Bug 13626

Summary: cacti several new security issues (XSS, CSRF, possibly others)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: dpremy, mageia, rverschelde, sysadmin-bugs
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/595278/
Whiteboard: has_procedure mga4-64-ok mga4-32-ok advisory
Source RPM: cacti-0.8.8b-3.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2014-06-30 23:11:22 CEST
Fedora has issued an advisory on April 8:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131842.html

Looks like we missed this one before.  I'm not sure if the CVE-2014-270[89] issues are the same as were previously fixed in Bug 10951.  They sound similar, but Bug 10951 made it sound like they were fixed in 0.8.8b, but Fedora apparently added additional patches on top of that version.

Debian has issued an advisory for this on June 29:
https://www.debian.org/security/2014/dsa-2970

It lists an additional CVE, CVE-2014-4002.

Mageia 4 is also affected.

David Walser 2014-06-30 23:11:31 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2014-07-08 18:26:51 CEST
LWN reference for CVE-2014-4002:
http://lwn.net/Vulnerabilities/604682/

Comment 2 Oden Eriksson 2014-07-11 13:17:15 CEST
Patches have been added in cacti-0.8.8b-4.mga5 and cacti-0.8.8b-3.1.mga4 that fix: CVE-2014-2326, CVE-2014-2328, CVE-2014-2708, CVE-2014-2709, CVE-2014-4002

Comment 3 David Walser 2014-07-11 18:36:25 CEST
Thanks Oden.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

Multiple security issues (cross-site scripting, cross-site request forgery,
SQL injections, missing input sanitising) have been found in Cacti
(CVE-2014-2326, CVE-2014-2328, CVE-2014-2708, CVE-2014-2709, CVE-2014-4002).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4002
https://www.debian.org/security/2014/dsa-2970
========================

Updated packages in core/updates_testing:
========================
cacti-0.8.8b-3.1.mga4

from cacti-0.8.8b-3.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 4 David Remy 2014-07-19 05:32:06 CEST
Procedures can be found at:
http://www.cacti.net/downloads/docs/html/unix_configure_cacti.html

Once installed you can browse to http://localhost/cacti and look at the graphs, use the console to add more graphs or other devices.

CC: (none) => dpremy
Whiteboard: (none) => has_procedure

Comment 5 David Remy 2014-07-19 05:35:10 CEST
Testing on mga4-64.

Installed cacti-0.8.8b-3.mga4 and used the default config with a few other devices added from my network.

Upgraded to cacti-0.8.8b-3.1.mga4 and all features tested worked as expected. Could not reproduce security vuln but will add ok.

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 6 David Remy 2014-07-19 05:42:49 CEST
Same tests done on mga4-32 as I did with mga4-64 with no issues. Marking ok.

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok mga4-32-ok

Comment 7 David Walser 2014-07-24 03:03:47 CEST
Validating now so it doesn't get missed.  The advisory still needs to be uploaded.

Sysadmins, please push this to updates for Mageia 4.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Rémi Verschelde 2014-07-26 11:39:58 CEST
Advisory uploaded.

CC: (none) => remi
Whiteboard: has_procedure mga4-64-ok mga4-32-ok => has_procedure mga4-64-ok mga4-32-ok advisory

Comment 9 Colin Guthrie 2014-07-26 14:59:01 CEST
Update pushed

http://advisories.mageia.org/MGASA-2014-0302.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED