oss-sec mailing list archives
Re: CVE Request -- Cacti v0.8.7 -- three security fixes
From: Josh Bressers <bressers () redhat com>
Date: Wed, 26 May 2010 14:58:39 -0400 (EDT)
I'm going to butcher this up a bit to make it easier to follow (at least for me).

----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:

> Cacti upstream has released:
> [1] http://www.cacti.net/release_notes_0_8_7f.php
> latest v0.8.7 version, addressing three security flaws:
>
> [A], MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability
> http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html
> http://www.vupen.com/english/advisories/2010/1204
> Credit: The vulnerability was discovered by Stefan Esser as part of the SQL Injection Marathon.
> Upstream changeset: http://svn.cacti.net/viewvc?view=rev&revision=5920
Steve, you've been handling the MOPS stuff. I'm going to leave this one alone unless you tell me otherwise (I don't want to dupe).
> [B], Cross-site scripting issues reported by VUPEN Security
> http://www.vupen.com/english/advisories/2010/1203
> Credit: Vulnerabilities reported by Mohammed Boumediane (VUPEN Security).
> Upstream changeset: http://svn.cacti.net/viewvc?view=rev&revision=5901
Use CVE-2010-1644 for this one.
> [C], SQL injection and shell escaping issues reported by Bonsai Information Security (http://www.bonsai-sec.com)
> http://www.bonsai-sec.com/blog/index.php/using-grep-to-find-0days/
> http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php
> Credit: This vulnerability was discovered by Nahuel Grisolia ( nahuel -at- bonsai-sec.com )
> Upstream changeset: http://svn.cacti.net/viewvc?view=rev&revision=5747
Use CVE-2010-1645 for this one.
> References:
> [10] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582691
> [11] https://bugzilla.redhat.com/show_bug.cgi?id=595289
Thanks.

-- 
JB
Current thread:
- CVE Request -- Cacti v0.8.7 -- three security fixes Jan Lieskovsky (May 24)
- Re: CVE Request -- Cacti v0.8.7 -- three security fixes Josh Bressers (May 26)
- Re: CVE Request -- Cacti v0.8.7 -- three security fixes Steven M. Christey (May 27)
- Re: CVE Request -- Cacti v0.8.7 -- three security fixes Jan Lieskovsky (Jun 01)
- Re: CVE Request -- Cacti v0.8.7 -- three security fixes Steven M. Christey (Jun 07)
- Re: CVE Request -- Cacti v0.8.7 -- three security fixes Larry Adams (Jun 07)
- Re: CVE Request -- Cacti v0.8.7 -- three security fixes Tony Roman (Jun 07)
- Re: CVE Request -- Cacti v0.8.7 -- three security fixes Steven M. Christey (May 27)
- Re: CVE Request -- Cacti v0.8.7 -- three security fixes Josh Bressers (May 26)