-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 14 Nov 2017 20:14:34 +0100
Source: cacti
Binary: cacti
Architecture: source
Version: 1.1.27+ds1-3
Distribution: unstable
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 881110
Changes:
 cacti (1.1.27+ds1-3) unstable; urgency=medium
 .
   * CVE-2017-16641: remote authenticated administrators can execute arbitrary
     os commands via the path_rrdtool parameter in an action=save request to
     settings.php (Closes: #881110)
   * CVE-2017-16660: remote authenticated administrators can conduct Remote
     Code Execution attacks by placing the Log Path under the web root, and
     then making a remote_agent.php request containing PHP code in a
     Client-ip header
   * CVE-2017-16661: remote authenticated administrators can read arbitrary
     files accessible by the web-server user by placing the Log Path into a
     private directory, and then making a clog.php?filename= request
   * CVE-2017-16785: reflected XSS via the PATH_INFO to host.php
     (reintroduction of CVE-2017-15194)
   * Bump standards to 4.1.1
   * Set Priority to optional
Checksums-Sha1:
 6da0c05e6b24552f8e3f4c0d995152531237f5e1 2134 cacti_1.1.27+ds1-3.dsc
 e0d1f509fb465f2c1676b254fc0d5b1362e9f7f5 56092 cacti_1.1.27+ds1-3.debian.tar.xz
Checksums-Sha256:
 9d77784c2545398d29f325c99764b1aebeb8966bb7d12e5c0dda78e7673306f3 2134 cacti_1.1.27+ds1-3.dsc
 519db95eb5fd254f309faad31aaeb2d79fa1b2bbe8a8c604aa8b8fdcc7203f44 56092 cacti_1.1.27+ds1-3.debian.tar.xz
Files:
 2f7335b2759d8227a2b170074abf98de 2134 web optional cacti_1.1.27+ds1-3.dsc
 fd6375c1fc789d1654364421b949f5ac 56092 web optional cacti_1.1.27+ds1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----