Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #836700,
regarding jessie-pu: package cacti/0.8.8b+dfsg-8+deb8u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
836700: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836700
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The fix for CVE-2016-2313 in 0.8.8b+dfsg-8+deb8u5 was reported¹ to contain a
regression. The attached debdiff contains the reporter's patch that was accepted
upstream to fix the issue.

Can I upload to jessie-proposed-updates?

¹ https://lists.debian.org/debian-lts/2016/07/msg00164.html
  http://bugs.cacti.net/view.php?id=2697

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (60, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru cacti-0.8.8b+dfsg/debian/changelog cacti-0.8.8b+dfsg/debian/changelog
--- cacti-0.8.8b+dfsg/debian/changelog	2016-07-09 20:26:32.000000000 +0200
+++ cacti-0.8.8b+dfsg/debian/changelog	2016-09-04 21:38:05.000000000 +0200
@@ -1,3 +1,12 @@
+cacti (0.8.8b+dfsg-8+deb8u6) jessie-proposed-updates; urgency=medium
+
+  [ Emilio Pozuelo Monfort ]
+  * CVE-2016-2313-guest-auth.patch:
+    + Fix regression in the fix for CVE-2016-2313 that broke guest user
+      logins. Thanks to Matus Uhlar for the report.
+
+ -- Paul Gevers <elb...@debian.org>  Sun, 04 Sep 2016 21:37:36 +0200
+
 cacti (0.8.8b+dfsg-8+deb8u5) jessie-proposed-updates; urgency=medium
 
   [ Emilio Pozuelo Monfort ]
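Review bot: the new changelog entry names the reporter but gives no reference for the regression itself; since the patch's Subject line is "fixing bug #2697" and the request cites the debian-lts thread, adding the upstream bug reference (bugs.cacti.net #2697) to the bullet would let anyone reading the changelog trace why deb8u6 exists without opening the patch file.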
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch	1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch	2016-09-04 21:31:56.000000000 +0200
@@ -0,0 +1,27 @@
+From 69983495cd41bf0903fe02baeef84b1fa85f2846 Mon Sep 17 00:00:00 2001
+From: cigamit <ji...@sqmail.org>
+Date: Sun, 14 Aug 2016 14:21:11 -0500
+Subject: [PATCH] fixing bug #2697
+
+web basic for guest accounts
+---
+ auth_login.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/auth_login.php
++++ b/auth_login.php
+@@ -86,10 +86,11 @@
+ 		/* Locate user in database */
+ 		$user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2");
+ 
+-		if (!$user && read_config_option('user_template') == '0') {
+-			cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User is not defined in Cacti.  Exiting.", false, 'AUTH');
++		if (!$user && read_config_option('user_template') == '0' && read_config_option('guest_user') == '0') {
++			cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but both Template and Guest Users are not defined in Cacti.  Exiting.", false, 'AUTH');
++
+ 			$username = htmlspecialchars($username);
+-			auth_display_custom_error_message("$username authenticated by Web Server, but a Template User is not defined in Cacti.");
++			auth_display_custom_error_message("$username authenticated by Web Server, but a Template User and a Guest User are not defined in Cacti.");
+ 			exit;			
+ 		}
+ 
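Review bot: the embedded diffstat (`auth_login.php | 6 +++---`, `3 insertions(+), 3 deletions(-)`) does not match the hunk, which adds four lines and removes three (the hunk header `@@ -86,10 +86,11 @@` confirms the net +1): the extra added line is the empty `++` after the cacti_log() call. quilt ignores the stat, so this applies fine, but either drop the stray blank line or fix the stat so the patch file is internally consistent. More importantly, the hunk only relaxes the bail-out condition; when `user_template` is '0' but `guest_user` is set, `$user` is still false and execution now continues past this block, so please confirm that the code following line 96 of auth_login.php takes the guest path rather than dereferencing `$user`, since that path is not visible in this diff. Finally, the patch file carries git From/Date/Subject headers but no DEP-3 `Origin:`/`Bug:` fields; adding `Origin: upstream, <commit 69983495cd41bf0903fe02baeef84b1fa85f2846>` and `Bug: http://bugs.cacti.net/view.php?id=2697` would document provenance in the form Debian tooling expects.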
diff -Nru cacti-0.8.8b+dfsg/debian/patches/series cacti-0.8.8b+dfsg/debian/patches/series
--- cacti-0.8.8b+dfsg/debian/patches/series	2016-07-09 20:04:07.000000000 +0200
+++ cacti-0.8.8b+dfsg/debian/patches/series	2016-09-04 21:31:56.000000000 +0200
@@ -31,3 +31,4 @@
 CVE-2016-3172-sql-injection.patch
 CVE-2016-3659-sql-injection.patch
 CVE-2016-2313-authentication-bypass.patch
+CVE-2016-2313-guest-auth.patch
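Review bot: appending the new patch at the end of series is the right choice here, since it touches the same region of auth_login.php that CVE-2016-2313-authentication-bypass.patch modifies and must apply on top of it; note that dependency in the patch header so the ordering is not broken by a later refresh.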

--- End Message ---
--- Begin Message ---
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---
