Two cross-site scripting (XSS) flaws and an SQL injection flaw were reported[1] in Cacti versions 0.8.8b and lower. The versions of Cacti shipped with Fedora and EPEL are affected by these flaws. References: https://bugs.gentoo.org/show_bug.cgi?id=482424 0.8.8 fix: http://svn.cacti.net/viewvc?view=rev&revision=7420 0.8.9 fix: http://svn.cacti.net/viewvc?view=rev&revision=7421 [1] http://bugs.cacti.net/view.php?id=2383
The CVE request: http://seclists.org/oss-sec/2013/q3/487 CVE-2013-5588 was assigned to the XSS issues. CVE-2013-5589 was assigned to the SQL injection issue.
Created cacti tracking bugs for this issue: Affects: fedora-all [bug 1000863] Affects: epel-all [bug 1000864]
I am pushing 0.8.8b-2 to Fedora ASAP. For EPEL 5 and 6, we're still waiting out the two week epel-testing clock on 0.8.8b-1, which can only go to stable on Aug 28th at the earliest. Once 0.8.8b-1 goes to stable in EPEL, I plan to push 0.8.8b-2 to EPEL 5 and 6.
Thanks for the fast response Ken!
Looks like I miscounted the dates for 0.8.8b-1, so I was only able to submit it to epel-stable this afternoon. I'll submit 0.8.8b-2 to epel-testing as soon as releng signs and pushes 0.8.8b-1 (24 hours or so).
cacti-0.8.8b-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.8b-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.8b-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.8b-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.