Author: pawelz
Date: Fri May 7 11:38:21 2010 GMT
Module: packages
Tag: HEAD
---- Log message:
- added sql_injection_template_export.patch. Resolves: CVE-2010-1431
- rel 11
---- Files affected: packages/cacti: cacti.spec (1.122 -> 1.123) , sql_injection_template_export.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================ Index: packages/cacti/cacti.spec diff -u packages/cacti/cacti.spec:1.122 packages/cacti/cacti.spec:1.123 --- packages/cacti/cacti.spec:1.122 Wed Apr 14 23:49:06 2010 +++ packages/cacti/cacti.spec Fri May 7 13:38:15 2010 @@ -4,7 +4,7 @@ Summary(pl.UTF-8): Cacti - frontend w PHP do rrdtoola Name: cacti Version: 0.8.7e -Release: 10 +Release: 11 License: GPL Group: Applications/WWW Source0: http://www.cacti.net/downloads/%{name}-%{version}.tar.gz @@ -20,6 +20,7 @@ Patch102: http://www.cacti.net/downloads/patches/0.8.7e/template_duplication.patch Patch103: http://www.cacti.net/downloads/patches/0.8.7e/fix_icmp_on_windows_iis_servers.patch Patch104: http://www.cacti.net/downloads/patches/0.8.7e/cross_site_fix.patch +Patch105: http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch # http://cactiusers.org/wiki/PluginArchitectureInstall # http://mirror.cactiusers.org/downloads/plugins/cacti-plugin-0.8.7e-PA-v2.6.zip Patch0: %{name}-PA.patch @@ -124,6 +125,7 @@ %patch102 -p1 %patch103 -p1 %patch104 -p1 +%patch105 -p1 %patch0 -p1 %patch1 -p1 %patch2 -p1 @@ -274,6 +276,10 @@ All persons listed below can be reached at <cvs_login>@pld-linux.org $Log$ +Revision 1.123 2010/05/07 11:38:15 pawelz +- added sql_injection_template_export.patch. Resolves: CVE-2010-1431 +- rel 11 + Revision 1.122 2010/04/14 21:49:06 glen - worked fine for years without gd ext; rel 10 ================================================================ Index: packages/cacti/sql_injection_template_export.patch diff -u /dev/null packages/cacti/sql_injection_template_export.patch:1.1 --- /dev/null Fri May 7 13:38:21 2010 +++ packages/cacti/sql_injection_template_export.patch Fri May 7 13:38:15 2010 
@@ -0,0 +1,13 @@ +--- cacti-0.8.7e/templates_export.php 2009-06-28 12:07:11.000000000 -0400 ++++ cacti-fixed/templates_export.php 2010-04-17 14:08:42.000000000 -0400 +@@ -49,6 +49,10 @@ + function form_save() { + global $export_types; + ++ /* ================= input validation ================= */ ++ input_validate_input_number(get_request_var_post("export_item_id")); ++ /* ==================================================== */ ++ + if (isset($_POST["save_component_export"])) { + $xml_data = get_item_xml($_POST["export_type"], $_POST["export_item_id"], (((isset($_POST["include_deps"]) ? $_POST["include_deps"] : "") == "") ? false : true)); + ================================================================ ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/cacti/cacti.spec?r1=1.122&r2=1.123&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
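Review bot: in the templates_export.php hunk, only export_item_id is validated, while the get_item_xml() call in form_save() still takes $_POST["export_type"] unchecked and reads $_POST["export_item_id"] straight from the request instead of a validated copy. form_save() already declares `global $export_types;`, so consider checking export_type against $export_types before the call, and fetching export_item_id once via get_request_var_post() and passing that variable on. The return value of input_validate_input_number() is discarded, so the fix relies on that helper aborting the request on non-numeric input; a one-line comment stating this would make the intent clear to later readers. The validation also runs before the isset($_POST["save_component_export"]) test, so it applies to every POST that reaches form_save(); confirm that a request without export_item_id is handled as intended.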
