1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 1954-1] New cacti packages fix insufficient input sanit

    From Steffen Joeris@1:229/2 to All on Wed Dec 16 12:50:01 2009
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------ Debian Security Advisory DSA-1954-1 [email protected] http://www.debian.org/security/ Steffen Joeris
    December 16, 2009 http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : cacti
    Vulnerability : insufficient input sanitising
    Problem type : remote
    Debian-specific: no
    CVE Ids : CVE-2007-3112 CVE-2007-3113 CVE-2009-4032
    Debian Bugs : 429224

    Several vulnerabilities have been found in cacti, a frontend to rrdtool
    for monitoring systems and services. The Common Vulnerabilities and
    Exposures project identifies the following problems:

    CVE-2007-3112, CVE-2007-3113

    It was discovered that cacti is prone to a denial of service via the graph_height, graph_width, graph_start and graph_end parameters.
    This issue only affects the oldstable (etch) version of cacti.

    CVE-2009-4032

    It was discovered that cacti is prone to several cross-site scripting
    attacks via different vectors.

    CVE-2009-4112

    It has been discovered that cacti allows authenticated administrator
    users to gain access to the host system by executing arbitrary commands
    via the "Data Input Method" for the "Linux - Get Memory Usage" setting.

    There is no fix for this issue at this stage. Upstream will implement a whitelist policy to only allow certain "safe" commands. For the moment,
    we recommend that such access is only given to trusted users and that
    the options "Data Input" and "User Administration" are otherwise
    deactivated.


    For the oldstable distribution (etch), these problems have been fixed in version 0.8.6i-3.6.

    For the stable distribution (lenny), this problem has been fixed in
    version 0.8.7b-2.1+lenny1.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 0.8.7e-1.1.


    We recommend that you upgrade your cacti packages.

    Upgrade instructions
    - --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    Debian (oldstable)
    - ------------------

    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    Source archives:

    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i.orig.tar.gz
    Size/MD5 checksum: 1122700 341b5828d95db91f81f5fbba65411d63
    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6.diff.gz
    Size/MD5 checksum: 38419 4ee9e373817ebc32297e1c3de8fee10d
    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6.dsc
    Size/MD5 checksum: 590 bb8fb25c6db1cd6a2a785f879943d969

    Architecture independent packages:

    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6_all.deb
    Size/MD5 checksum: 962816 9093e9f9abaa6c3dbbedad24cc1d4f7e


    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------

    Debian (stable)
    - ---------------

    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    Source archives:

    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b.orig.tar.gz
    Size/MD5 checksum: 1972444 aa8a740a6ab88e3634b546c3e1bc502f
    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1.diff.gz
    Size/MD5 checksum: 37232 04459452593e23c5e837920cfd0f1789
    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1.dsc
    Size/MD5 checksum: 1117 d67349656ce9514266e7d5d2f378a219

    Architecture independent packages:

    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1_all.deb
    Size/MD5 checksum: 1847182 3876f128fdcc2aefa63d65531875d2ab


    These files will probably be moved into the stable distribution on
    its next update.

    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: [email protected]
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iEYEARECAAYFAksoyH0ACgkQ62zWxYk/rQfXGwCeKMeQqicZ/LayzFqXznC2W0is EG8AoLUxcdouXG/aTvqnfKJyWZtpA9TM
    =CLbl
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)