Message-Id: <200905181716.54127.rbu@gentoo.org>
Date: Mon, 18 May 2009 17:16:50 +0200
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: Henri Salo <henri@...v.fi>,
 coley@...us.mitre.org
Subject: Re: CVE Request for cacti

Hi Henri,

On Friday 15 May 2009, Henri Salo wrote:
> I would like to obtain CVE identifier for security bug[1] in
> cacti[2]. I believe this version of cacti is still used in some
> servers[3][4].
>
> 1: http://bugs.cacti.net/view.php?id=1245

The resolution indicates the bug had already been fixed at the time the 
bug was reported, thus implying it was a duplicate report of 
CVE-2008-0783. The CVE-2008-0783 patch [1] explicitly validates 
the 'action' variable as mentioned in the bug report.

However, the original poster reported the 0.8.6i-3.4 Debian revision as 
vulnerable and according to DSA 1569-2 [2], it should not have been.

Do you have any indication this is not covered by CVE-2008-0783?


Robert

[1] http://www.cacti.net/downloads/patches/0.8.7a/multiple_vulnerabilities-0.8.7a.patch
[2] http://lists.debian.org/debian-security-announce/2008/msg00144.html

