oss-sec mailing list archives
Re: CVE Request for cacti
From: Robert Buchholz <rbu () gentoo org>
Date: Mon, 18 May 2009 17:16:50 +0200
Hi Henri, On Friday 15 May 2009, Henri Salo wrote:
I would like to obtain CVE identifier for security bug[1] in cacti[2]. I beleive this version of cacti is still used in some servers[3][4]. 1: http://bugs.cacti.net/view.php?id=1245
The resolution indicates the bug had already been fixed at the time the bug was reported, thus implying it was a duplicate report of CVE-2008-0783. The CVE-2008-0783 patch [1] explicitly validates the 'action' variable as mentioned in the bug report. However, the original poster reported the 0.8.6i-3.4 Debian revision as vulnerable and according to DSA 1569-2 [2], it should not have been. Do you have any indication this is not covered by CVE-2008-0783? Robert [1] http://www.cacti.net/downloads/patches/0.8.7a/multiple_vulnerabilities-0.8.7a.patch [2] http://lists.debian.org/debian-security-announce/2008/msg00144.html
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- CVE Request for cacti Henri Salo (May 14)
- Re: CVE Request for cacti Robert Buchholz (May 18)
- Re: CVE Request for cacti Henri Salo (May 18)
- Re: CVE Request for cacti Steven M. Christey (May 21)
- Re: CVE Request for cacti Robert Buchholz (May 18)