
Re: [SECURITY] [DSA 1569-1] New cacti packages ...
\ sean finney (5 May 2008)
. \ Thijs Kinkhorst (6 May 2008)

Subject: Re: [SECURITY] [DSA 1569-1] New cacti packages fix multiple vulnerabilities
Group: Debian-security
From: sean finney
Date: 5 May 2008

hi guys,

as i alerted you on IRC, this update renders cacti unusable. see: #479618
and #479621 .

it's pretty clear that the upload was done without any testing, and
furthermore without first submitting a bug on the cacti package. tsk tsk :)

sean

On Monday 05 May 2008 05:58:54 pm Thijs Kinkhorst wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1569-1                            security
> http://www.debian.org/security/                        Thijs Kinkhorst
> May 05, 2008                          http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package : cacti
> Vulnerability : insufficient input sanitising
> Problem type : remote
> Debian-specific: no
> CVE Id(s) : CVE-2008-0783 CVE-2008-0785
>
> It was discovered that Cacti, a systems and services monitoring frontend,
> performed insufficient input sanitising, leading to cross site scripting
> and SQL injection being possible.
>
> For the stable distribution (etch), this problem has been fixed in
> version 0.8.6i-3.3.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 0.8.7b-1.
>
> We recommend that you upgrade your cacti package.
>
> Upgrade instructions
> --------------------
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 4.0 alias etch
> -------------------------------
>
> Source archives:
>
>
> http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i.orig.tar.gz
>   Size/MD5 checksum:  1122700 341b5828d95db91f81f5fbba65411d63
> http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3.diff.gz
>   Size/MD5 checksum:    36683 4b795036336167be4bf6cd2ef2987114
> http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3.dsc
>   Size/MD5 checksum:      873 74f26b805c7cf676f573000b50230179
>
> Architecture independent packages:
>
>
> http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3_all.deb
>   Size/MD5 checksum:   959394 a9d1a594ff7d2386b28296a2c8909cd5
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
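The quoted advisory lists a Size/MD5 pair for each file and then tells the reader to `wget` and `dpkg -i` it. The step it leaves implicit is checking the download against those values before handing it to dpkg. The script below does that; it is an added example written for this page, not code from the advisory, from Debian or from the cacti package. The URL, size and digest constants are copied from the advisory text above; the `DRY_RUN` switch, the function names and the test file are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of DSA-1569-1 or the cacti package): verify a
# downloaded Debian artifact against the "Size/MD5 checksum" pair printed in
# an advisory before passing it to dpkg -i. Needs only POSIX sh, wc, cut and
# md5sum (or BSD md5 as a fallback).

# md5_of FILE: print the hex MD5 digest of FILE.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_artifact FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only when both the byte count and the digest match what the
# advisory printed; every mismatch is reported on stderr and returns 1.
verify_artifact() {
    file=$1
    want_size=$2
    want_md5=$3

    if [ ! -f "$file" ]; then
        echo "verify_artifact: $file: no such file" >&2
        return 1
    fi

    got_size=$(wc -c < "$file" | tr -d ' ')
    got_md5=$(md5_of "$file")

    if [ "$got_size" != "$want_size" ]; then
        echo "verify_artifact: $file: size $got_size, advisory says $want_size" >&2
        return 1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "verify_artifact: $file: md5 $got_md5, advisory says $want_md5" >&2
        return 1
    fi
    return 0
}

# install_verified URL EXPECTED_SIZE EXPECTED_MD5
# Fetches URL into the current directory, verifies it, and only then runs
# dpkg -i. A failed check deletes the file so a bad download cannot be
# installed by hand later. DRY_RUN=1 (an assumption of this example) skips
# the network fetch and the dpkg call so the logic can be exercised offline.
install_verified() {
    url=$1
    deb=$(basename "$url")
    if [ -z "$DRY_RUN" ]; then
        wget -q -O "$deb" "$url" || return 1
    fi
    if ! verify_artifact "$deb" "$2" "$3"; then
        rm -f "$deb"
        return 1
    fi
    if [ -z "$DRY_RUN" ]; then
        dpkg -i "$deb"
    fi
}

# Values copied from the DSA-1569-1 text for the etch binary package.
CACTI_DEB_URL=http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.3_all.deb
CACTI_DEB_SIZE=959394
CACTI_DEB_MD5=a9d1a594ff7d2386b28296a2c8909cd5

# Real use on an etch host (as root):
#   install_verified "$CACTI_DEB_URL" "$CACTI_DEB_SIZE" "$CACTI_DEB_MD5"
```

The digest in an advisory guards against a truncated or corrupted download, not against a hostile mirror: MD5 collisions are practical and the advisory text itself is not signed by this check. Where possible take the package through `apt-get upgrade` from the security.debian.org source line in the footer, so that apt's signed Release files verify the archive index, and treat the manual `wget`/`dpkg -i` path above as the fallback for hosts without apt access.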