Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request for cacti
From: Robert Buchholz <rbu () gentoo org>
Date: Mon, 18 May 2009 17:16:50 +0200

Hi Henri,

On Friday 15 May 2009, Henri Salo wrote:
I would like to obtain CVE identifier for security bug[1] in
cacti[2]. I beleive this version of cacti is still used in some
servers[3][4].

1: http://bugs.cacti.net/view.php?id=1245

The resolution indicates the bug had already been fixed at the time the 
bug was reported, thus implying it was a duplicate report of 
CVE-2008-0783. The CVE-2008-0783 patch [1] explicitly validates 
the 'action' variable as mentioned in the bug report.

However, the original poster reported the 0.8.6i-3.4 Debian revision as 
vulnerable and according to DSA 1569-2 [2], it should not have been.

Do you have any indication this is not covered by CVE-2008-0783?


Robert

[1] 
http://www.cacti.net/downloads/patches/0.8.7a/multiple_vulnerabilities-0.8.7a.patch
[2] http://lists.debian.org/debian-security-announce/2008/msg00144.html

Attachment: signature.asc
Description: This is a digitally signed message part.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault