| Summary: | cacti new security issues CVE-2017-10970, CVE-2017-11163, CVE-2017-11691, and CVE-2017-1206[56] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | mageia, sysadmin-bugs |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | has_procedure advisory mga6-64-ok | ||
| Source RPM: | cacti-1.0.4-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 20211 | ||
|
Description
David Walser
2017-07-14 22:20:23 CEST
David Walser
2017-07-14 22:20:30 CEST
Whiteboard:
(none) =>
MGA6TOO Also fixed in 1.1.13: https://www.cacti.net/release_notes.php?version=1.1.13 1.1.14 fixes an XSS issue as well: https://www.cacti.net/release_notes.php?version=1.1.14 It has been assigned CVE-2017-11691: http://openwall.com/lists/oss-security/2017/07/27/1 The upstream commit to fix that issue is linked in the message above. Summary:
cacti new security issue CVE-2017-10970 =>
cacti new security issues CVE-2017-10970 and CVE-2017-11691 1.1.16 has been released on July 29: https://www.cacti.net/release_notes.php?version=1.1.16 Apparently it fixes CVE-2017-12065 and CVE-2017-12066. Fedora has issued an advisory for this on August 7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/ Summary:
cacti new security issues CVE-2017-10970 and CVE-2017-11691 =>
cacti new security issues CVE-2017-10970, CVE-2017-11691, and CVE-2017-1206[56] Apparently 1.1.13 also fixed CVE-2017-11163. openSUSE has issued an advisory for this today (August 8): https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html Summary:
cacti new security issues CVE-2017-10970, CVE-2017-11691, and CVE-2017-1206[56] =>
cacti new security issues CVE-2017-10970, CVE-2017-11163, CVE-2017-11691, and CVE-2017-1206[56] fixed on cauldron Version:
Cauldron =>
6 Pushed in updates_testing for mageia6
src.rpm:
cacti-1.1.16-1.mga6Assignee:
luis.daniel.lucio =>
qa-bugs Procedure in bug 13930. Mageia 5 also needs to be updated. That can be handled in Bug 20211. Advisory: ======================== Updated cacti package fixes security vulnerabilities: Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php (CVE-2017-10970). Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable (CVE-2017-11163). A Cross-site scripting vulnerability exists in cacti before 1.1.14 in the user profile managment page (auth_profile.php), allowing inject arbitrary web script or HTML via specially crafted HTTP Referer headers (CVE-2017-11691). spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter (CVE-2017-12065). Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable (CVE-2017-12066). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11163 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11691 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066 https://www.cacti.net/changelog.php https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/ http://openwall.com/lists/oss-security/2017/07/27/1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/ https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html ======================== Updated packages in core/updates_testing: ======================== cacti-1.1.16-1.mga6 from cacti-1.1.16-1.mga6.src.rpm Whiteboard:
(none) =>
has_procedure pushed in mga5 too
Lewis Smith
2017-08-13 10:26:14 CEST
Whiteboard:
has_procedure =>
has_procedure advisory Testing complete mga6 64 & validating Bit of a pain to test. It requires tzdata installing in mysql and 'privileges granting to it for cacti. See.. https://github.com/Cacti/cacti/issues/361 Also password restrictions exist on the mysql user for cacti and cacti admin user after install, forcing complex passwords. Cacti reports one requirement at a time making you jump through hoops but it basically needs to be 8 characters with a mix of caps/non caps and one special character. Appears to work ok, was able to produce empty graphs so didn't leave it running. CC:
(none) =>
sysadmin-bugs Also requires more or less.. chown -R apache:apache /usr/share/cacti ..during installation Oh, and a number in the password. (In reply to claire robinson from comment #10) > Also requires more or less.. > chown -R apache:apache /usr/share/cacti > > ..during installation Sounds like something that should be fixed in the package. Something like: -%{_datadir}/%{name} +%attr(-,apache,apache) %{_datadir}/%{name} Yeah, i'll create a bug for it. This was from the release version, presumably similar in this update though. /usr/share/cacti/* may be too much so will need to be checked more thoroughly by someone who knows it. An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0267.html Resolution:
(none) =>
FIXED |