|
|
Subscribe / Log in / New account

Arch Linux alert ASA-201602-24 (cacti)

From:  Christian Rebischke <Chris.Rebischke@archlinux.org>
To:  arch-security@archlinux.org
Subject:  [arch-security] [ASA-201602-24] cacti: sql injection
Date:  Sun, 28 Feb 2016 03:04:58 +0100
Message-ID:  <20160228020458.GA15216@motoko>

Arch Linux Security Advisory ASA-201602-24 ========================================== Severity: High Date : 2016-02-28 CVE-ID : CVE-2015-8604 CVE-2015-8377 CVE-2015-8369 Package : cacti Type : sql injection Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package cacti before version 0.8.8_g-2 is vulnerable to sql injection. Resolution ========== Upgrade to 0.8.8_g-2. # pacman -Syu "cacti>=0.8.8_g-2" The problem has been fixed upstream in version 0.8.8_g. Workaround ========== None. Description =========== - CVE-2015-8604 (sql injection) SQL injection in graphs_new.php. - CVE-2015-8377 (sql injection) SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php. - CVE-2015-8369 (sql injection) SQL injection in graph.php. Impact ====== A remote attacker is able to get access to the cacti database. References ========== http://www.openwall.com/lists/oss-security/2016/01/04/8 https://bugs.mageia.org/show_bug.cgi?id=17352 http://www.cacti.net/release_notes_0_8_8g.php


to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds