Date: Mon, 18 May 2009 19:32:41 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: Robert Buchholz <rbu@...too.org>
Subject: Re: CVE Request for cacti
On Mon, 18 May 2009 17:16:50 +0200
Robert Buchholz <rbu@...too.org> wrote:
> Hi Henri,
>
> On Friday 15 May 2009, Henri Salo wrote:
> > I would like to obtain CVE identifier for security bug[1] in
> > cacti[2]. I believe this version of cacti is still used in some
> > servers[3][4].
> >
> > 1: http://bugs.cacti.net/view.php?id=1245
>
> The resolution indicates the bug had already been fixed at the time
> the bug was reported, thus implying it was a duplicate report of
> CVE-2008-0783. The CVE-2008-0783 patch [1] explicitly validates
> the 'action' variable as mentioned in the bug report.
>
> However, the original poster reported the 0.8.6i-3.4 Debian revision
> as vulnerable and according to DSA 1569-2 [2], it should not have
> been.
>
> Do you have any indication this is not covered by CVE-2008-0783?
>
>
> Robert
>
> [1]
> http://www.cacti.net/downloads/patches/0.8.7a/multiple_vulnerabilities-0.8.7a.patch
> [2]
> http://lists.debian.org/debian-security-announce/2008/msg00144.html
I tested this using Cacti from Etch with security updates (0.8.6i-3.5)
and it seems to be fixed. Good work.
---
Henri Salo