Message-ID: <520A1BA8.30804@debian.org>
Date: Tue, 13 Aug 2013 13:42:32 +0200
From: Giuseppe Iuculano <iuculano@...ian.org>
To: Salvatore Bonaccorso <carnil@...ian.org>
CC: Vincent Danen <vdanen@...hat.com>,
Kurt Seifried <kseifried@...hat.com>,
team@...urity.debian.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: SQL injection and shell escaping issues in Cacti < 0.8.8b

I confirm this.

Giuseppe.

On 07/08/2013 19:33, Salvatore Bonaccorso wrote:
>>> Could you wait a bit with assigning these CVEs? Giuseppe Iuculano from
>>> the Debian Security Team should have already assigned two CVEs to them
>>> (I'm putting him in the loop), but apparently upstream has not
>>> referenced them in the changelog. AFAICS the CVEs assigned were:
>>>
>>> CVE-2013-1434 -> cacti_snmp_sql_injection_CVE-2013-1434.patch
>>>
>>> CVE-2013-1435 -> cacti_snmp_escape_string_CVE-2013-1435.patch and
>>> fix_quoting_in_rrd_command_CVE-2013-1435.patch
>>>
>>> I will search the mapping patchname -> svn commits and update you.
>>
>> Thanks for this, Salvatore. I'll wait for that mapping before
>> referencing anything though.
>
> Apologies for the off-list posting, but I wanted to avoid some
> confusion! I have found the mapping, which should be as follows:
>
> http://svn.cacti.net/viewvc?view=rev&revision=7392 -> cacti_snmp_escape_string_CVE-2013-1435.patch -> CVE-2013-1435
> http://svn.cacti.net/viewvc?view=rev&revision=7393 -> fix_quoting_in_rrd_command_CVE-2013-1435.patch -> CVE-2013-1435
> http://svn.cacti.net/viewvc?view=rev&revision=7394 -> cacti_snmp_sql_injection_CVE-2013-1434.patch -> CVE-2013-1434
>
> @Giuseppe, can you confirm?