packages: cacti/cacti.spec, cacti/sql_injection_template_export.patch (NEW)...
pawelz
pawelz at pld-linux.org
Fri May 7 13:38:21 CEST 2010
Author: pawelz Date: Fri May 7 11:38:21 2010 GMT
Module: packages Tag: HEAD
---- Log message:
- added sql_injection_template_export.patch. Resolves: CVE-2010-1431
- rel 11
---- Files affected:
packages/cacti:
cacti.spec (1.122 -> 1.123) , sql_injection_template_export.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: packages/cacti/cacti.spec
diff -u packages/cacti/cacti.spec:1.122 packages/cacti/cacti.spec:1.123
--- packages/cacti/cacti.spec:1.122 Wed Apr 14 23:49:06 2010
+++ packages/cacti/cacti.spec Fri May 7 13:38:15 2010
@@ -4,7 +4,7 @@
Summary(pl.UTF-8): Cacti - frontend w PHP do rrdtoola
Name: cacti
Version: 0.8.7e
-Release: 10
+Release: 11
License: GPL
Group: Applications/WWW
Source0: http://www.cacti.net/downloads/%{name}-%{version}.tar.gz
@@ -20,6 +20,7 @@
Patch102: http://www.cacti.net/downloads/patches/0.8.7e/template_duplication.patch
Patch103: http://www.cacti.net/downloads/patches/0.8.7e/fix_icmp_on_windows_iis_servers.patch
Patch104: http://www.cacti.net/downloads/patches/0.8.7e/cross_site_fix.patch
+Patch105: http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch
# http://cactiusers.org/wiki/PluginArchitectureInstall
# http://mirror.cactiusers.org/downloads/plugins/cacti-plugin-0.8.7e-PA-v2.6.zip
Patch0: %{name}-PA.patch
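Review bot: The new Patch105 line has no comment tying it to CVE-2010-1431, so the only place the spec records why the patch exists is the $Log$ entry. A one-line comment above Patch105 naming the CVE would keep that link visible to anyone who later rebases or drops patches when the Version changes.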
@@ -124,6 +125,7 @@
%patch102 -p1
%patch103 -p1
%patch104 -p1
+%patch105 -p1
%patch0 -p1
%patch1 -p1
%patch2 -p1
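Review bot: %patch105 is applied before %patch0 (the plugin architecture patch), and it inserts four lines into form_save() in templates_export.php. If %{name}-PA.patch touches the same file, it was generated against a tree without those lines, so confirm that %prep still applies %patch0 without fuzz or rejects.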
@@ -274,6 +276,10 @@
All persons listed below can be reached at <cvs_login>@pld-linux.org
$Log$
+Revision 1.123 2010/05/07 11:38:15 pawelz
+- added sql_injection_template_export.patch. Resolves: CVE-2010-1431
+- rel 11
+
Revision 1.122 2010/04/14 21:49:06 glen
- worked fine for years without gd ext; rel 10
================================================================
Index: packages/cacti/sql_injection_template_export.patch
diff -u /dev/null packages/cacti/sql_injection_template_export.patch:1.1
--- /dev/null Fri May 7 13:38:21 2010
+++ packages/cacti/sql_injection_template_export.patch Fri May 7 13:38:15 2010
@@ -0,0 +1,13 @@
+--- cacti-0.8.7e/templates_export.php 2009-06-28 12:07:11.000000000 -0400
++++ cacti-fixed/templates_export.php 2010-04-17 14:08:42.000000000 -0400
+@@ -49,6 +49,10 @@
+ function form_save() {
+ global $export_types;
+
++ /* ================= input validation ================= */
++ input_validate_input_number(get_request_var_post("export_item_id"));
++ /* ==================================================== */
++
+ if (isset($_POST["save_component_export"])) {
+ $xml_data = get_item_xml($_POST["export_type"], $_POST["export_item_id"], (((isset($_POST["include_deps"]) ? $_POST["include_deps"] : "") == "") ? false : true));
+
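Review bot: In form_save(), only export_item_id is validated, while $_POST["export_type"] is passed to the same get_item_xml() call unchecked. $export_types is already declared global in this function, so consider rejecting any export_type that is not one of its keys before the call. The call also still reads $_POST["export_item_id"] directly, so the fix holds only if input_validate_input_number() stops the request on a non-numeric value instead of returning; a short comment stating that, or passing the validated value into get_item_xml(), would make the dependency explicit.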
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/cacti/cacti.spec?r1=1.122&r2=1.123&f=u