More releases happened... list of open items (since 12.04):

cacti (0.8.8b+dfsg-8+deb8u1) jessie-security; urgency=high

  * Security update
    - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti before
      0.8.8d allows remote attackers to inject arbitrary web script or HTML
      via unspecified vectors.
    - CVE-2015-4342 SQL Injection and Location header injection from cdef id
    - CVE-2015-4454 SQL injection vulnerability in the get_hash_graph_template
      function in lib/functions.php in Cacti before 0.8.8d allows remote
      attackers to execute arbitrary SQL commands via the graph_template_id
      parameter to graph_templates.php.
    - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540

 -- Paul Gevers <elb...@debian.org>  Mon, 22 Jun 2015 20:55:59 +0200

cacti (0.8.8b+dfsg-8) unstable; urgency=high

  * CVE-2014-5261 Insufficient input sanitation leads to shell command
    injection possibilities
  * CVE-2014-5262 Incomplete and incorrect input parsing leads to SQL
    injection attack scenarios
  * Fix for CVE-2014-5043 was incomplete, improve patch
  * Change CVE-2014-4002 patch to include upstream updated commits

 -- Paul Gevers <elb...@debian.org>  Mon, 18 Aug 2014 19:57:43 +0200

cacti (0.8.8b+dfsg-7) unstable; urgency=medium

  * Fix regression caused by fixing CVE-2014-4002, at least plugin autom8
    was unusable (Closes: #755032)
  * Security update
    - CVE-2014-5025 Cross Site Scripting Vulnerability
    - CVE-2014-5026 Cross Site Scripting Vulnerability
    - CVE-2014-5043 Cross Site Scripting Vulnerability

 -- Paul Gevers <elb...@debian.org>  Thu, 24 Jul 2014 21:56:48 +0200

cacti (0.8.8b+dfsg-6) unstable; urgency=high

  * Add alternative php5-mysql | php5-mysqlnd (Closes: #744067)
  * Security update (Closes: #742768, #752573)
    - CVE-2014-2327 Cross Site Request Forgery Vulnerability
    - CVE-2014-4002 Cross-Site Scripting Vulnerability

 -- Paul Gevers <elb...@debian.org>  Wed, 25 Jun 2014 22:33:53 +0200

cacti (0.8.8b+dfsg-5) unstable; urgency=high

  * Fix postinst for lighttpd setups which fail on update due to
    lighty-enable-mod exiting with non-zero if config is already loaded
    (Closes: 743727)

 -- Paul Gevers <elb...@debian.org>  Sun, 06 Apr 2014 19:59:12 +0200

cacti (0.8.8b+dfsg-4) unstable; urgency=high

  * Security update (Closes: 743565)
    - CVE-2014-2326 Cross-site scripting (XSS) vulnerability
    - CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
    - CVE-2014-2708 SQL injection
    - CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
  * Bump standards (no changes needed)
  * Fix VCS-Browser field
  * Fix license paragraph of jstree (Thanks lintian)

 -- Paul Gevers <elb...@debian.org>  Sat, 05 Apr 2014 13:03:22 +0200

cacti (0.8.8b+dfsg-3) unstable; urgency=low

  * Fix Cross site scripting (upstream bug 2383) CVE-2013-5588
  * Fix SQL injection in host.php (upstream bug 2383) CVE-2013-5589
  * Fix upgrade script in cli directory for latest releases
  * Automatically upgrade database during package update (prevents upstream
    bug 2377)
  * The code to enable lighttpd configuration from LP: #1132415 was broken

 -- Paul Gevers <elb...@debian.org>  Tue, 27 Aug 2013 20:43:21 +0200

** Summary changed:

- Please import 0.8.8b+dfsg-2 from Debian and backport security fixes to 12.04 LTS
+ Please backport security fixes to 12.04 LTS

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2665

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4342

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4454

** Summary changed:

- Please backport security fixes to 12.04 LTS
+ Please backport cacti security fixes

** Also affects: cacti (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Also affects: cacti (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: cacti (Ubuntu Utopic)
   Importance: Undecided
       Status: New

** Also affects: cacti (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-5588

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-5589

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-2326

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-2327

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-2328

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-2708

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-2709

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4002

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-5025

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-5026

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-5043

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-5261

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-5262

** Changed in: cacti (Ubuntu Precise)
     Assignee: (unassigned) => Paul Gevers (paul-climbing)

** Changed in: cacti (Ubuntu Trusty)
     Assignee: (unassigned) => Paul Gevers (paul-climbing)

** Changed in: cacti (Ubuntu Utopic)
     Assignee: (unassigned) => Paul Gevers (paul-climbing)

** Changed in: cacti (Ubuntu Vivid)
     Assignee: (unassigned) => Paul Gevers (paul-climbing)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1210822

Title:
  Please backport cacti security fixes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/1210822/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs