Bug 834464 - (CVE-2013-1434) VUL-0: CVE-2013-1434 CVE-2013-1435: cacti: SQL injection and shell escaping issues fixed in 0.8.8b
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware/OS: Other Other
Importance: P3 - Medium Normal
Target Milestone: ---
Assigned To: Stephan Kleine
QA Contact: Security Team bot
Depends on:
Blocks:
Reported: 2013-08-12 15:13 UTC by Marcus Meissner
Modified: 2014-04-13 19:51 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Marcus Meissner 2013-08-12 15:13:12 UTC
public via older updates and via redhat

https://bugzilla.redhat.com/show_bug.cgi?id=994616

CVE-2013-1434 CVE-2013-1435

Cacti 0.8.8b was released [1] which includes a security fix for "SQL injection and shell escaping issues".

[1] http://sourceforge.net/mailarchive/message.php?msg_id=31258868


cacti lives in openSUSE 12.2-factory, cc all maintainers as there is no specific bugowner


Please note that a regression was spotted too:

Hi Kurt

The fix for CVE-2013-1435[1] introduced a regression:

 [1] http://svn.cacti.net/viewvc?view=rev&revision=7393

It was reported in [2] and upstream proposed a fix [3] which was
confirmed to work by two of the involved people.

 [2] http://sourceforge.net/mailarchive/message.php?msg_id=31262707
 [3] http://sourceforge.net/mailarchive/message.php?msg_id=31262712

The corresponding svn commits should be the following:

 [4] http://svn.cacti.net/viewvc?view=rev&revision=7408
 [5] http://svn.cacti.net/viewvc?view=rev&revision=7409
 [6] http://svn.cacti.net/viewvc?view=rev&revision=7413
Comment 1 Swamp Workflow Management 2013-08-12 22:00:10 UTC
bugbot adjusting priority
Comment 2 Joop Boonen 2013-08-13 09:18:08 UTC
Created a fixed package version
mr#186874
Comment 3 Joop Boonen 2013-08-13 09:31:43 UTC
For openSUSE 12.3
mr#186911
Comment 4 Bernhard Wiedemann 2013-08-13 10:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (834464) was mentioned in
https://build.opensuse.org/request/show/186874 Maintenance / 
https://build.opensuse.org/request/show/186911 Maintenance /
Comment 5 Swamp Workflow Management 2013-08-23 13:05:12 UTC
openSUSE-SU-2013:1377-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 834464
CVE References: CVE-2013-1434,CVE-2013-1435
Sources used:
openSUSE 12.3 (src):    cacti-0.8.8b-5.4.1
openSUSE 12.2 (src):    cacti-0.8.8b-2.4.1
Comment 6 Aeneas Jaißle 2014-04-13 19:51:09 UTC
Fixed, packages found their way into the update repositories.