Debian Security Advisory

DLA-278-1 cacti -- LTS security update

Date Reported: 20 Jul 2015
Affected Packages: cacti
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2015-4634.
More information:

Several SQL injection vulnerabilities were discovered in cacti, a frontend to rrdtool for monitoring systems and services:

  • CVE-2015-4634

    SQL injection vulnerability in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands in graphs.php.

  • Currently unknown or unassigned CVEs

    SQL injection vulnerability in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands in cdef.php, color.php, data_input.php, data_queries.php, data_sources.php, data_templates.php, gprint_presets.php, graph_templates.php, graph_templates_items.php, graphs_items.php, host.php, host_templates.php, lib/functions.php, rra.php, tree.php and user_admin.php.

For the oldoldstable distribution (squeeze), these problems have been fixed in version 0.8.7g-1+squeeze7.