[Bug 1210822] Re: Please import 0.8.8b+dfsg-2 from Debian and backport security fixes to 12.04 LTS
Ok, so I aligned the comments in the changelog slightly. Take 2 of the debdiff. (I will delete the first one if Launchpad allows).

** Patch added: "debdiff for against cacti_0.8.7i-2ubuntu1"
   https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/1210822/+attachment/3774094/+files/cacti_0.8.7i-2ubuntu1_to_0.8.7i-2ubuntu1.1_take2.debdiff

** Patch removed: "debdiff for against cacti_0.8.7i-2ubuntu1"
   https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/1210822/+attachment/3767495/+files/cacti_0.8.7i-2ubuntu1_to_0.8.7i-2ubuntu1.1.debdiff

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1210822

Title:
  Please import 0.8.8b+dfsg-2 from Debian and backport security fixes to 12.04 LTS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/1210822/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1210822] Re: Please import 0.8.8b+dfsg-2 from Debian and backport security fixes to 12.04 LTS
I get a clean cacti_0.8.7i-2ubuntu1.1_all.deb via 'debuild -b -uc -us' on an up to date precise VM with this debdiff applied, though lintian is mildly displeased with your changelog.Debian addition...

Now running lintian...
W: cacti: debian-changelog-line-too-long line 4
W: cacti: debian-changelog-line-too-long line 6
N: 1 tag overridden (1 warning)
Finished running lintian.

Upgraded our server with it and seems not broken, but we don't use any authenticated/admin functions so YMMV.

** Changed in: cacti (Ubuntu)
       Status: Triaged => Confirmed
[Bug 1210822] Re: Please import 0.8.8b+dfsg-2 from Debian and backport security fixes to 12.04 LTS
** Tags added: patch
[Bug 1210822] Re: Please import 0.8.8b+dfsg-2 from Debian and backport security fixes to 12.04 LTS
I have created a debdiff for this issue. The patch applies cleanly, but as I don't have precise myself anymore I have not built and tested the package (yet). I would appreciate if somebody else would do that and assign the ubuntu-security-sponsors: https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue if successful.

@ comment #2: "the risk is very high" should of course have been "the risk is not very high"

** Patch added: "debdiff for against cacti_0.8.7i-2ubuntu1"
   https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/1210822/+attachment/3767495/+files/cacti_0.8.7i-2ubuntu1_to_0.8.7i-2ubuntu1.1.debdiff
[Bug 1210822] Re: Please import 0.8.8b+dfsg-2 from Debian and backport security fixes to 12.04 LTS
Oops, the bug was against 12.04, not saucy. Reopened.

Once I fixed the Debian (old) stable packages, I will look into Ubuntu packages.

Just for the record, to abuse these CVEs, the user needs cacti administrator rights, so the risk is very high.
[Bug 1210822] Re: Please import 0.8.8b+dfsg-2 from Debian and backport security fixes to 12.04 LTS
This bug was fixed in the package cacti - 0.8.8b+dfsg-2

---
cacti (0.8.8b+dfsg-2) unstable; urgency=low

  * CVE-2013-1435 fix cause a regression in the handling of empty COMMENT
    lines in the rrd legend. Fixed by upstream:
    fix_COMMENT_in_graph_regression_from_CVE-2013-1435.patch
    (Closes: #719156)
  * Update jquery stylesheet to provide the cacti background color

 -- Paul Gevers Fri, 09 Aug 2013 22:34:26 +0200

cacti (0.8.8b+dfsg-1) unstable; urgency=low

  * New upstream release
    - Fixes SQL or command line injection via snmp settings or graph
      creation or edition that allows privileged users to execute
      arbitrary SQL commands or command line commands.
      CVE-2013-1434 and CVE-2013-1435
    - poller_cache_rebuild_on_install.patch included
  * Add d/rules get-orig-source target and accompanying script
  * Update japanese translation, thank victory (Closes: #717203)
  * Update vcs-* fields (thanks lintian)
  * Update standards (no changes needed)
  * Update years and my address in d/copyright
  * Allow any php5 SAPI provider to satify cacti dependency, thanks Ondřej
    Surý (php5 maintainer). Thus reverting the solution to bug #654843 as
    the original report was not a bug but a reporter mistake.
    libapache2-mod-fcgid does not provide php5 SAPI.

 -- Paul Gevers Wed, 07 Aug 2013 20:46:58 +0200

** Changed in: cacti (Ubuntu)
       Status: New => Fix Released

** Changed in: cacti (Ubuntu)
       Status: Fix Released => Triaged