Debian Bug report logs - #578909
SQL injection in templates_export
Reported by: Thijs Kinkhorst <thijs@uvt.nl>
Date: Fri, 23 Apr 2010 13:33:01 UTC
Severity: serious
Tags: patch, security
Found in version cacti/0.8.7b-2
Fixed in versions cacti/0.8.7b-2.1+lenny2, cacti/0.8.7e-3
Done: Sean Finney <seanius@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#578909; Package cacti.
(Fri, 23 Apr 2010 13:33:04 GMT).
Acknowledgement sent
to Thijs Kinkhorst <thijs@uvt.nl>:
New Bug report received and forwarded. Copy sent to Sean Finney <seanius@debian.org>.
(Fri, 23 Apr 2010 13:33:04 GMT).
Message #5 received at submit@bugs.debian.org:
Package: cacti
Version: 0.8.7b-2
Severity: serious
Tags: security patch
Hi,
An SQL injection issue was published in Cacti:
http://seclists.org/fulldisclosure/2010/Apr/272
Both stable and testing/unstable are affected.
Upstream blessed patch is here:
http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch
CVE id not yet available.
Can you please apply it and upload to unstable with priority=high?
thanks,
Thijs
Reply sent
to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
(Sat, 24 Apr 2010 01:57:03 GMT).
Notification sent
to Thijs Kinkhorst <thijs@uvt.nl>:
Bug acknowledged by developer.
(Sat, 24 Apr 2010 01:57:03 GMT).
Message #10 received at 578909-close@bugs.debian.org:
Source: cacti
Source-Version: 0.8.7b-2.1+lenny2
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive:
cacti_0.8.7b-2.1+lenny2.diff.gz
to main/c/cacti/cacti_0.8.7b-2.1+lenny2.diff.gz
cacti_0.8.7b-2.1+lenny2.dsc
to main/c/cacti/cacti_0.8.7b-2.1+lenny2.dsc
cacti_0.8.7b-2.1+lenny2_all.deb
to main/c/cacti/cacti_0.8.7b-2.1+lenny2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 578909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 23 Apr 2010 15:25:57 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7b-2.1+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
cacti - Frontend to rrdtool for monitoring systems and services
Closes: 578909
Changes:
cacti (0.8.7b-2.1+lenny2) stable-security; urgency=high
.
* Non-maintainer upload by the security team
* Fix SQL injection in template_export with upstream patch
(BONSAI-2010-0104, closes: #578909)
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#578909; Package cacti.
(Sat, 24 Apr 2010 11:33:03 GMT).
Acknowledgement sent
to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list.
(Sat, 24 Apr 2010 11:33:03 GMT).
Message #15 received at 578909@bugs.debian.org:
tag 578909 pending
thanks
Date: Sat Apr 24 13:00:32 2010 +0200
Author: Sean Finney <seanius@debian.org>
Commit ID: 43ac8f0767e349c0d860a605e40a3970ac498bfb
Commit URL: http://git.debian.org/?p=users/seanius/cacti.git;a=commitdiff;h=43ac8f0767e349c0d860a605e40a3970ac498bfb
Patch URL: http://git.debian.org/?p=users/seanius/cacti.git;a=commitdiff_plain;h=43ac8f0767e349c0d860a605e40a3970ac498bfb
Import upstream fix for SQL injection vulnerability (no CVE assigned yet)
Closes: #578909.
Added tag(s) pending.
Request was from Sean Finney <seanius@debian.org>
to control@bugs.debian.org.
(Sat, 24 Apr 2010 11:33:05 GMT).
Reply sent
to Sean Finney <seanius@debian.org>:
You have taken responsibility.
(Sat, 24 Apr 2010 18:06:07 GMT).
Notification sent
to Thijs Kinkhorst <thijs@uvt.nl>:
Bug acknowledged by developer.
(Sat, 24 Apr 2010 18:06:07 GMT).
Message #22 received at 578909-close@bugs.debian.org:
Source: cacti
Source-Version: 0.8.7e-3
We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive:
cacti_0.8.7e-3.diff.gz
to main/c/cacti/cacti_0.8.7e-3.diff.gz
cacti_0.8.7e-3.dsc
to main/c/cacti/cacti_0.8.7e-3.dsc
cacti_0.8.7e-3_all.deb
to main/c/cacti/cacti_0.8.7e-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 578909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sean Finney <seanius@debian.org> (supplier of updated cacti package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 24 Apr 2010 17:54:20 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.7e-3
Distribution: unstable
Urgency: high
Maintainer: Sean Finney <seanius@debian.org>
Changed-By: Sean Finney <seanius@debian.org>
Description:
cacti - Frontend to rrdtool for monitoring systems and services
Closes: 578909
Changes:
cacti (0.8.7e-3) unstable; urgency=high
.
* Import upstream fix for SQL injection vulnerability (no CVE assigned yet)
- thanks to Thijs Kinkhorst <thijs@uvt.nl> (Closes: #578909).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 27 Jun 2010 07:31:45 GMT).
Last modified: Fri Aug 2 01:47:12 2024