-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0701
                       graphite-web security update
                              7 February 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           graphite-web
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-4730 CVE-2022-4729 CVE-2022-4728

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/02/msg00003.html

Comment: CVSS (Max):  5.4 CVE-2022-4730 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3309-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
February 06, 2023                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : graphite-web
Version        : 1.1.4-3+deb10u2
CVE IDs        : CVE-2022-4728 CVE-2022-4729 CVE-2022-4730
Debian Bug     : 1026992

It was discovered that there were a number of issues in graphite-web,
a tool that provides realtime graphing of system statistics etc.

A series of cross-site scripting (XSS) vulnerabilities existed that
could have been exploited remotely. Issues existed in the Cookie
Handler, Template Name Handler and Absolute Time Range Handler
components.

For Debian 10 buster, these problems have been fixed in version
1.1.4-3+deb10u2.

We recommend that you upgrade your graphite-web packages.

For the detailed security status of graphite-web please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/graphite-web

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
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=YIF4
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
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=5mRy
-----END PGP SIGNATURE-----