From: Aaron Bauman
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Subject: [gentoo-announce] [ GLSA 201711-10 ] Cacti: Multiple vulnerabilities
Date: Sat, 11 Nov 2017 14:58:30 -0500

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201711-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Cacti: Multiple vulnerabilities
     Date: November 11, 2017
     Bugs: #607732, #626828
       ID: 201711-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Cacti, the worst of which
could lead to the remote execution of arbitrary code.

Background
==========

Cacti is a complete frontend to rrdtool.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/cacti       < 1.1.20:1.1.20         >= 1.1.20:1.1.20

Description
===========

Multiple vulnerabilities have been discovered in Cacti. Please review
the CVE identifiers referenced below for details.

Impact
======

Remote attackers could execute arbitrary code or bypass intended access
restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Cacti users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=net-analyzer/cacti-1.1.20:1.1.20"
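
To confirm whether a host still needs the upgrade above, the following added example (not part of the advisory) tests a net-analyzer/cacti version string against the vulnerable range "< 1.1.20". The function name and the sample versions are constructed; GNU "sort -V" is assumed for version ordering.

```shell
#!/bin/sh
# Added example: is a net-analyzer/cacti version inside the range this GLSA
# lists as vulnerable (< 1.1.20)? Helper name and samples are constructed.

FIXED_VERSION="1.1.20"   # first unaffected version, taken from the advisory

# cacti_is_vulnerable VERSION
# Returns 0 (true) when VERSION is lower than FIXED_VERSION, 1 otherwise.
cacti_is_vulnerable() {
    ver=${1%-r[0-9]*}        # drop a Gentoo revision suffix such as -r1
    base=${ver%%_*}          # version part before any _rc/_beta/_p suffix
    suffix=${ver#"$base"}    # "", "_rc1", "_p2", ...

    if [ "$base" = "$FIXED_VERSION" ]; then
        # Same base version: Gentoo orders _alpha/_beta/_pre/_rc before the
        # release, so those are still below 1.1.20; "" and _p are not.
        case $suffix in
            _alpha*|_beta*|_pre*|_rc*) return 0 ;;
            *) return 1 ;;
        esac
    fi

    # Different base: version sort (not string sort) decides, so that
    # 1.1.3 is correctly ordered before 1.1.20.
    lowest=$(printf '%s\n%s\n' "$base" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$base" ]
}

# Constructed sample versions, not taken from the advisory.
for v in 0.8.8h 1.1.3 1.1.19 1.1.20_rc1 1.1.20 1.1.20-r1 1.1.28; do
    if cacti_is_vulnerable "$v"; then
        echo "$v: vulnerable, upgrade to >= $FIXED_VERSION"
    else
        echo "$v: unaffected"
    fi
done
```

A plain string comparison would rank 1.1.3 above 1.1.20 and report it as unaffected, which is why the check uses version ordering.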

 

References
==========

[ 1 ] CVE-2014-4000
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4000
[ 2 ] CVE-2016-2313
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2313
[ 3 ] CVE-2017-12065
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12065

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201711-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
