[Bug 201702] net-mgmt/cacti: Multiple XSS and SQL injection vulnerabilities (CVE-2015-4634)

bugzilla-noreply at freebsd.org
Wed Jul 22 00:19:22 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201702

Jason Unovitch <jason.unovitch at gmail.com> changed:

           What    |Removed                                         |Added
--------------------------------------------------------------------------------------------------------------------
 Attachment #159053|0                                               |1
        is obsolete|                                                |
 Attachment #159053|maintainer-approval?(freebsd-ports at dan.me.uk) |
              Flags|                                                |
 Attachment #159054|                                                |maintainer-approval?(freebsd-ports at dan.me.uk)
              Flags|                                                |

--- Comment #14 from Jason Unovitch <jason.unovitch at gmail.com> ---
Created attachment 159054
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159054&action=edit
cacti-0.8.8f_1.patch

Disregard initial patch. The comment in the forum thread about fetching the
file and not finding the bad code made me look a little closer. The SHA256
doesn't match ports anymore but the fact that I had the distfile and the fact
that one of the fallback mirrors had the bad distfile hid this.

According to http://www.cacti.net/downloads/
cacti-0.8.8f.tar.gz    20-Jul-2015 09:43     2.5M

It looks like this was caught and fixed after the 19 July release and they
re-rolled the distfile.  I see
2ea92407c11bf13302558a5bc9e1f3a57bd14a1d9ded48c505ec495762f76738 as the hash. 
Patch attached fixes the issue by updating to the new 0.8.8f distfile and
bumping PORTREVISION.

-- 
You are receiving this mail because:
You are the assignee for the bug.
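
Added example, not part of the bug report or the port: a check that compares every available copy of one distfile name (local cache, fallback mirror, upstream master site) against the port's distinfo, so a re-rolled tarball is not hidden by copies that still match. The file contents, source labels and the hash derived from them are constructed for illustration; only the filename comes from the comment above.

```python
import hashlib
import re

# distinfo entries look like "SHA256 (name) = <hex>" and "SIZE (name) = <bytes>"
_ENTRY = re.compile(r"^(SHA256|SIZE) \((.+?)\) = (\S+)$")

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # TIMESTAMP lines and blanks carry no checksum
        key, name, value = m.groups()
        entries.setdefault(name, {})[key] = int(value) if key == "SIZE" else value.lower()
    return entries

def check_sources(expected, sources):
    """Verify each copy ({label: bytes}) of one distfile against its distinfo entry."""
    results = {}
    for label, data in sources.items():
        if len(data) != expected["SIZE"]:
            results[label] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != expected["SHA256"]:
            results[label] = "sha256 mismatch"
        else:
            results[label] = "ok"
    return results

def rerolled(results):
    """True when copies of the same filename disagree about matching distinfo."""
    verdicts = set(results.values())
    return "ok" in verdicts and len(verdicts) > 1

# Constructed stand-ins for two rolls of the same filename (same length on purpose).
FIRST_ROLL = b"constructed tarball: first roll!\n"
SECOND_ROLL = b"constructed tarball: second roll\n"
NAME = "cacti-0.8.8f.tar.gz"
DISTINFO = (f"TIMESTAMP = 0\nSHA256 ({NAME}) = {hashlib.sha256(FIRST_ROLL).hexdigest()}\n"
            f"SIZE ({NAME}) = {len(FIRST_ROLL)}\n")

def demo():
    expected = parse_distinfo(DISTINFO)[NAME]
    sources = {"local cache": FIRST_ROLL,       # stale copy still matches distinfo
               "fallback mirror": FIRST_ROLL,   # mirror not yet updated
               "master site": SECOND_ROLL}      # upstream re-rolled in place
    return check_sources(expected, sources)

if __name__ == "__main__":
    res = demo()
    print(res, "re-rolled upstream:", rerolled(res))
```

A fetch that stops at the first copy matching distinfo reports success here; only checking the master site copy as well exposes the re-roll.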

