-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0048
           [UNIX/Linux][Debian] cacti: Multiple vulnerabilities
                              7 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           cacti
Publisher:         cacti
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17358 CVE-2019-17357 

Reference:         ESB-2019.4637

Original Bulletin: 
   https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8

- --------------------------BEGIN INCLUDED TEXT--------------------

Release of Cacti 1.2.8: This release addresses two CVE's that were reported. For more
information see the changelog.

Change Log

  - CVE-2019-17357 When viewing graphs, some input variables are
    not properly checked (SQL injection possible)
  - CVE-2019-17358 When deserializating data, ensure basic
    sanitization has been performed.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXhQE6GaOgq3Tt24GAQjRWBAAiAXTc/rtgVXr3S6bvvEmwvU9Hxjdn0AZ
Aqy6Ub3d70y/htyuD+kMT9L7FRPdWc4qOieinJZz2J9525b4kSpADdyY+qTRthjT
92DzUezXTKS8Y8X6vMdlhcxVI6zF263HHe6mjeYhUtxJIrRKKh3qRPM30Ka4kEd9
d2vhBJYp1A3JzMJ8ND9J5mVKI084NYl4gU9eStzeEuv9d+pmb3qatkJnvmt4xfhd
YP4oDf6RyWu96s9SqHL7n5WSaTzOPIdCErLJKA4aTB8c1LdYo2GS/nTCLf4FVZNL
4AMI9hnDjBIo9rl3FViRF91Eold7iYfr/dmq8KjV3lDYHtQjoclGr3gZ6VDayaqw
PecxpigUwgORKXNpwMremquyM+/pHJWH0xCyQ1hSUEifssxBLAs3L2o7Qt1crGQc
/tn6iEz9SkFUj7kFpP+d23dAq8GPqU9oiinsD36agcsBaR2HJ7WM2L6BLgLZWj+Y
XxA9wD2/8scYjzPuVtPMPq9h8YM84jPiBX4TyUvIo5ztFBEVfOii5+jjD5HGHuIm
Mpk6Rb6SMEv4pHFGMcTABogIEm+m210rIdJEHF9mlfej83z8rCeRM9WC9FsjiFaE
PrnRwNrpOIh7g8qQbLNzoBvqAu/02JpzyLriOnvuDGnq0SnSV0i0ocXX1jYRHAzX
gV+bg2zzHGs=
=qwIz
-----END PGP SIGNATURE-----