Date: Mon, 18 May 2009 19:32:41 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: Robert Buchholz <rbu@...too.org>
Subject: Re: CVE Request for cacti

On Mon, 18 May 2009 17:16:50 +0200
Robert Buchholz <rbu@...too.org> wrote:

> Hi Henri,
> 
> On Friday 15 May 2009, Henri Salo wrote:
> > I would like to obtain a CVE identifier for security bug[1] in
> > cacti[2]. I believe this version of cacti is still used on some
> > servers[3][4].
> >
> > 1: http://bugs.cacti.net/view.php?id=1245
> 
> The resolution indicates the bug had already been fixed at the time
> the bug was reported, thus implying it was a duplicate report of 
> CVE-2008-0783. The CVE-2008-0783 patch [1] explicitly validates 
> the 'action' variable as mentioned in the bug report.
> 
> However, the original poster reported the 0.8.6i-3.4 Debian revision
> as vulnerable and according to DSA 1569-2 [2], it should not have
> been.
> 
> Do you have any indication this is not covered by CVE-2008-0783?
> 
> 
> Robert
> 
> [1] http://www.cacti.net/downloads/patches/0.8.7a/multiple_vulnerabilities-0.8.7a.patch
> [2] http://lists.debian.org/debian-security-announce/2008/msg00144.html

I tested this using Cacti from Etch with security updates (0.8.6i-3.5)
and it seems to be fixed. Good work.

---
Henri Salo
