Hi Tony,

Just for your heads-up. I was hoping to also see a fix for CVE-2014-2327 already, but I fully understand why that takes longer. Do you have any idea how long it will take? Days, weeks, months? If the scale is bigger than some small number of weeks, I will patch cacti in Debian already with the fixes available.
You do know that Cacti got assigned two other CVEs for a fix you made recently? CVE-2014-2708 and CVE-2014-2709: http://seclists.org/oss-sec/2014/q2/15

Paul

On 03/31/14 06:46, Tony Roman wrote:
> Paul,
>
> I created 3 bugs to fix the issues outlined. I'm still working on
> CVE-2014-2327 as it will require a little more work to mitigate in the
> Cacti code. As for your questions about past CVEs, the currently
> reported ones are valid from the reported version to the latest. Once I
> have resolved the issue in CVE-2014-2327, I will post patches all the
> way back to 0.8.7g to 0.8.8b. A new release is pending release after
> testing is complete.
>
> If you are logged into the bug system you should be able to read the
> descriptions of the issues that I added as private comments.
>
> CVE-2014-2326 Unspecified HTML Injection Vulnerability
> http://bugs.cacti.net/view.php?id=2431
>
> CVE-2014-2327 Cross Site Request Forgery Vulnerability
> http://bugs.cacti.net/view.php?id=2432
>
> CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
> http://bugs.cacti.net/view.php?id=2433
>
> Tony Roman
> Cacti Developer
>
> On 3/28/14, 3:52 AM, Paul Gevers wrote:
>> Hi,
>>
>> As the maintainer of Cacti in Debian, I received [1] your security
>> report [2] on Cacti yesterday. I have several questions.
>>
>> I didn't see any public communication with the upstream maintainers, so
>> I assume it was done in private. After releasing your CVE numbers,
>> wouldn't it have been nice to report the issues also in the bug tracker of
>> cacti, so that contributors could maybe help?
>>
>> I find your report rather vague, for one because it talks about
>> an old version of cacti (current version is 0.8.8b). How is e.g.
>> CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
>> CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
>> if you found new issues? Maybe just explicitly stating the issues you found?
>>
>> Furthermore, with the current description I hardly see a difference
>> between CVE-2014-2328 and the (unresolved) CVE-2009-4112?
>>
>> To me it seems you have a new point with CVE-2014-2327 though.
>>
>> Paul Gevers.
>> Debian Cacti maintainer.
>>
>> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
>> [2] http://www.securityfocus.com/archive/1/531588