-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0701
                        graphite-web security update
                               7 February 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           graphite-web
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-4730 CVE-2022-4729 CVE-2022-4728

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/02/msg00003.html

Comment: CVSS (Max):  5.4 CVE-2022-4730 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3309-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Chris Lamb
February 06, 2023                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : graphite-web
Version        : 1.1.4-3+deb10u2
CVE IDs        : CVE-2022-4728 CVE-2022-4729 CVE-2022-4730
Debian Bug     : 1026992

It was discovered that there were a number of issues in graphite-web, a
tool that provides realtime graphing of system statistics etc.

A series of cross-site scripting (XSS) vulnerabilities existed that could
have been exploited remotely. Issues existed in the Cookie Handler,
Template Name Handler and Absolute Time Range Handler components.

For Debian 10 buster, these problems have been fixed in version
1.1.4-3+deb10u2.

We recommend that you upgrade your graphite-web packages.
For the detailed security status of graphite-web please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/graphite-web

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmPhbBUACgkQHpU+J9Qx
Hlhd2Q//WCgFbzbyZ8l2PCPbLbUw2al3dvCBOpQGMnircZMhrUhsks0H7EruHdNK
GQs9oxLzYEXANmxT9yBPjIPz6ndEkfRVF+02U/XVY5JmkEZpOjgoQJkdAiq49vJH
nHh2bpoaVFk/F2e16QGKIJL2tWgrIOWjqmub5oncIiCsH/Hs5O6OVNaghBm4NPac
GEzOls/q6VPRN2NqGH9j47l/KQrkw9Z+3pM+C+F64cX5zTXjzrF9HJs5MHdbRlnR
TzA/x3aZnToL7pXArn5+NsOpV4aJcxpIM/Y/m3NA0FiXaQUXWY1w8lDKDdAvQcTL
+VioO53cJ6dRgfIZxDmpJ3piQo0wIB8qhmaY0RZiXqOntbnmhdKwXHV8W9Zncke8
nHqOI+8DUXL6KIJxLnIrXwiUY75UqbkOtBPCk1Ag4c6zCL+GpKJHnxnzyYD4RBYH
NNwof6m63IpfuxWWmZPChja9AbUIpc6qE3i4lU0JcDAWRHmpRjsXUiwp/bVdD4aX
25j8js0nsUD3iWFEoz1v47zf8IVEb4JGAeswiUEwIIm7DvSSpn2cum8NbjT6sdJo
O2pX0L5ghmnPQoaLiNTrQf9/IlveiF9AzhYjlqQomOGqesL9YWYCZ5RAG7n2phR+
pVp6jIAte7rJfLSELpE1J5UTEDPWX5w/aGWqbuMsu1blg9nOjIo=
=YIF4
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY+HO5skNZI30y1K9AQhE5Q/+Ij/O6csIihVj147L0VsWG2GZQPGgUqYY
Qmp4TawrUaQHzSwpXr97LFl034amhgGygk9VkYxIsvO+i09d7mI0Vjt0tuWLVvlx
x2xSe9q0y6BmsDRRKE5ru6arMgZCuqAqwOBnP5+Xp2IS4RFbXRzlH7dJaMYb63xe
rE/DnXXbgDCrAejHFX2x8DGdc/3rXP6mZBWEpYcZAgwaD/Uwdda6+4rNPT86inoy
9HOBbaVqmMMe3Sjt3KKsP+y0JtKDA0E0BXFnuVdmlOB5a6qWPKdMZj1T0NjDGioG
hyQLbmFtZZpS7Aq2OZ4eW6V8NF0vPL7OA6wZuNR8OsMMd/vfudgo+nwL3YrZFdQd
qNHcxQa7Ch+cPaVvPMtY5UaeMx50hElYANWpkWbnD+fQdvoEVkgJUvnkip8+ILwr
EejUE8MfQxFE8XCeSWF8Loqb3zpdpY6CUWRoOYzxV2c+dWwSFUMOKEOFC2+Yrp0o
iOhsG7Z4v3kngGgFj3PPqugTlkHd+PhPiAHw1KorIVbje0XTaGsaejrKxKbZGdgH
6PrjJrGOAMzwbAGDp6ywKEp8ikpgMd2vLaFcuoD1HlT2xYGiynS8kYg6Xruu+fsZ
eBeyY2P9oN2ar+4ycKruzTAO8hX19sBhfNppRW6GZLVAl5oocGvupuR3St5MGYJJ
i7kbrh8c4a8=
=5mRy
-----END PGP SIGNATURE-----