Date: Mon, 18 May 2009 19:32:41 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: Robert Buchholz <rbu@...too.org>
Subject: Re: CVE Request for cacti

On Mon, 18 May 2009 17:16:50 +0200
Robert Buchholz <rbu@...too.org> wrote:

> Hi Henri,
>
> On Friday 15 May 2009, Henri Salo wrote:
> > I would like to obtain CVE identifier for security bug in
> > cacti. I believe this version of cacti is still used in some
> > servers.
> >
> > 1: http://bugs.cacti.net/view.php?id=1245
>
> The resolution indicates the bug had already been fixed at the time
> the bug was reported, thus implying it was a duplicate report of
> CVE-2008-0783. The CVE-2008-0783 patch explicitly validates
> the 'action' variable as mentioned in the bug report.
>
> However, the original poster reported the 0.8.6i-3.4 Debian revision
> as vulnerable and according to DSA 1569-2, it should not have
> been.
>
> Do you have any indication this is not covered by CVE-2008-0783?
>
>
> Robert
>
> http://www.cacti.net/downloads/patches/0.8.7a/multiple_vulnerabilities-0.8.7a.patch
> http://lists.debian.org/debian-security-announce/2008/msg00144.html

I tested this using Cacti from Etch with security updates (0.8.6i-3.5)
and it seems to be fixed. Good work.

---
Henri Salo