Format: 1.8
Date: Mon, 20 Nov 2017 20:34:23 +0100
Source: cacti
Binary: cacti
Architecture: source
Version: 1.1.27+ds1-3~bpo9+1
Distribution: stretch-backports
Urgency: medium
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <elbrus@debian.org>
Description:
 cacti      - web interface for graphing of monitoring systems
Closes: 881110
Changes:
 cacti (1.1.27+ds1-3~bpo9+1) stretch-backports; urgency=medium
 .
   * Rebuild for stretch-backports.
 .
 cacti (1.1.27+ds1-3) unstable; urgency=medium
 .
   * CVE-2017-16641: remote authenticated administrators can execute arbitrary
     os commands via the path_rrdtool parameter in an action=save request to
     settings.php (Closes: #881110)
   * CVE-2017-16660: remote authenticated administrators can conduct Remote
     Code Execution attacks by placing the Log Path under the web root, and
     then making a remote_agent.php request containing PHP code in a
     Client-ip header
   * CVE-2017-16661: remote authenticated administrators can read arbitrary
     files accessible by the web-server user by placing the Log Path into a
     private directory, and then making a clog.php?filename= request
   * CVE-2017-16785: reflected XSS via the PATH_INFO to host.php
     (reintroduction of CVE-2017-15194)
   * Bump standards to 4.1.1
   * Set Priority to optional
 .
 cacti (1.1.27+ds1-2) unstable; urgency=medium
 .
   * Add upstream commit b44eb52 as 0001-Another-crack-at-issue-1039.patch
     because they likely reintroduced part of CVE-2017-15194. Thanks to
     autopkgtest
 .
 cacti (1.1.27+ds1-1) unstable; urgency=medium
 .
   * New upstream version 1.1.27
     - Drop CVE-2017-15194.patch again
   * [tests] Add new note to list of exceptions to fix failure
Checksums-Sha1:
 2d6f88e72ce4c9f739447df09b520aa6ca520bfa 2162 cacti_1.1.27+ds1-3~bpo9+1.dsc
 6eea15fcbafd6a8e6df1b3d8c9623be911c0fe1c 56124 cacti_1.1.27+ds1-3~bpo9+1.debian.tar.xz
Checksums-Sha256:
 5ccbc8b2346cd4b5d352cf56122df6c25ac801f62c60be147f1de8d95b5beaac 2162 cacti_1.1.27+ds1-3~bpo9+1.dsc
 9b8b59dfe505c4b251a90762d4a4594411ff618feb8d8ef310d26ae5e99e50f8 56124 cacti_1.1.27+ds1-3~bpo9+1.debian.tar.xz
Files:
 44e9ae2f3d7645b00e96b62113d76c62 2162 web optional cacti_1.1.27+ds1-3~bpo9+1.dsc
 90d57ca02865f10b5469db7432e63c7a 56124 web optional cacti_1.1.27+ds1-3~bpo9+1.debian.tar.xz