Bugzilla – Bug 937997
VUL-0: CVE-2015-4634: cacti: multiple SQL injection flaws fixed in 0.8.8e
Last modified: 2018-08-03 22:12:14 UTC
From http://www.cacti.net/release_notes_0_8_8e.php

Release Notes - 0.8.8e

Important Security Fixes
- Multiple XSS and SQL injection vulnerabilities
- CVE-2015-4634 - SQL injection in graphs.php

Changelog
- bug: Fixed issue with graph zooming failing to work
- bug: Fixed various SQL Injection vectors
- bug#0002569: Impossible to have a URL pointing directly to a graph
- bug#0002574: SQL Injection Vulnerabilities in graph items and graph template items
- bug#0002577: CVE-2015-4634 - SQL injection in graphs.php
- bug#0002579: SQL Injection Vulnerabilities in data sources
- bug#0002580: SQL Injection in cdef.php
- bug#0002582: SQL Injection in data_templates.php
- bug#0002583: SQL Injection in graph_templates.php
- bug#0002584: SQL Injection in host_templates.php
- bug#0002586: Cannot delete data sources from the GUI
- bug#0002592: graph_view.php - viewing host in new tab - Undefined index: nodeid
- bug#0002594: status_fail_date and status_rec_date are set incorrectly after host is marked down
- bug#0002597: Incorrect value in Hosts column on Host Templates page
- bug#0002598: Incorrect row number in Devices -> (Edit) page

server:monitoring/cacti 0.8.8d affected
openSUSE:13.1:Update/cacti 0.8.8d affected
openSUSE:13.2:Update/cacti 0.8.8d affected
openSUSE:Factory/cacti 0.8.8d affected

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1242866
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4634
bugbot adjusting priority
Please review:
https://build.opensuse.org/request/show/317435
https://build.opensuse.org/request/show/317436
Further CVEs requested: http://seclists.org/oss-sec/2015/q3/150

CVE-2015-4634 was assigned for an SQL injection in cacti [0], but according to the commit fixing it [1] several other SQL injections were also found:

- bug#0002574: SQL Injection Vulnerabilities in graph items and graph template items
  http://bugs.cacti.net/view.php?id=0002574
- bug#0002579: SQL Injection Vulnerabilities in data sources
  http://bugs.cacti.net/view.php?id=0002579
- bug#0002580: SQL Injection in cdef.php
  http://bugs.cacti.net/view.php?id=0002580
- bug#0002582: SQL Injection in data_templates.php
  http://bugs.cacti.net/view.php?id=0002582
- bug#0002583: SQL Injection in graph_templates.php
  http://bugs.cacti.net/view.php?id=0002583
- bug#0002584: SQL Injection in host_templates.php
  http://bugs.cacti.net/view.php?id=0002584
This is an autogenerated message for OBS integration: This bug (937997) was mentioned in https://build.opensuse.org/request/show/317577 Factory / cacti
Releasing update
openSUSE-SU-2015:1285-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 937997
CVE References: CVE-2015-4634
Sources used:
openSUSE 13.2 (src): cacti-0.8.8e-4.10.1
openSUSE 13.1 (src): cacti-0.8.8e-14.1
This is an autogenerated message for OBS integration: This bug (937997) was mentioned in https://build.opensuse.org/request/show/625957 Backports:SLE-12 / cacti
openSUSE-OU-2018:2194-1: An update that fixes 33 vulnerabilities is now available.

Category: optional (low)
Bug References: 022564,1047512,1048102,1050950,1051633,1054390,1054742,1067163,1067164,1067166,1068028,1101024,1101139,837440,862993,867607,870821,872008,934187,937997,958863,958977,960678,965930,971357,974013
CVE References: CVE-2006-6799,CVE-2007-3112,CVE-2007-3113,CVE-2013-5588,CVE-2013-5589,CVE-2014-2326,CVE-2014-2327,CVE-2014-2328,CVE-2014-2708,CVE-2014-2709,CVE-2014-4000,CVE-2014-4002,CVE-2014-5025,CVE-2014-5026,CVE-2015-4342,CVE-2015-4634,CVE-2015-8369,CVE-2015-8377,CVE-2015-8604,CVE-2016-2313,CVE-2016-3172,CVE-2016-3659,CVE-2017-10970,CVE-2017-11163,CVE-2017-11691,CVE-2017-12065,CVE-2017-12927,CVE-2017-12978,CVE-2017-15194,CVE-2017-16641,CVE-2017-16660,CVE-2017-16661,CVE-2017-16785
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): cacti-1.1.38-2.1