Date: Mon, 18 May 2009 17:16:50 +0200
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: Henri Salo <henri@...v.fi>,
 coley@...us.mitre.org
Subject: Re: CVE Request for cacti

Hi Henri,

On Friday 15 May 2009, Henri Salo wrote:
> I would like to obtain CVE identifier for security bug[1] in
> cacti[2]. I believe this version of cacti is still used in some
> servers[3][4].
>
> 1: http://bugs.cacti.net/view.php?id=1245

The resolution indicates the bug had already been fixed at the time the 
bug was reported, thus implying it was a duplicate report of 
CVE-2008-0783. The CVE-2008-0783 patch [1] explicitly validates 
the 'action' variable as mentioned in the bug report.

However, the original poster reported the 0.8.6i-3.4 Debian revision as 
vulnerable and according to DSA 1569-2 [2], it should not have been.

Do you have any indication this is not covered by CVE-2008-0783?


Robert

[1] http://www.cacti.net/downloads/patches/0.8.7a/multiple_vulnerabilities-0.8.7a.patch
[2] http://lists.debian.org/debian-security-announce/2008/msg00144.html

