Date:      Wed, 22 Jul 2015 00:19:21 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 201702] net-mgmt/cacti: Multiple XSS and SQL injection vulnerabilities (CVE-2015-4634)
Message-ID:  <bug-201702-13-iheqpy9wHx@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-201702-13@https.bugs.freebsd.org/bugzilla/>
References:  <bug-201702-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201702

Jason Unovitch <jason.unovitch@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #159053|0                           |1
        is obsolete|                            |
 Attachment #159053|maintainer-approval?(freebs |
              Flags|d-ports@dan.me.uk)          |
 Attachment #159054|                            |maintainer-approval?(freebs
              Flags|                            |d-ports@dan.me.uk)

--- Comment #14 from Jason Unovitch <jason.unovitch@gmail.com> ---
Created attachment 159054
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159054&action=edit
cacti-0.8.8f_1.patch

Disregard initial patch. The comment in the forum thread about fetching the
file and not finding the bad code made me look a little closer. The SHA256
doesn't match ports anymore but the fact that I had the distfile and the fact
that one of the fallback mirrors had the bad distfile hid this.

According to http://www.cacti.net/downloads/
cacti-0.8.8f.tar.gz    20-Jul-2015 09:43     2.5M

It looks like this was caught and fixed after the 19 July release and they
re-rolled the distfile.  I see
2ea92407c11bf13302558a5bc9e1f3a57bd14a1d9ded48c505ec495762f76738 as the hash. 
Patch attached fixes the issue by updating to the new 0.8.8f distfile and
bumping PORTREVISION.

-- 
You are receiving this mail because:
You are the assignee for the bug.
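
Added example, not part of the original message or of the ports tree: a check that hashes every available copy of a distfile against the port's distinfo, showing how a cached file and a fallback mirror can both pass while upstream serves a re-rolled tarball under the same name. The tarball bytes, source labels and distinfo values are constructed, and the function names are hypothetical.

```python
import hashlib
import re

# distinfo lines look like "SHA256 (name) = <hex>" and "SIZE (name) = <bytes>".
_LINE = re.compile(r"^(SHA256|SIZE) \(([^)]+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}}; other lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            kind, name, value = m.groups()
            parsed = value.lower() if kind == "SHA256" else int(value)
            entries.setdefault(name, {})[kind] = parsed
    return entries

def audit_copies(distinfo_text, filename, copies):
    """Hash each copy (source label -> bytes) and compare it with distinfo."""
    expected = parse_distinfo(distinfo_text)[filename]
    report = {}
    for source, data in copies.items():
        digest = hashlib.sha256(data).hexdigest()
        ok = digest == expected["SHA256"] and len(data) == expected["SIZE"]
        report[source] = {"sha256": digest, "matches_distinfo": ok}
    return report

def reroll_suspected(report):
    """True when copies published under one filename have different digests."""
    return len({r["sha256"] for r in report.values()}) > 1

# Constructed stand-ins for the two tarballs; not real distfile contents.
OLD = b"constructed stand-in for the original tarball"
NEW = b"constructed stand-in for the re-rolled tarball"
NAME = "cacti-0.8.8f.tar.gz"
# The port's distinfo still records the original tarball.
DISTINFO = "SHA256 ({n}) = {h}\nSIZE ({n}) = {s}\n".format(
    n=NAME, h=hashlib.sha256(OLD).hexdigest(), s=len(OLD))
COPIES = {
    "local distfile cache": OLD,   # already on disk, so nothing is fetched
    "fallback mirror": OLD,        # still carries the original file
    "upstream master site": NEW,   # re-rolled under the same name
}

if __name__ == "__main__":
    report = audit_copies(DISTINFO, NAME, COPIES)
    for source, r in report.items():
        state = "matches distinfo" if r["matches_distinfo"] else "MISMATCH"
        print(f"{source:22} {r['sha256'][:16]}  {state}")
    print("re-roll suspected:", reroll_suspected(report))
```

A passing checksum on the cached or mirrored copy only shows that copy equals what distinfo recorded; comparing against the upstream copy is what exposes the re-roll.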