[SECURITY] [DSA 764-1] New cacti packages fix several vulnerabilities

From: Martin Schulze (joey_at_infodrom.org)
Date: 07/21/05

  • Next message: foster_at_ghc.ru: "Re: PHPNews SQL injection vulnerability"
    Date: Thu, 21 Jul 2005 07:53:41 +0200 (CEST)
    To: bugtraq@securityfocus.com

    Hash: SHA1

    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 764-1 security@debian.org
    http://www.debian.org/security/ Martin Schulze
    July 21st, 2005 http://www.debian.org/security/faq
    - --------------------------------------------------------------------------

    Package : cacti
    Vulnerability : several
    Problem-Type : remote
    Debian-specific: no
    CVE IDs : CAN-2005-1524 CAN-2005-1525 CAN-2005-1526 CAN-2005-2148 CAN-2005-2149
    Debian Bug : 316590 315703

    Several vulnerabilities have been discovered in cacti, a round-robin
    database (RRD) tool that helps create graphs from database
    information. The Common Vulnerabilities and Exposures Project
    identifies the following problems:


        Maciej Piotr Falkiewicz and an anonymous researcher discovered an
        input validation bug that allows an attacker to include arbitrary
        PHP code from remote sites which will allow the execution of
        arbitrary code on the server running cacti.


        Due to mising input validation cacti allows a remote attacker to
        insert arbitrary SQL statements.


        Maciej Piotr Falkiewicz discovered an input validation bug that
        allows an attacker to include arbitrary PHP code from remote sites
        which will allow the execution of arbitrary code on the server
        running cacti.


        Stefan Esser discovered that the update for the abovely mentioned
        vulnerabilities does not perform proper input validation to
        protect against common attacks.


        Stefan Esser discovered that the update for CAN-2005-1525 allows
        remote attackers to modify session information to gain privileges
        and disable the use of addslashes to protect against SQL

    For the old stable distribution (woody) these problems have been fixed in
    version 0.6.7-2.5.

    For the stable distribution (sarge) these problems have been fixed in
    version 0.8.6c-7sarge2.

    For the unstable distribution (sid) these problems have been fixed in
    version 0.8.6e-1.

    We recommend that you upgrade your cacti package.

    Upgrade Instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 3.0 alias woody
    - --------------------------------

      Source archives:

          Size/MD5 checksum: 565 ca9cffd44ea6e8235005ce8e066fb88e
          Size/MD5 checksum: 25286 18aad674e7ef91dafb11af9a02c677d7
          Size/MD5 checksum: 206608 b004ac1ca1dd18737f0fa685fe18737c

      Architecture independent components:

          Size/MD5 checksum: 212418 ae47dc9aeb1820c5074fc39c5b6c84bc

    Debian GNU/Linux 3.1 alias sarge
    - --------------------------------

      Source archives:

          Size/MD5 checksum: 595 50f791f80662a02e982e82e4be7e59b5
          Size/MD5 checksum: 42575 a9959e2d720a6f7188c5713494b9eaaa
          Size/MD5 checksum: 1046586 b4130300f671e773ebea3b8f715912c1

      Architecture independent components:

          Size/MD5 checksum: 1058544 2b5fe2ca0dc11a199c20f5bf7b3aa7ee

      These files will probably be moved into the stable distribution on
      its next update.

    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: debian-security-announce@lists.debian.org
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/>

    Version: GnuPG v1.4.1 (GNU/Linux)

    -----END PGP SIGNATURE-----

  • Next message: foster_at_ghc.ru: "Re: PHPNews SQL injection vulnerability"

    Relevant Pages