Date: 17 December 2009
References: ESB-2010.0041 ESB-2010.0750
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1649
New cacti packages fix insufficient input sanitising
17 December 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: cacti
Publisher: Debian
Operating System: Debian GNU/Linux 4
Debian GNU/Linux 5
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2009-4112 CVE-2009-4032 CVE-2007-3113
CVE-2007-3112
Original Bulletin:
http://www.debian.org/security/2009/dsa-1954
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running cacti check for an updated version of the software for their
operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1954-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
December 16, 2009 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : cacti
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Ids : CVE-2007-3112 CVE-2007-3113 CVE-2009-4032
Debian Bugs : 429224
Several vulnerabilities have been found in cacti, a frontend to rrdtool
for monitoring systems and services. The Common Vulnerabilities and
Exposures project identifies the following problems:
CVE-2007-3112, CVE-2007-3113
It was discovered that cacti is prone to a denial of service via the
graph_height, graph_width, graph_start and graph_end parameters.
This issue only affects the oldstable (etch) version of cacti.
CVE-2009-4032
It was discovered that cacti is prone to several cross-site scripting
attacks via different vectors.
CVE-2009-4112
It has been discovered that cacti allows authenticated administrator
users to gain access to the host system by executing arbitrary commands
via the "Data Input Method" for the "Linux - Get Memory Usage" setting.
There is no fix for this issue at this stage. Upstream will implement a
whitelist policy to only allow certain "safe" commands. For the moment,
we recommend that such access is only given to trusted users and that
the options "Data Input" and "User Administration" are otherwise
deactivated.
For the oldstable distribution (etch), these problems have been fixed in
version 0.8.6i-3.6.
For the stable distribution (lenny), this problem has been fixed in
version 0.8.7b-2.1+lenny1.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 0.8.7e-1.1.
We recommend that you upgrade your cacti packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Debian (oldstable)
- - ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i.orig.tar.gz
Size/MD5 checksum: 1122700 341b5828d95db91f81f5fbba65411d63
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6.diff.gz
Size/MD5 checksum: 38419 4ee9e373817ebc32297e1c3de8fee10d
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6.dsc
Size/MD5 checksum: 590 bb8fb25c6db1cd6a2a785f879943d969
Architecture independent packages:
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6_all.deb
Size/MD5 checksum: 962816 9093e9f9abaa6c3dbbedad24cc1d4f7e
Debian GNU/Linux 5.0 alias lenny
- - --------------------------------
Debian (stable)
- - ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b.orig.tar.gz
Size/MD5 checksum: 1972444 aa8a740a6ab88e3634b546c3e1bc502f
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1.diff.gz
Size/MD5 checksum: 37232 04459452593e23c5e837920cfd0f1789
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1.dsc
Size/MD5 checksum: 1117 d67349656ce9514266e7d5d2f378a219
Architecture independent packages:
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1_all.deb
Size/MD5 checksum: 1847182 3876f128fdcc2aefa63d65531875d2ab
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAksoyH0ACgkQ62zWxYk/rQfXGwCeKMeQqicZ/LayzFqXznC2W0is
EG8AoLUxcdouXG/aTvqnfKJyWZtpA9TM
=CLbl
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFLKXSeNVH5XJJInbgRArGkAJ9D9xhoGrxXuI6y1z/fsCS4Pbo4VACffYWy
DVMGSQmRGVSKnYDscaDYDhc=
=B3Px
-----END PGP SIGNATURE-----
|