
Re: cacti LTS



Hi Emilio

[By the way, I read debian-lts, so there is no need to mail me directly;
I dropped your To: as well.]

On 26-06-16 10:40, Emilio Pozuelo Monfort wrote:
>> I believe CVE-2016-2313 should be included in this fix.
> 
> Certainly! I have backported the fix and included in this new debdiff.

Looks good to me (but I haven't tested).

> Unfortunately I'm not sure how to trigger the bug.

For one thing, you have to change the authentication scheme (maybe
remove the template; I'm not sure if one is included by default), and log
into cacti with a valid HTTP user (but a non-existing cacti user).

> Ah, nice. I don't think we have ci.debian.net running for wheezy, but this can
> be useful to do some basic testing after an update.

It was for the last point that I mentioned it. As cacti before the
current stretch package didn't run out-of-the-box, it would require
additional logic to even work on a CI framework (such as making sure
that the admin password is the same as the cacti/www-data password and
actually configuring the cacti pages). But if cacti works on your VM, it
should be simple to run the test (it usually takes several minutes, though).
My intention is to add tests for all the CVEs that I fix as well, but
as you can see in the test, I wasn't successful with CVE-2016-3659.
However, a check for CVE-2016-3172 is in.

Paul
