Arch Linux alert ASA-201602-24 (cacti)
From: | Christian Rebischke <Chris.Rebischke@archlinux.org> | |
To: | arch-security@archlinux.org | |
Subject: | [arch-security] [ASA-201602-24] cacti: sql injection | |
Date: | Sun, 28 Feb 2016 03:04:58 +0100 | |
Message-ID: | <20160228020458.GA15216@motoko> |
Arch Linux Security Advisory ASA-201602-24 ========================================== Severity: High Date : 2016-02-28 CVE-ID : CVE-2015-8604 CVE-2015-8377 CVE-2015-8369 Package : cacti Type : sql injection Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package cacti before version 0.8.8_g-2 is vulnerable to sql injection. Resolution ========== Upgrade to 0.8.8_g-2. # pacman -Syu "cacti>=0.8.8_g-2" The problem has been fixed upstream in version 0.8.8_g. Workaround ========== None. Description =========== - CVE-2015-8604 (sql injection) SQL injection in graphs_new.php. - CVE-2015-8377 (sql injection) SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php. - CVE-2015-8369 (sql injection) SQL injection in graph.php. Impact ====== A remote attacker is able to get access to the cacti database. References ========== http://www.openwall.com/lists/oss-security/2016/01/04/8 https://bugs.mageia.org/show_bug.cgi?id=17352 http://www.cacti.net/release_notes_0_8_8g.php