Hi,

As the maintainer of Cacti in Debian, I received [1] your security
report [2] on Cacti yesterday. I have several questions.

I didn't see any public communication with the upstream maintainers, so
I assume it was done in private. After releasing your CVE numbers,
wouldn't it have been nice to report the issues also in the bug tracker of
cacti, so that contributors could maybe help?

I find your report rather vague, for one because it talks about
an old version of cacti (current version is 0.8.8b). How is e.g.
CVE-2014-2326 different than (the already fixed) CVE-2013-5588,
CVE-2010-2545, CVE-2010-2544 and CVE-2010-2543? Could you please explain
if you found new issues? Maybe just explicitly stating the issues you found?

Furthermore, with the current description I hardly see a difference
between CVE-2014-2328 and the (unresolved) CVE-2009-4112?

To me it seems you have a new point with CVE-2014-2327 though.

Paul Gevers.
Debian Cacti maintainer.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768
[2] http://www.securityfocus.com/archive/1/531588
