| Summary: | cacti new security issues CVE-2015-8369, CVE-2015-8377, and CVE-2015-8604 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/668315/ | ||
| Whiteboard: | has_procedure MGA5-64-OK advisory | ||
| Source RPM: | cacti-0.8.8f-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-12-17 17:24:47 CET
mga5 x86_64 Mate

Installed the patched version of cacti having already created the cacti database. Note that in the pre-update case I was unable to log in as the newly created user.

Imported the default cacti database using mysql and added a user with password. Checked config.php to make sure the user and password had been written correctly. Modified /etc/crontab as suggested in the installation and test procedure linked in bug #13930, then logged in as admin in a browser to change the admin password. Logged out and tried to log in as the user and failed. Had to back out and log in as admin to define graphs for the Linux machine device, statistics for the hard disk partitions. Not expecting much because it looks like I messed this up somehow. Waiting anyway on a half hour update.

CC: (none) =>
tarazed25

Have read the instructions and tried again to create a cacti user and failed. I cannot log in as the user. This is the procedure I followed (with some elision):

As root, created the symbolic link /log in /usr/share/cacti pointing to /var/log/cacti. Not sure if that should be /var/log/cacti/cacti.log; there is such a file.

```
$ mysql cacti < /usr/share/cacti/sql/cacti.sql
ERROR 1050 (42S01) at line 5: Table 'cdef' already exists
$ mysql --user=root mysql
> GRANT ALL ON cacti.* TO lcl@localhost IDENTIFIED BY 'anyoldpassword';
> flush privileges;
> exit;
$ cd /usr/share/cacti
$ su
......
# chown -R lcl rra/ log/
# vi include/config.php
.....
# cat include/config.php
......
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "lcl";
$database_password = "anyoldpassword";
$database_port = "3306";
$database_ssl = false;

/* Edit this to point to the default URL of your Cacti install
   ex: if your cacti install as at http://serverip/cacti/ this would be set to /cacti/ */
$url_path = "/cacti/";

/* Default session name - Session name must contain alpha characters */
$cacti_session_name = "Cacti";

$config["library_path"] = '/usr/share/cacti/lib';
$config["rra_path"] = '/var/lib/cacti';
$config['url_path'] = '/cacti/';
.....
# exit
```

The ownership of /var/lib/cacti and /var/log/cacti is lcl:apache. This is a bit of a puzzle. What more is needed?

Debian-LTS has issued an advisory on December 26:
http://lwn.net/Alerts/669382/

It fixes one additional issue, CVE-2015-8377:
http://lwn.net/Vulnerabilities/669404/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807599
http://bugs.cacti.net/view.php?id=2646

but according to comments in the Debian bug above, the fix caused a regression.

Summary: cacti new security issue CVE-2015-8369 =>
cacti new security issues CVE-2015-8369 and CVE-2015-8377

Debian-LTS issued two additional advisories with regression fixes, so I'll need to pull the patches from the latest squeeze update:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807599

And there's a new issue, CVE-2015-8604, with no patch yet:
http://openwall.com/lists/oss-security/2016/01/04/9

Debian-LTS has issued an advisory today (January 14):
http://lwn.net/Alerts/671883/

It fixes one additional issue, CVE-2015-8604:
http://lwn.net/Vulnerabilities/671906/

Summary: cacti new security issues CVE-2015-8369 and CVE-2015-8377 =>
cacti new security issues CVE-2015-8369, CVE-2015-8377, and CVE-2015-8604

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:

========================

Updated cacti package fixes security vulnerability:

Several SQL injection vulnerabilities have been discovered in Cacti. Specially crafted input can be used by an attacker in the rra_id value of the graph.php script to execute arbitrary SQL commands on the database (CVE-2015-8369).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8604
https://www.debian.org/security/2015/dsa-3423
http://lwn.net/Alerts/669382/
http://lwn.net/Alerts/671883/

========================

Updated packages in core/updates_testing:

========================

cacti-0.8.8f-1.2.mga5 from cacti-0.8.8f-1.2.mga5.src.rpm

Whiteboard: has_procedure feedback => has_procedure

Testing M5 x64 OK

Updated existing installation to: cacti-0.8.8f-1.2.mga5
http://localhost/cacti just worked as previously. Nothing untoward noticed.

Trying something new: add a user from the console/user admin. This in itself went fine, and that user could log in. But despite having ticked all the boxes that seemed relevant for the user to view existing graphs, nothing was available to him. The Graphs tab stopped at the word 'Tree'. This has nothing to do with the update, just my ignorance of Cacti...

CC: (none) => lewyssmith
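The advisory quoted in this bug describes SQL injection through the rra_id value of graph.php, a parameter that should only ever be an integer. The PHP below is an added illustrative example, not Cacti's code and not the Debian patch: `build_query_unsafe` shows the general pattern behind this class of bug (a raw request value concatenated into the SQL text), and `validate_id` plus `fetch_rra` show the hardened form (accept only a non-negative integer, then bind it as a PDO parameter). The `rra` table, its columns, the sample rows, the sample request values and the in-memory SQLite database are all constructed for the demo; the function names are hypothetical, and running it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not Cacti's own code: validating an integer request
// parameter (such as rra_id) before it reaches the database.
declare(strict_types=1);

// The pattern behind this class of bug (hypothetical, kept only for contrast):
// the raw request value becomes part of the SQL text, so anything other than
// a plain number changes the meaning of the query. Never use this form.
function build_query_unsafe(string $rra_id): string
{
    return "SELECT id, name FROM rra WHERE id = " . $rra_id;
}

// Hardened form, step 1: accept only a non-negative integer.
// FILTER_VALIDATE_INT returns false for anything that is not a whole number,
// so a value like "1 OR 1=1" is rejected before any SQL is prepared.
function validate_id(mixed $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException('rra_id must be a non-negative integer');
    }
    return $id;
}

// Hardened form, step 2: bind the validated value as an integer parameter.
// The prepared statement keeps the value out of the SQL text entirely, so
// the query's structure cannot change even if validation were ever bypassed.
function fetch_rra(PDO $db, mixed $raw_rra_id): ?array
{
    $id = validate_id($raw_rra_id);
    $stmt = $db->prepare('SELECT id, name FROM rra WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the real cacti schema
// (assumes the pdo_sqlite extension is loaded).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rra (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO rra (id, name) VALUES "
        . "(1, 'Daily (5 Minute Average)'), (2, 'Weekly (30 Minute Average)')");

// Constructed request values: two legitimate ids, one injection-shaped string,
// one negative number, one non-numeric string.
$samples = ['1', '2', '1 OR 1=1', '-5', 'abc'];
foreach ($samples as $raw) {
    try {
        $row = fetch_rra($db, $raw);
        printf("%-12s -> %s\n", var_export($raw, true),
               $row === null ? 'no such rra' : $row['name']);
    } catch (InvalidArgumentException $e) {
        printf("%-12s -> rejected (%s)\n", var_export($raw, true), $e->getMessage());
    }
}
```

Run with `php` on the command line: the two legitimate ids return their rows, and the other three values are rejected by `validate_id` before a statement is even prepared. The check worth carrying into a real code review is that every identifier read from the request passes through the same validate-then-bind path; a single call site that still uses the `build_query_unsafe` shape is enough to reintroduce the issue.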
Dave Hodgins
2016-01-20 00:17:41 CET

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0025.html

Status: NEW => RESOLVED