-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 18 Jun 2020 22:34:41 +0200
Source: cacti
Architecture: source
Version: 1.2.2+ds1-2+deb10u3
Distribution: buster
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Closes: 949996 949997
Changes:
 cacti (1.2.2+ds1-2+deb10u3) buster; urgency=medium
 .
   * Unix timestamps after Sep 13 2020 are rejected as graph start/end
     arguments (Upstream bug #3245)
   * CVE-2020-7237: Remote Code Execution (by privileged users) via shell
     metacharacters in the Performance Boost Debug Log field of
     poller_automation.php. OS commands are executed when a new poller cycle
     begins. The attacker must be authenticated, and must have access to
     modify the Performance Settings of the product. (Closes: #949997)
   * CVE-2020-7106: XSS in data_sources.php, color_templates_item.php,
     graphs.php, graph_items.php, lib/api_automation.php, user_admin.php,
     and user_group_admin.php, as demonstrated by the description parameter
     in data_sources.php (a raw string from the database that is displayed
     by $header to trigger the XSS). (Closes: #949996)
   * CVE-2020-13230: Disabling a user account does not immediately
     invalidate any permissions granted to that account (e.g., permission
     to view logs)
   * CVE-2020-13231: auth_profile.php?action=edit allows CSRF for an admin
     email change
Checksums-Sha1:
 776e1f8104f9608392149eac349892aeaa3c629c 2261 cacti_1.2.2+ds1-2+deb10u3.dsc
 7a5d661d63bc2dba0120ec874b77ddf574bcc4d6 66172 cacti_1.2.2+ds1-2+deb10u3.debian.tar.xz
Checksums-Sha256:
 b9b4889ddd6c1ca37f9f89ae53f82a19f4178cde1b4a85a439486a311d5b47cf 2261 cacti_1.2.2+ds1-2+deb10u3.dsc
 fdea59cd06101307c0f338b0c18e4db11831118a6d6c23db28fe2358b9142c52 66172 cacti_1.2.2+ds1-2+deb10u3.debian.tar.xz
Files:
 62001e04fb7ce7a1edcfbf813c59d241 2261 web optional cacti_1.2.2+ds1-2+deb10u3.dsc
 fac92e683ab5c6eb93076bb4b80c7f7c 66172 web optional cacti_1.2.2+ds1-2+deb10u3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAl7+NIQACgkQnFyZ6wW9
dQqvDwgApuvAT7SYNhiEpEgwxJTAI8z5oiFiEFjgVULd2O/aYboRMbnKjbYZ+xqR
RM/OmDest4SCeqtSI4KxOqnDdIANvMGd7lRufV1krZU1f626gql3TvpqJve+/YL/
ZzoDeWQHL1apH0tKpOBO/0uVonrhyhlTyI9eZ6hjRcg6u0iwpRf3f+LWH6NMFvBb
qDUGyVWXlNJ1qn40lb3DJi+4FnaxzpdcjYTdr/S4KBwpbgL4gMjxBVecM65w5yyq
33sgNEIEql7AHXbwaGixNfStSO6Barq7ygolqIbdVqvsbxMQWeg12zkP+vPU1JA4
ZjCwsw3cBk1je4DoXu2xFUqOH8pAuA==
=OyYc
-----END PGP SIGNATURE-----