[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked Won't Fix for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
Please feel free to report any other bugs you may find.
** Changed in: cacti (Ubuntu Karmic)
   Status: Incomplete => Won't Fix
** Changed in: cacti (Ubuntu Hardy)
   Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/599892
Title: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/599892/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
This bug was fixed in the package cacti - 0.8.7e-2ubuntu0.1
---------------
cacti (0.8.7e-2ubuntu0.1) lucid-security; urgency=low
  * SECURITY UPDATE: Fix SQL injection vulnerability in templates_export.php (LP: #599892)
    - debian/patches/CVE-2010-1431.patch: patch derived from upstream patch
    - CVE-2010-1431
  * SECURITY UPDATE: Fix cross-site scripting (XSS) vulnerabilities
    - debian/patches/CVE-2010-1644.patch: patch derived from upstream patch
    - CVE-2010-1644
  * SECURITY UPDATE: Fix arbitrary command execution vuln
    - debian/patches/CVE-2010-1645.patch: patch derived from upstream patches
    - CVE-2010-1645
  * SECURITY UPDATE: Fix a SQL injection vulnerability in graph.php
    - debian/patches/CVE-2010-2092.patch: patch derived from Debian patch
    - CVE-2010-2092
    - DSA-2060
  * SECURITY UPDATE: Fix cross-site scripting (XSS) vulnerabilities
    - debian/patches/CVE-2010-2543.patch: patch derived from upstream patches
    - CVE-2010-2543
    - CVE-2010-2544
    - CVE-2010-2545
 -- Brian Thomason brian.thoma...@canonical.com Mon, 24 Jan 2011 11:20:13 -0500
** Changed in: cacti (Ubuntu Lucid)
   Status: Fix Committed => Fix Released
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
Copied to lucid-security, too.
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
Unsubscribing ubuntu-security-sponsors. Please resubscribe if providing another debdiff for review.
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
I tested this package pretty thoroughly before submitting the debdiff. I installed it, added graphs, and verified that all the scripts that were modified could be used successfully. I'm sure you want a second pair of eyes on it though.
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
** Tags added: verification-done
** Tags removed: verification-needed
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
** Changed in: cacti (Ubuntu Lucid)
   Status: In Progress => Fix Committed
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
** Branch linked: lp:ubuntu/lucid-proposed/cacti
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
Pocket copied cacti to proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!
** Tags added: verification-needed
** Tags removed: security-verification
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
ACK for lucid, though I updated the version to be -2ubuntu0.1 instead of -2.1, following the versioning guide at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation
I'll upload this to security-proposed shortly. Thanks!
** Tags added: security-verification
** Changed in: cacti (Ubuntu Lucid)
   Status: New => In Progress
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
** Changed in: cacti (Ubuntu)
   Status: New => Invalid
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
** Changed in: cacti (Ubuntu Lucid)
   Status: Incomplete => New
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
** Patch removed: Lucid debdiff
   https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/599892/+attachment/1805141/+files/cacti_0.8.7e-2.1.debdiff
** Patch added: Updated Lucid debdiff
   https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/599892/+attachment/1822967/+files/cacti_0.8.7e-2.1.updated.debdiff
** Changed in: cacti (Ubuntu)
   Status: Invalid => New
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
Sorry about that major oversight. The lucid debdiff should be complete now.
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
Jaunty is EOL.
** Changed in: cacti (Ubuntu Jaunty)
   Status: Incomplete => Won't Fix
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
Thanks for the debdiff, Brian. There seem to be parts missing from the 2010-254* patch... AFAICT, the upstream commits are:
http://svn.cacti.net/viewvc?view=rev&revision=6025
http://svn.cacti.net/viewvc?view=rev&revision=6037
http://svn.cacti.net/viewvc?view=rev&revision=6038
http://svn.cacti.net/viewvc?view=rev&revision=6041
http://svn.cacti.net/viewvc?view=rev&revision=6042
Could you check, and update the patch if necessary?
Also, you should add Origin tags to your patches in the future so they are easier to retrace to the upstream commits, for example:
Origin: upstream, http://svn.cacti.net/viewvc?view=rev&revision=6025
or
Origin: backport, http://svn.cacti.net/viewvc?view=rev&revision=6025
I'm unsubscribing ubuntu-security-sponsors for now. Please re-subscribe ubuntu-security-sponsors when you update the debdiff, and set the status to NEW. Thanks!
