Debian-LTS alert DLA-560-1 (cacti)
From: Emilio Pozuelo Monfort <pochu@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 560-1] cacti security update
Date: Tue, 26 Jul 2016 00:36:23 +0200
Message-ID: <86d0011f-94c9-5c05-c4f6-dc53690b8671@debian.org>

Package        : cacti
Version        : 0.8.8a+dfsg-5+deb7u9
CVE ID         : CVE-2016-2313 CVE-2016-3172 CVE-2016-3659

Three security issues have been found in cacti:

CVE-2016-2313

    auth_login.php allows remote authenticated users who use web
    authentication to bypass intended access restrictions by logging
    in as a user not in the cacti database.

CVE-2016-3172

    An SQL injection vulnerability in tree.php allows remote authenticated
    users to execute arbitrary SQL commands via the parent_id parameter in
    an item_edit action.

CVE-2016-3659

    An SQL injection vulnerability in graph_view.php allows remote
    authenticated users to execute arbitrary SQL commands via the
    host_group_data parameter.

For Debian 7 "Wheezy", these problems have been fixed in version
0.8.8a+dfsg-5+deb7u9.

We recommend that you upgrade your cacti packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
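
An added example, not part of the advisory or of Debian's tooling: a check that flags hosts in a package inventory whose cacti version sorts before the fixed version named above, using a Python re-implementation of Debian version ordering so it can run away from the hosts themselves. The host names and inventory are constructed, and every host is assumed to run Debian 7 "Wheezy"; on a Debian host, `dpkg --compare-versions` is the authoritative comparison.

```python
import re
FIXED = "0.8.8a+dfsg-5+deb7u9"  # fixed version stated in DLA 560-1 (Wheezy)
# Constructed sample inventory (host -> installed cacti version); not real data.
INVENTORY = {
    "mon-01": "0.8.8a+dfsg-5+deb7u8",
    "mon-02": "0.8.8a+dfsg-5+deb7u9",
    "mon-03": "0.8.8a+dfsg-5+deb7u10",       # plain string comparison misorders this
    "mon-04": "0.8.8a+dfsg-5+deb7u9~test1",  # '~' sorts before the release itself
}

def _isdigit(c):
    return "0" <= c <= "9"  # ASCII digits only; False for the empty string

def _order(c):
    # Weight of one character inside a non-digit run.
    if c == "~":
        return -1  # tilde sorts before everything, even end of string
    if c == "" or _isdigit(c):
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256  # letters before symbols

def _cmp_part(a, b):
    # Compare two upstream or revision strings; returns -1, 0 or 1.
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run, compared character by character.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # Digit run, compared numerically (an empty run counts as 0).
        da = re.match(r"[0-9]*", a[i:]).group()
        db = re.match(r"[0-9]*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def compare(v1, v2):
    # Debian ordering of two version strings: epoch, then upstream, then revision.
    parts = []
    for v in (v1, v2):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
        parts.append((int(epoch), upstream, rev))
    (e1, u1, r1), (e2, u2, r2) = parts
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def vulnerable_hosts(inventory, fixed=FIXED):
    # Hosts whose installed version sorts before the fixed one.
    return sorted(h for h, v in inventory.items() if compare(v, fixed) < 0)
```

`vulnerable_hosts(INVENTORY)` reports mon-01 and mon-04; mon-03 is not flagged because the revision suffix is compared numerically, so `deb7u10` sorts after `deb7u9`.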
