Debian: DSA-1954-1: New cacti packages fix insufficient input sanitising

    Date: 16 Dec 2009
    Category: Debian
    Posted by: LinuxSecurity Advisories
    Several vulnerabilities have been found in cacti, a frontend to rrdtool for monitoring systems and services. The Common Vulnerabilities and Exposures project identifies the following problems:
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1954-1
    http://www.debian.org/security/                      Steffen Joeris
    December 16, 2009                     http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : cacti                                         
    Vulnerability  : insufficient input sanitising                 
    Problem type   : remote                                        
    Debian-specific: no                                            
    CVE Ids        : CVE-2007-3112 CVE-2007-3113 CVE-2009-4032     
    Debian Bugs    : 429224                                        
    
    Several vulnerabilities have been found in cacti, a frontend to rrdtool
    for monitoring systems and services. The Common Vulnerabilities and
    Exposures project identifies the following problems:
    
    CVE-2007-3112, CVE-2007-3113
    
    It was discovered that cacti is prone to a denial of service via the
    graph_height, graph_width, graph_start and graph_end parameters.
    This issue only affects the oldstable (etch) version of cacti.
    
    CVE-2009-4032
    
    It was discovered that cacti is prone to several cross-site scripting
    attacks via different vectors.
    
    CVE-2009-4112
    
    It has been discovered that cacti allows authenticated administrator
    users to gain access to the host system by executing arbitrary commands
    via the "Data Input Method" for the "Linux - Get Memory Usage" setting.
    
    There is no fix for this issue at this stage. Upstream will implement a
    whitelist policy to only allow certain "safe" commands. For the moment,
    we recommend that such access is only given to trusted users and that
    the options "Data Input" and "User Administration" are otherwise
    deactivated.
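    As an added illustration of the allowlist approach the advisory says upstream intends to adopt (this is not cacti's code; the allowlisted command names and the sample Data Input Method definitions are constructed assumptions), the validator below accepts a command string only if it parses cleanly, names an allowlisted binary and contains no shell syntax:

```python
import os
import shlex

# Hypothetical allowlist of binaries a Data Input Method may launch. cacti's
# real upstream allowlist is not on the page, so these names are assumptions.
SAFE_COMMANDS = {"free", "vmstat", "uptime", "df"}

# Characters that only mean something to a shell. Any of them turns the
# "command" into a shell script, which is exactly what must not be allowed.
SHELL_METACHARS = set(";|&`$()<>\n")


def check_input_method(command: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a Data Input Method command string."""
    if any(c in SHELL_METACHARS for c in command):
        return False, "shell metacharacters are not permitted"
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    if os.path.basename(argv[0]) not in SAFE_COMMANDS:
        return False, f"{argv[0]!r} is not on the allowlist"
    # Keep arguments to plain words and options so the allowlisted binary
    # cannot be pointed at arbitrary paths on the host.
    for arg in argv[1:]:
        if arg.startswith("/") or ".." in arg:
            return False, f"argument {arg!r} is not permitted"
    return True, "ok"


# Constructed sample definitions (not cacti's shipped Data Input Methods).
SAMPLES = {
    "Memory usage": "free -b",
    "Pipeline": "free -m | grep Mem",
    "Custom script": "/usr/local/bin/collect_stats.sh",
}


def audit(samples: dict[str, str]) -> dict[str, bool]:
    """Map each sample name to whether its command passes the allowlist."""
    return {name: check_input_method(cmd)[0] for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        allowed, reason = check_input_method(cmd)
        print(f"{'ALLOW ' if allowed else 'REJECT'} {name}: {cmd} ({reason})")
```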
    
    
    For the oldstable distribution (etch), these problems have been fixed in
    version 0.8.6i-3.6.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 0.8.7b-2.1+lenny1.
    
    For the testing distribution (squeeze), this problem will be fixed soon.
    
    For the unstable distribution (sid), this problem has been fixed in
    version 0.8.7e-1.1.
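    To check whether an installed package already carries one of the fixed versions listed above, here is an added Python reimplementation of dpkg's version ordering (epoch, then upstream part, then Debian revision, with "~" sorting before everything). It is not Debian's own code; the installed version string is assumed to come from dpkg-query:

```python
import re

# Fixed cacti versions named in the advisory, keyed by suite (squeeze: none yet).
FIXED_VERSIONS = {"etch": "0.8.6i-3.6", "lenny": "0.8.7b-2.1+lenny1", "sid": "0.8.7e-1.1"}


def _order(c: str) -> int:
    """dpkg's character weight: '~' sorts before everything, even end-of-string."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version part (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights; end-of-string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: compare numerically, so 10 > 9 and 01 == 1.
        na = re.match(r"\d*", a[i:]).group()
        nb = re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        if int(na or "0") != int(nb or "0"):
            return int(na or "0") - int(nb or "0")
    return 0


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for Debian versions a < b, a == b, a > b."""
    def split(v: str):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    for x, y in zip(split(a), split(b)):
        c = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if c:
            return (c > 0) - (c < 0)
    return 0


def is_fixed(suite: str, installed: str) -> bool:
    """True if `installed` (e.g. from dpkg-query -W -f='${Version}' cacti) has the fix."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0
```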
    
    
    We recommend that you upgrade your cacti packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (oldstable)
    - ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i.orig.tar.gz
        Size/MD5 checksum:  1122700 341b5828d95db91f81f5fbba65411d63
      http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6.diff.gz
        Size/MD5 checksum:    38419 4ee9e373817ebc32297e1c3de8fee10d
      http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6.dsc
        Size/MD5 checksum:      590 bb8fb25c6db1cd6a2a785f879943d969
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6_all.deb
        Size/MD5 checksum:   962816 9093e9f9abaa6c3dbbedad24cc1d4f7e
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b.orig.tar.gz
        Size/MD5 checksum:  1972444 aa8a740a6ab88e3634b546c3e1bc502f
      http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1.diff.gz
        Size/MD5 checksum:    37232 04459452593e23c5e837920cfd0f1789
      http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1.dsc
        Size/MD5 checksum:     1117 d67349656ce9514266e7d5d2f378a219
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1_all.deb
        Size/MD5 checksum:  1847182 3876f128fdcc2aefa63d65531875d2ab
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/
    