Hi Salvatore,

On 10-02-16 19:05, Salvatore Bonaccorso wrote:
> CVE-2016-2313[0]:
> |Authentication using web authentication as a user not in the cacti
> |database allows complete access
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

As I already mentioned in your ref [1], I don't believe this is in
general true. It is my belief that the reporter opened the access
actively and just forgot about it. Unfortunately, neither the reporter
nor upstream responded to my request. Because there is a lot of code that
is actually meant for the situation where there is no user in the cacti
database yet, I believe that "fixing" this CVE is causing (serious?)
regressions for some users, while fixing no real issue. How should we handle
this situation?

> [1] http://bugs.cacti.net/view.php?id=2656
> [2] http://svn.cacti.net/viewvc?view=rev&revision=7770

Paul
