Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #836700,
regarding jessie-pu: package cacti/0.8.8b+dfsg-8+deb8u6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
836700: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836700
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
The fix for CVE-2016-2313 in 0.8.8b+dfsg-8+deb8u5 was reported¹ to contain a
regression. The attached debdiff contains the reporter's patch that was accepted
upstream to fix the issue.
Can I upload to jessie-proposed-updates?
¹ https://lists.debian.org/debian-lts/2016/07/msg00164.html
http://bugs.cacti.net/view.php?id=2697
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing'), (60, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru cacti-0.8.8b+dfsg/debian/changelog cacti-0.8.8b+dfsg/debian/changelog
--- cacti-0.8.8b+dfsg/debian/changelog 2016-07-09 20:26:32.000000000 +0200
+++ cacti-0.8.8b+dfsg/debian/changelog 2016-09-04 21:38:05.000000000 +0200
@@ -1,3 +1,12 @@
+cacti (0.8.8b+dfsg-8+deb8u6) jessie-proposed-updates; urgency=medium
+
+ [ Emilio Pozuelo Monfort ]
+ * CVE-2016-2313-guest-auth.patch:
+ + Fix regression in the fix for CVE-2016-2313 that broke guest user
+ logins. Thanks to Matus Uhlar for the report.
+
+ -- Paul Gevers <elb...@debian.org> Sun, 04 Sep 2016 21:37:36 +0200
+
cacti (0.8.8b+dfsg-8+deb8u5) jessie-proposed-updates; urgency=medium
[ Emilio Pozuelo Monfort ]
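Review bot: the new changelog entry credits the regression report but gives no pointer to where the fix came from; since the added patch is upstream's fix for cacti bug #2697 and the regression was reported on the debian-lts list, the entry should cite both so the stable release team can trace the change, e.g. "Fix regression in the fix for CVE-2016-2313 that broke guest user logins (upstream bug #2697)".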
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch 1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2016-2313-guest-auth.patch 2016-09-04 21:31:56.000000000 +0200
@@ -0,0 +1,27 @@
+From 69983495cd41bf0903fe02baeef84b1fa85f2846 Mon Sep 17 00:00:00 2001
+From: cigamit <ji...@sqmail.org>
+Date: Sun, 14 Aug 2016 14:21:11 -0500
+Subject: [PATCH] fixing bug #2697
+
+web basic for guest accounts
+---
+ auth_login.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/auth_login.php
++++ b/auth_login.php
+@@ -86,10 +86,11 @@
+ /* Locate user in database */
+ $user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2");
+
+- if (!$user && read_config_option('user_template') == '0') {
+- cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User is not defined in Cacti. Exiting.", false, 'AUTH');
++ if (!$user && read_config_option('user_template') == '0' && read_config_option('guest_user') == '0') {
++ cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but both Template and Guest Users are not defined in Cacti. Exiting.", false, 'AUTH');
++
+ $username = htmlspecialchars($username);
+- auth_display_custom_error_message("$username authenticated by Web Server, but a Template User is not defined in Cacti.");
++ auth_display_custom_error_message("$username authenticated by Web Server, but a Template User and a Guest User are not defined in Cacti.");
+ exit;
+ }
+
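Review bot: the new patch file carries only the git-format-patch headers (From, Date, Subject) and no DEP-3 metadata; add "Origin: upstream, <commit URL>", "Bug: http://bugs.cacti.net/view.php?id=2697" and "Bug-Debian:" lines so the patch's provenance is recorded in debian/patches itself rather than only in the changelog. On the logic in the inner hunk: the fatal branch now fires only when both user_template and guest_user are '0', so a web-server-authenticated username with no matching user_auth row and no template user falls through with $user still false whenever a guest user is configured; the hunk does not show the code below line 96 that is expected to pick up that guest fallback, so confirm during review that the subsequent path handles a false $user, since this is exactly the check CVE-2016-2313 tightened. Minor: the added empty "+" line after the cacti_log() call introduces a blank line inside the if block that the surrounding code does not use.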
diff -Nru cacti-0.8.8b+dfsg/debian/patches/series cacti-0.8.8b+dfsg/debian/patches/series
--- cacti-0.8.8b+dfsg/debian/patches/series 2016-07-09 20:04:07.000000000 +0200
+++ cacti-0.8.8b+dfsg/debian/patches/series 2016-09-04 21:31:56.000000000 +0200
@@ -31,3 +31,4 @@
CVE-2016-3172-sql-injection.patch
CVE-2016-3659-sql-injection.patch
CVE-2016-2313-authentication-bypass.patch
+CVE-2016-2313-guest-auth.patch
--- End Message ---
--- Begin Message ---
Version: 8.6
The updates referred to in each of these bugs were included in today's
stable point release.
Regards,
Adam
--- End Message ---