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
2009-4032 - Already patched
2009-4112 - Affected but of low importance; upstream has not provided a patch
2010-1431 - Patched
2010-1644 - Patched
2010-1645 - Patched
2010-2092 - Patched
2010-2543,2544,2545 - Patched
** Patch added: Lucid debdiff
   https://bugs.launchpad.net/ubuntu/+source/cacti/+bug/599892/+attachment/1805141/+files/cacti_0.8.7e-2.1.debdiff
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
CVE-2009-4032, CVE-2010-1644, CVE-2010-1645, CVE-2010-2543, CVE-2010-2544, and CVE-2010-2545 are all fixed in 0.8.7g-1.
** Changed in: cacti (Ubuntu Maverick)
   Assignee: Brian Thomason (brian-thomason) => Jamie Strandboge (jdstrand)
** Changed in: cacti (Ubuntu Maverick)
   Status: Incomplete => Confirmed
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
I am going to close the maverick task since I created a sync request for it in https://bugs.edge.launchpad.net/ubuntu/+source/cacti/+bug/646909.
** Changed in: cacti (Ubuntu Maverick)
   Status: Confirmed => Invalid
** Changed in: cacti (Ubuntu Maverick)
   Assignee: Jamie Strandboge (jdstrand) => (unassigned)
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
** Tags added: jaunty karmic lucid maverick
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
Unsubscribing ubuntu-security-sponsors since the debdiff is incomplete.
** Changed in: cacti (Ubuntu Lucid)
   Status: Confirmed => Incomplete
** Changed in: cacti (Ubuntu Lucid)
   Assignee: (unassigned) => Brian Thomason (brian-thomason)
** Changed in: cacti (Ubuntu Hardy)
   Status: Confirmed => Incomplete
** Changed in: cacti (Ubuntu Hardy)
   Assignee: (unassigned) => Brian Thomason (brian-thomason)
** Changed in: cacti (Ubuntu Jaunty)
   Status: Confirmed => Incomplete
** Changed in: cacti (Ubuntu Jaunty)
   Assignee: (unassigned) => Brian Thomason (brian-thomason)
** Changed in: cacti (Ubuntu Karmic)
   Status: Confirmed => Incomplete
** Changed in: cacti (Ubuntu Karmic)
   Assignee: (unassigned) => Brian Thomason (brian-thomason)
** Also affects: cacti (Ubuntu Maverick)
   Importance: Medium
   Assignee: Brian Thomason (brian-thomason)
   Status: Confirmed
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the changes are complete. Thanks!
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
Maverick is affected by CVE-2009-4032 for sure, and CVE-2009-4112 needs to be investigated.
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4112
** Changed in: cacti (Ubuntu Maverick)
   Status: Confirmed => Incomplete
[Bug 599892] Re: [Security] cacti - CVE-2009-4032, CVE-2010-1431, and CVE-2010-2092
There are more security issues in cacti that need fixing:
cacti 0.8.7g fixes CVE-2010-2543, CVE-2010-2544, CVE-2010-2545
cacti 0.8.7f fixes CVE-2010-1644, CVE-2010-1645, CVE-2010-2092, CVE-2010-1431
** Visibility changed to: Public
** Changed in: cacti (Ubuntu)
   Status: New => Confirmed
** Changed in: cacti (Ubuntu)
   Importance: Undecided => Medium
** Also affects: cacti (Ubuntu Hardy)
   Importance: Undecided
   Status: New
** Also affects: cacti (Ubuntu Jaunty)
   Importance: Undecided
   Status: New
** Also affects: cacti (Ubuntu Lucid)
   Importance: Undecided
   Status: New
** Also affects: cacti (Ubuntu Karmic)
   Importance: Undecided
   Status: New
** Changed in: cacti (Ubuntu Hardy)
   Status: New => Confirmed
** Changed in: cacti (Ubuntu Lucid)
   Status: New => Confirmed
** Changed in: cacti (Ubuntu Jaunty)
   Status: New => Confirmed
** Changed in: cacti (Ubuntu Karmic)
   Status: New => Confirmed
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1644
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1645
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2543
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2544
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2545