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 465567@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sean Finney <seanius@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 13 Feb 2008 23:30:31 +0100
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7b-1
Distribution: unstable
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Sean Finney <seanius@debian.org>
Description:
cacti - Frontend to rrdtool for monitoring systems and services
Closes: 465567
Changes:
cacti (0.8.7b-1) unstable; urgency=high
.
* New upstream release. Fixes multiple security vulnerabilities (no
CVE references yet). Closes: #465567. Thanks to Alessandro Ogier for
the suggestion about the overzealous PHP_SELF checking.
Files:
194b36f64aa4500b08e54b0c37c51608 576 web extra cacti_0.8.7b-1.dsc
aa8a740a6ab88e3634b546c3e1bc502f 1972444 web extra cacti_0.8.7b.orig.tar.gz
ac2e7f46d20d57c58051c24c7e78dc9a 33284 web extra cacti_0.8.7b-1.diff.gz
e53f9d1d02f86e452d2cc389a72cab90 1850430 web extra cacti_0.8.7b-1_all.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Mar 2008 07:57:21 GMT)
Last modified: Thu Jan 11 22:46:29 2018