> How did you generate these? Did you test the patched packages?

By looking at upstream svn changes I can modify the Debian sources easily.
Yes, I tested it.

> When submitting, can you remove this from the debdiff?

Yup

> One last thing, cacti on lucid has several other open CVEs:
> CVE-2010-1644, CVE-2010-1645, CVE-2010-2543, CVE-2010-2544 and
> CVE-2010-2545. Do you plan on providing patches for these as well? If
> so, please update the debdiff to include these as well. Thanks again!

The CVEs mentioned above have been resolved in 0.8.7e-2ubuntu0.1 by Brian
Thomason. Here is the changelog for 0.8.7e-2ubuntu0.1:
cacti (0.8.7e-2ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Fix SQL injection vulnerability in templates_export.php
    (LP: #599892)
    - debian/patches/CVE-2010-1431.patch: patch derived from upstream patch
    - CVE-2010-1431
  * SECURITY UPDATE: Fix cross-site scripting (XSS) vulnerabilities
    - debian/patches/CVE-2010-1644.patch: patch derived from upstream patch
    - CVE-2010-1644
  * SECURITY UPDATE: Fix arbitrary command execution vuln
    - debian/patches/CVE-2010-1645.patch: patch derived from upstream patches
    - CVE-2010-1645
  * SECURITY UPDATE: Fix a SQL injection vulnerability in graph.php
    - debian/patches/CVE-2010-2092.patch: patch derived from Debian patch
    - CVE-2010-2092
    - DSA-2060
  * SECURITY UPDATE: Fix cross-site scripting (XSS) vulnerabilities
    - debian/patches/CVE-2010-2543.patch: patch derived from upstream patches
    - CVE-2010-2543
    - CVE-2010-2544
    - CVE-2010-2545

 -- Brian Thomason <[email protected]>  Mon, 24 Jan 2011 11:20:13 -0500

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1431

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2092

** Patch added: "patch for lucid w/o po files"
   https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/906773/+attachment/2641355/+files/cacti_0.8.7e-2ubuntu0.2.dsc.debdiff

** Changed in: cacti (Ubuntu Lucid)
       Status: Incomplete => New

** Changed in: cacti (Ubuntu Maverick)
       Status: Incomplete => New

** Changed in: cacti (Ubuntu Natty)
       Status: Incomplete => New

** Changed in: cacti (Ubuntu Oneiric)
       Status: Incomplete => New

** Changed in: cacti (Ubuntu Lucid)
     Assignee: Mahyuddin Susanto (udienz) => (unassigned)

** Changed in: cacti (Ubuntu Maverick)
     Assignee: Mahyuddin Susanto (udienz) => (unassigned)

** Changed in: cacti (Ubuntu Natty)
     Assignee: Mahyuddin Susanto (udienz) => (unassigned)

** Changed in: cacti (Ubuntu Oneiric)
     Assignee: Mahyuddin Susanto (udienz) => (unassigned)

** Attachment removed: "cacti_lucid-security.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/906773/+attachment/2640974/+files/cacti_lucid-security.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/906773

Title:
  CVE-2011-4824 SQL injection issue in auth_login.php

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs