-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 29 Dec 2022 22:40:43 +0100
Source: cacti
Architecture: source
Version: 1.2.2+ds1-2+deb10u5
Distribution: buster-security
Urgency: high
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 951832 1008693 1025648
Changes:
 cacti (1.2.2+ds1-2+deb10u5) buster-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2022-46169: A command injection vulnerability allows an
     unauthenticated user to execute arbitrary code on a server running
     Cacti, if a poller_item with the action type POLLER_ACTION_SCRIPT_PHP
     (2) is configured. (Closes: #1025648)
   * CVE-2022-0730: Under certain LDAP conditions, Cacti authentication can
     be bypassed with certain credential types. (Closes: #1008693)
   * CVE-2020-25706: A cross-site scripting (XSS) vulnerability was found in
     templates_import.php.
   * CVE-2020-23226: Multiple Cross Site Scripting (XSS) vulnerabilities
     were found in reports_admin.php (1x), data_queries.php (2x),
     data_input.php (3x), graph_templates.php (4x), graphs.php (5x),
     reports_admin.php (6x), and data_input.php (7x).
   * CVE-2020-8813: A guest user with the graph real-time privilege could
     execute arbitrary OS commands via shell metacharacters in a cookie.
     It remains unclear how PHP 7.2 and later are affected.
     (Closes: #951832)
Checksums-Sha1:
 08ea0ddd36d7fa1fbdf5df4f5724bad46c5e8939 2483 cacti_1.2.2+ds1-2+deb10u5.dsc
 5bcf2410f398f22ea55696428dfdc9f033303e0c 12751572 cacti_1.2.2+ds1.orig-docs-source.tar.gz
 d0a763c27c1c9778e782a14abae3075dbfd3c8a7 3702668 cacti_1.2.2+ds1.orig.tar.xz
 7880fe113c6ed9db6a79dff80c5a71cd0c5abcc2 77956 cacti_1.2.2+ds1-2+deb10u5.debian.tar.xz
 4651f8f9f806e8a82b401be6a7f8acdae352a148 6022 cacti_1.2.2+ds1-2+deb10u5_amd64.buildinfo
Checksums-Sha256:
 6359608176695b02cd383f73e4329fb00fb32d38cf9d5f7e39c8c9b3b4d71610 2483 cacti_1.2.2+ds1-2+deb10u5.dsc
 5d94359ea0b15cfe8f96ddc9999394594563cb34de2bb500a54f7b27565b44b4 12751572 cacti_1.2.2+ds1.orig-docs-source.tar.gz
 45d263e2cbc7aa40e162c35adbe45229bd231e16faf082dbc01fb36403140bef 3702668 cacti_1.2.2+ds1.orig.tar.xz
 4e0c38f4c842fbaa611d56c8201d791990c82932e249a0d9070b6cf402895354 77956 cacti_1.2.2+ds1-2+deb10u5.debian.tar.xz
 fae9589002ea62cadfc6a0358e8e8f05eb0e0e3daa58f03a8b82984919584418 6022 cacti_1.2.2+ds1-2+deb10u5_amd64.buildinfo
Files:
 3e20d29e3dd54058215c82bd0586e254 2483 web optional cacti_1.2.2+ds1-2+deb10u5.dsc
 ebdf0461474378c083051b44ce15aa34 12751572 web optional cacti_1.2.2+ds1.orig-docs-source.tar.gz
 b14ae7d08f482659a44d76cbeca91ebd 3702668 web optional cacti_1.2.2+ds1.orig.tar.xz
 be0686d50010938905b3b126af6abbdb 77956 web optional cacti_1.2.2+ds1-2+deb10u5.debian.tar.xz
 ed447d3c6c2aa65c949023540c69e1ca 6022 web optional cacti_1.2.2+ds1-2+deb10u5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmOvdFUACgkQ05pJnDwh
pVJ8Fw//TSUPyYHItZ64hO5x9+X4zCeoty+Qukxxo9sdyNG9aCuNIddBGaVdu5LF
hjtY93MYJkilbJ7bCk9WWdrtGuMvx6dLkbAZ5/8cDwWAVw7+D0pEqo4qfsxEmJTi
STeyZ07jdyi2HNlDKQoLqyhkKfl2OfU9jeIt0xexl1fIr1YtKaXOjaGVOVrOBm/T
Kj/VSDtcYznvYoAn1Vrg7rbhG9eHI96lbvl0A856Iluzw0E1R+CV3KHsyuoxPq+3
ANfpuL3kQMIGEvKV6EzfZvBRl36bRRYjnbixb6qMtoePGVXbgR2SSrZGNUKxuMXL
skEq4bztQvxV5BX7U5IqaOYzjtL/+GFuIORdpEO1o5HXIH/9tDsw+iuQNdQLdafd
hyVQgf7/sMROAR24TIzWoSnrEBGoUACA2UWiDNXyZa7Pg2KOK9+jT9zPiVgoPmVR
m5g+4kRevbRAgAKZB/GzoBTAnL8KJ/l4r2VYIIdJBWJQRnFLMt54oXKGFhzWJ0vZ
ipd22ORGxjmwGnlEuMowyuWIoeczWt8Mdy+qYtQkBWWXItAA3KNFqLQCoS6FFL9W
qd2fGVTmMXvJ8rALjcnVEv5Tv7VxTGEZcg6zp5Q38J9A6r7fjDwmRxT+x8fH31rK
bby5/0QovXDS22KdyAQ2oMhPoUOlpY2W0ZEjACrRzZ7moYYEufQ=
=oyye
-----END PGP SIGNATURE-----