Updates to cacti for CVE-2023-39361 (CVSS 9.8)?
Thomas Ward
teward at thomas-ward.net
Tue Nov 14 02:27:47 UTC 2023
Nor is it likely a community member would be able to solve this.
I just went digging in Cacti, and even Debian was unable to get information about a pinpoint fix and patchset.
From https://github.com/Cacti/cacti/issues/5523 I am quoting their security / developers directly:
> Hi Paul,
>
> The issue raised was listed as fixed in Cacti < 1.2.6. We did ask the researcher for more information as we couldn't reproduce this under recent Cacti versions, but we were only told that it was definitely resolved in the latest code. I don't believe there is much on that issue that isn't already released by him on his public posts about it.
>
> We didn't do much with it, since it has already been fixed, and it seems to only affect versions outside of what we currently support. If you need more information on where to find his posts, I can send you them directly. Feel free to reach out to me on the other channels.
Debian has updated their security vulnerability data as well on this CVE (https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3288ad78351071f170dd4da4d70a8a95065cb1ce):
> It is a very unfortunate situation that the fix is not pinpointed.
> Upstream believes 1.2.6 fixes the issue. Exceptionally update the status
> according to the current discussion.
There is no fix documented on the CVE or the GHSA documentation, nor any linked data available from that other than "This was fixed in 1.2.6 after discussion between Upstream and reporting researcher."
The Ubuntu Security Team may wish to reflect this information in the CVE entry. Per Upstream, the reporter's blog post is referring to an at-the-time nonexistent 1.2.25 release. It was indicated by TheWitness (https://github.com/Cacti/cacti/issues/5523#issuecomment-1768240843) on the Cacti GitHub repository that they meant this was fixed in 1.2.6 but not present in 1.2.25, which was released since then.
Thomas
-----Original Message-----
From: Ubuntu-devel-discuss <ubuntu-devel-discuss-bounces at lists.ubuntu.com> On Behalf Of Alex Murray
Sent: Monday, November 13, 2023 9:16 PM
To: chuegen at pentics.com; ubuntu-devel-discuss at lists.ubuntu.com
Subject: Re: Updates to cacti for CVE-2023-39361 (CVSS 9.8)?
Hi chuegen,
As cacti is in the universe component of the repository, it is community maintained and therefore there is no timeframe as to when such a package will be patched in Ubuntu nor any clear indication if a community member is working on this at this time.
You can see the status of this CVE in the Ubuntu CVE Tracker at
https://ubuntu.com/security/CVE-2023-39361
Thanks,
Alex
On Tue, 2023-09-12 at 11:36:47 -0500, chuegen at pentics.com wrote:
> Hi there,
>
> The Cacti project provided an announcement of a CVSS 9.8 SQL injection
> bug against Cacti (fixed in 1.2.25). Is this being worked, and how
> long should I expect before a package becomes available in the Ubuntu
> 22.04 security stream? For now, I have disabled the functionality in
> question while I await a package update (and I'd like to avoid having
> to go with a local version of the updated package if it will be relatively soon).
>
> -c
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss