cacti: multiple fixes (CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 CVE-2014-2708 CVE-2014-2709 CVE-2014-4002)
Multiple issues have been fixed by the vendor in the stable branch for cacti 0.8.8b.
CVE-2014-2326 Unspecified HTML Injection Vulnerability
CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
CVE-2014-2708 Unspecified SQL Injection Vulnerability
CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
CONFIRM: http://www.cacti.net/download_patches.php
PATCHES: http://www.cacti.net/downloads/patches/0.8.8b/security.patch
Additional issues not yet fixed in the stable branch:
CVE-2014-2327:
Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b,
and earlier allows remote attackers to hijack the authentication of
users for unspecified commands, as demonstrated by requests that (1)
modify binary files, (2) modify configurations, or (3) add arbitrary
users.
URL: http://www.securityfocus.com/archive/1/531588
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
URL: http://www.securityfocus.com/bid/66392
CONFIRM: http://bugs.cacti.net/view.php?id=2432 (CVE-2014-2327, not yet
resolved by the vendor in the stable branch)
CVE-2014-4002:
Cross-Site Scripting Vulnerability.
Architecture: source all
Urgency: high
Maintainer: Cacti Maintainer
<pkg-cacti-maint@lists.alioth.debian.org>
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752573
http://seclists.org/bugtraq/2014/Jun/166
SVN CHECKOUT: http://www.cacti.net/svn.php
CONFIRM: http://svn.cacti.net/viewvc?view=rev&revision=7451 (unstable
branch only so far)
CONFIRM: http://svn.cacti.net/viewvc?view=rev&revision=7452 (unstable
branch only so far)
(from redmine: issue id 3125, created on 2014-07-02, closed on 2014-07-07)
- Relations:
- child #3126 (closed)
- child #3127 (closed)
- child #3128 (closed)
- child #3129 (closed)