75088 2002-09-10 17:12 /81 lines/ Martin Schulze <joey@infodrom.org>
Imported: 2002-09-10 17:12 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: listadmin@securityfocus.com
Recipient: Bugtraq (import) <1439>
Subject: [SECURITY] [DSA 164-1] New cacti package fixes arbitrary code execution
------------------------------------------------------------

--------------------------------------------------------------------------
Debian Security Advisory DSA 164-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 10th, 2002                    http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : cacti
Vulnerability  : arbitrary code execution
Problem-Type   : remote
Debian-specific: no

A problem in cacti, a PHP based frontend to rrdtool for monitoring systems
and services, has been discovered. This could lead to cacti executing
arbitrary program code under the user id of the web server. This problem,
however, can only be exploited by users who already have administrator
privileges in the cacti system.

This problem has been fixed by removing any dollar signs and backticks from
the title string in version 0.6.7-2.1 for the current stable distribution
(woody) and in version 0.6.8a-2 for the unstable distribution (sid). The
old stable distribution (potato) is not affected since it doesn't contain
the cacti package.

We recommend that you upgrade your cacti package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.6.7-2.1.dsc
      Size/MD5 checksum:      565 aba046da4e3b9f6917dee87391fbaa4f
    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.6.7-2.1.diff.gz
      Size/MD5 checksum:    22852 c64a46a82dfd21ff0fd87f4effcae23c
    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.6.7.orig.tar.gz
      Size/MD5 checksum:   206608 b004ac1ca1dd18737f0fa685fe18737c

  Architecture independent components:

    http://security.debian.org/pool/updates/main/c/cacti/cacti_0.6.7-2.1_all.deb
      Size/MD5 checksum:   209658 d63265f2a6606893ac9d1e3a6539c20d

  These files will probably be moved into the stable distribution on
  its next revision.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

(75088) /Martin Schulze <joey@infodrom.org>/--------
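As an added illustration (not cacti's own code and not Debian's patch), the following contrasts the fix the advisory describes, stripping dollar signs and backticks from the graph title, with handing the title to rrdtool as an argument vector so that no shell ever interprets it; the rrdtool graph arguments and the RRD path are assumed.

```python
import shlex
import subprocess

# The two characters the DSA 164-1 fix removes from a title before it reaches rrdtool.
STRIPPED_BY_DSA_164 = "$`"


def strip_title(title: str) -> str:
    """Blacklist fix as described in the advisory: drop dollar signs and backticks."""
    return "".join(ch for ch in title if ch not in STRIPPED_BY_DSA_164)


def rrdtool_graph_argv(rrd_path: str, title: str) -> list[str]:
    """Hypothetical rrdtool graph invocation assembled as an argument vector.

    Handed to the process without a shell, every element is one literal
    argument, so '$' and '`' in the title are plain text, not shell syntax.
    The DEF/LINE arguments are assumed for the example.
    """
    return ["rrdtool", "graph", "-", "--title", title,
            f"DEF:a={rrd_path}:traffic:AVERAGE", "LINE1:a#0000ff:traffic"]


def as_shell_command(argv: list[str]) -> str:
    """If a single command string is unavoidable, quote every argument instead of
    blacklisting characters; the whole title becomes one single-quoted word."""
    return " ".join(shlex.quote(arg) for arg in argv)


def run_graph(rrd_path: str, title: str) -> subprocess.CompletedProcess:
    """Run rrdtool in argv form (shell=False is the default). Needs rrdtool on PATH."""
    return subprocess.run(rrdtool_graph_argv(rrd_path, title),
                          check=False, capture_output=True)


if __name__ == "__main__":
    # Constructed title containing both characters the advisory names.
    title = "Router 1 `uptime` $PATH"
    print(strip_title(title))
    print(as_shell_command(rrdtool_graph_argv("/var/lib/cacti/rra/router1.rrd", title)))
```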