[Git][security-tracker-team/security-tracker][master] Reserve DLA-2965-1 for cacti

Tue, 29 Mar 2022 13:41:21 -0700 


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7c9280cd by Sylvain Beucler at 2022-03-29T22:40:54+02:00
Reserve DLA-2965-1 for cacti

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -30841,7 +30841,6 @@ CVE-2021-26247 (As an unauthenticated remote user, 
visit "http://<CACTI_SERVE
        NOTE: Fixed by: 
https://github.com/Cacti/cacti/commit/2b8097c06030ab72c5b3bdadb23dceb5332f0e94 
(1.2.0-beta1)
 CVE-2021-23225 (Cacti 1.1.38 allows authenticated users with User Management 
permissio ...)
        - cacti 1.2.1+ds1-1
-       [stretch] - cacti <postponed> (Minor issue; stored XSS requires prior 
admin access)
        NOTE: https://github.com/Cacti/cacti/issues/1882
        NOTE: overlap with CVE-2020-7106 (registered earlier, but issue above 
is from 2018) which refactors user_admin.php XSS protection
        NOTE: input (not output) validation not addressed, malicious username 
still can be created after fix
@@ -111785,7 +111784,6 @@ CVE-2020-23227
 CVE-2020-23226 (Multiple Cross Site Scripting (XSS) vulneratiblities exist in 
Cacti 1. ...)
        - cacti 1.2.13+ds1-1
        [buster] - cacti <no-dsa> (Minor issues)
-       [stretch] - cacti <no-dsa> (Minor issues; also requires semi-intrusive 
change to be backported)
        NOTE: https://github.com/Cacti/cacti/issues/3549
        NOTE: 
https://github.com/Cacti/cacti/commit/8d5fbc48debddc91a66b5aed877060566c6b6232 
(1.2.13)
        NOTE: 
https://github.com/Cacti/cacti/commit/74c011ba8635902713c530ded90bc0a045ca461d 
(1.2.13)
@@ -135039,7 +135037,6 @@ CVE-2020-13231 (In Cacti before 1.2.11, 
auth_profile.php?action=edit allows CSRF
 CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not 
immediately  ...)
        - cacti 1.2.11+ds1-1
        [buster] - cacti 1.2.2+ds1-2+deb10u3
-       [stretch] - cacti <no-dsa> (Minor issue, Partial patch 
https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch)
        NOTE: https://github.com/Cacti/cacti/issues/3343
 CVE-2020-13229 (An issue was discovered in Sysax Multi Server 6.90. A session 
can be h ...)
        NOT-FOR-US: Sysax Multi Server
@@ -152106,7 +152103,6 @@ CVE-2020-7106 (Cacti 1.2.8 has stored XSS in 
data_sources.php, color_templates_i
        {DLA-2069-1}
        - cacti 1.2.9+ds1-1 (bug #949996)
        [buster] - cacti 1.2.2+ds1-2+deb10u3
-       [stretch] - cacti <postponed> (can be fixed along with more important 
issues)
        NOTE: https://github.com/Cacti/cacti/issues/3191
        NOTE: 
https://github.com/Cacti/cacti/commit/4cbb045e03ee20a2bd09094a201a925fbb8a39d9
        NOTE: 
https://github.com/Cacti/cacti/commit/47a000b5aba4af16967e249b25f25397506e3464
@@ -196488,7 +196484,6 @@ CVE-2019-11026 (FontInfoScanner::scanFonts in 
FontInfo.cc in Poppler 0.75.0 has
 CVE-2019-11025 (In clearFilter() in utilities.php in Cacti before 1.2.3, no 
escaping o ...)
        {DLA-1757-1}
        - cacti 1.2.2+ds1-2 (low; bug #926700)
-       [stretch] - cacti <no-dsa> (Minor issue)
        NOTE: https://github.com/Cacti/cacti/issues/2581
        NOTE: 
https://github.com/Cacti/cacti/commit/c373e66a6a224e221a1db037164144ce59b20736 
(v1.2.3)
 CVE-2019-11024 (The load_pnm function in frompnm.c in libsixel.a in libsixel 
1.8.2 has ...)
@@ -253380,7 +253375,6 @@ CVE-2018-10074 (The hi3660_stub_clk_probe function in 
drivers/clk/hisilicon/clk-
        NOTE: Fixed by: 
https://git.kernel.org/linus/9903e41ae1f5d50c93f268ca3304d4d7c64b9311 (4.16-rc7)
 CVE-2018-10061 (Cacti before 1.1.37 has XSS because it makes certain 
htmlspecialchars  ...)
        - cacti 1.1.37+ds1-1 (low)
-       [stretch] - cacti <no-dsa> (Minor issue)
        [jessie] - cacti <no-dsa> (Minor issue)
        [wheezy] - cacti <no-dsa> (Minor issue)
        NOTE: https://github.com/Cacti/cacti/issues/1457
@@ -253392,7 +253386,6 @@ CVE-2018-10061 (Cacti before 1.1.37 has XSS because 
it makes certain htmlspecial
        NOTE: 
https://github.com/Cacti/cacti/commit/3a76892c178e27ce6e7189fd0ba17581f91154e8 
(v1.1.37)
 CVE-2018-10060 (Cacti before 1.1.37 has XSS because it does not properly 
reject uninte ...)
        - cacti 1.1.37+ds1-1 (low)
-       [stretch] - cacti <no-dsa> (Minor issue)
        [jessie] - cacti <no-dsa> (Minor issue)
        [wheezy] - cacti <no-dsa> (Minor issue)
        NOTE: https://github.com/Cacti/cacti/issues/1457


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Mar 2022] DLA-2965-1 cacti - security update
+       {CVE-2018-10060 CVE-2018-10061 CVE-2019-11025 CVE-2020-7106 
CVE-2020-13230 CVE-2020-23226 CVE-2021-23225 CVE-2022-0730}
+       [stretch] - cacti 0.8.8h+ds1-10+deb9u2
 [29 Mar 2022] DLA-2964-1 libdatetime-timezone-perl - new upstream version
        [stretch] - libdatetime-timezone-perl 1:2.09-1+2022a
 [29 Mar 2022] DLA-2963-1 tzdata - new timezone database


=====================================
data/dla-needed.txt
=====================================
@@ -24,9 +24,6 @@ asterisk (Abhijith PA)
   NOTE: 20220314: Looking on back log no-dsa (abhijith)
   NOTE: 20220322: 
https://people.debian.org/~abhijith/upload/vda/asterisk_13.14.1~dfsg-2+deb9u6.dsc
 (abhijith)
 --
-cacti (Sylvain Beucler)
-  NOTE: 20220321: checking postponed vulnerabilities
---
 condor
 --
 firmware-nonfree



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c9280cd5368da368597f3bcbd5c51f98663df33

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c9280cd5368da368597f3bcbd5c51f98663df33
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to