Date: Mon, 18 May 2009 19:32:41 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: Robert Buchholz <rbu@...too.org>
Subject: Re: CVE Request for cacti

On Mon, 18 May 2009 17:16:50 +0200
Robert Buchholz <rbu@...too.org> wrote:

> Hi Henri,
>
> On Friday 15 May 2009, Henri Salo wrote:
> > I would like to obtain a CVE identifier for a security bug in
> > cacti. I believe this version of cacti is still used in some
> > servers.
> >
> > 1: http://bugs.cacti.net/view.php?id=1245
>
> The resolution indicates the bug had already been fixed at the time
> the bug was reported, thus implying it was a duplicate report of
> CVE-2008-0783. The CVE-2008-0783 patch explicitly validates
> the 'action' variable as mentioned in the bug report.
>
> However, the original poster reported the 0.8.6i-3.4 Debian revision
> as vulnerable and according to DSA 1569-2, it should not have
> been.
>
> Do you have any indication this is not covered by CVE-2008-0783?
>
>
> Robert
>
> http://www.cacti.net/downloads/patches/0.8.7a/multiple_vulnerabilities-0.8.7a.patch
> http://lists.debian.org/debian-security-announce/2008/msg00144.html

I tested this using Cacti from Etch with security updates (0.8.6i-3.5)
and it seems to be fixed. Good work.

---
Henri Salo