Changelog
cacti (0.8.6i-3ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #164072)
    + CVE-2007-6035: SQL injection vulnerability in Cacti before 0.8.7a allows
      remote attackers to execute arbitrary SQL commands via unspecified
      vectors.
    + CVE-2007-3112: Cacti 0.8.6i, and possibly other versions, allows remote
      authenticated users to cause a denial of service (CPU consumption) via a
      large value of the (1) graph_start or (2) graph_end parameter.
    + CVE-2007-3113: Cacti 0.8.6i, and possibly other versions, allows remote
      authenticated users to cause a denial of service (CPU consumption) via a
      large value of the (1) graph_height or (2) graph_width parameter.
  * debian/patches/10_CVE-2007-6035.dpatch: applied patch by upstream
    (Link: http://www.cacti.net/downloads/patches/0.8.6j/sec_sql_injection-0.8.6j.patch)
  * debian/patches/10_CVE-2007-3112+CVE-2007-3113.dpatch:
    - Applied patch by upstream
    - Link: http://svn.cacti.net/cgi-bin/viewvc.cgi/cacti/branches/0.8.7/graph_image.php?r1=3898&r2=3956&view=patch
  * References:
    CVE-2007-6035
    CVE-2007-3112
    CVE-2007-3113

 -- Stephan Hermann <email address hidden>  Tue, 20 Nov 2007 15:57:18 +0100
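The two denial-of-service entries above (CVE-2007-3112 and CVE-2007-3113) come down to graph parameters that were accepted without bounds before reaching the renderer. The following is an added illustration, not Cacti's code and not the upstream patch linked above: a request-parameter validator for the four parameters the entry names. The pixel and time-span limits, and the assumption that graph_start/graph_end are epoch seconds, are assumed values chosen for the example.

```php
<?php
// Added example, not Cacti's code or the upstream patch: bound the graph
// parameters named in CVE-2007-3112 / CVE-2007-3113 before they reach the
// renderer. The limits below are assumed, illustrative values.
const MAX_GRAPH_DIMENSION = 4096;                  // pixels, graph_height / graph_width
const MAX_GRAPH_RANGE_SECONDS = 10 * 365 * 86400;  // ten years, graph_end - graph_start

function validate_graph_params(array $request): array
{
    $clean = [];

    // Dimensions: positive integers within a fixed pixel budget.
    foreach (['graph_height', 'graph_width'] as $name) {
        $value = filter_var($request[$name] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => MAX_GRAPH_DIMENSION]]);
        if ($value === false) {
            throw new InvalidArgumentException(
                "$name must be an integer between 1 and " . MAX_GRAPH_DIMENSION);
        }
        $clean[$name] = $value;
    }

    // Time range: non-negative epoch seconds (assumed), start before end,
    // and the span itself bounded so a huge range cannot drive rendering cost.
    foreach (['graph_start', 'graph_end'] as $name) {
        $value = filter_var($request[$name] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0]]);
        if ($value === false) {
            throw new InvalidArgumentException("$name must be a non-negative integer");
        }
        $clean[$name] = $value;
    }
    $span = $clean['graph_end'] - $clean['graph_start'];
    if ($span <= 0 || $span > MAX_GRAPH_RANGE_SECONDS) {
        throw new InvalidArgumentException('graph_start/graph_end span is empty or too large');
    }

    return $clean;
}

// Constructed sample requests: one acceptable, one carrying an oversized width.
$ok = validate_graph_params(['graph_height' => 120, 'graph_width' => 500,
    'graph_start' => 1195000000, 'graph_end' => 1195086400]);
try {
    validate_graph_params(['graph_height' => 120, 'graph_width' => 999999999,
        'graph_start' => 1195000000, 'graph_end' => 1195086400]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Rejecting out-of-range values outright, rather than silently clamping them, also gives a clean log line to alert on when a client repeatedly sends oversized parameters.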