From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 24BBC138247 for ; Tue, 21 Jan 2014 19:33:13 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 36713E10C2; Tue, 21 Jan 2014 19:29:46 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 9F2DCE1094 for ; Tue, 21 Jan 2014 19:29:22 +0000 (UTC) Received: from [192.168.0.194] (pool-72-95-30-31.hrbgpa.fios.verizon.net [72.95.30.31]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: ackle) by smtp.gentoo.org (Postfix) with ESMTPSA id 1323133FA96 for ; Tue, 21 Jan 2014 19:29:20 +0000 (UTC) Message-ID: <52DECA47.1080303@gentoo.org> Date: Tue, 21 Jan 2014 14:28:07 -0500 From: Sean Amoss User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@lists.gentoo.org MIME-Version: 1.0 To: gentoo-announce@gentoo.org Subject: [gentoo-announce] [ GLSA 201401-20 ] Cacti: Multiple vulnerabilities X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="xcjjgRvoW3eNFBC2snWBaOSrJD5WiXS5B" X-Archives-Salt: a3228004-d47f-4c13-8378-33ad935d3b8a X-Archives-Hash: 0c3b671b370b966a87b52a7c438566e0 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --xcjjgRvoW3eNFBC2snWBaOSrJD5WiXS5B Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201401-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Cacti: Multiple vulnerabilities Date: January 21, 2014 Bugs: #324031, #480196 ID: 201401-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis =3D=3D=3D=3D=3D=3D=3D=3D Multiple vulnerabilities have been found in Cacti, allowing attackers to execute arbitrary code or perform XSS attacks. Background =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality. Affected packages =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/cacti < 0.8.8b >=3D 0.8.8b Description =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Multiple vulnerabilities have been discovered in Cacti. Please review the CVE identifiers referenced below for details. Impact =3D=3D=3D=3D=3D=3D A remote attacker could execute arbitrary SQL commands via specially crafted parameters, execute arbitrary shell code or inject malicious script code. Workaround =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D There is no known workaround at this time. Resolution =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D All Cacti users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=3Dnet-analyzer/cacti-0.8.8b" References =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D [ 1 ] CVE-2010-1644 http://web.nvd.nist.gov/view/vuln/detail?vulnId=3DCVE-2010-1644 [ 2 ] CVE-2010-1645 http://web.nvd.nist.gov/view/vuln/detail?vulnId=3DCVE-2010-1645 [ 3 ] CVE-2010-2092 http://web.nvd.nist.gov/view/vuln/detail?vulnId=3DCVE-2010-2092 [ 4 ] CVE-2010-2543 http://web.nvd.nist.gov/view/vuln/detail?vulnId=3DCVE-2010-2543 [ 5 ] CVE-2010-2544 http://web.nvd.nist.gov/view/vuln/detail?vulnId=3DCVE-2010-2544 [ 6 ] CVE-2010-2545 http://web.nvd.nist.gov/view/vuln/detail?vulnId=3DCVE-2010-2545 [ 7 ] CVE-2013-1434 http://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2013-1434 [ 8 ] CVE-2013-1435 http://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2013-1435 Availability =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201401-20.xml Concerns? =3D=3D=3D=3D=3D=3D=3D=3D=3D Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License =3D=3D=3D=3D=3D=3D=3D Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --xcjjgRvoW3eNFBC2snWBaOSrJD5WiXS5B Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlLeykcACgkQAnl3SfnYR/gphgD/XBJ8t+x5jenKdSZK7QKOZyiV wjRazORxOoClKgzFcmwA/iMtXhik7SUNMMmG20+wgkb14W6VnRWpxP4KaYQnMP0z =+7cB -----END PGP SIGNATURE----- --xcjjgRvoW3eNFBC2snWBaOSrJD5WiXS5B--