Hello community,

here is the log from the commit of package cacti for openSUSE:Leap:15.2 checked in at 2020-03-02 13:25:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/cacti (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.cacti.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cacti" Mon Mar 2 13:25:59 2020 rev:46 rq:780760 version:1.2.9 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/cacti/cacti.changes 2020-01-15 14:49:14.985372412 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.cacti.new.26092/cacti.changes 2020-03-02 13:26:06.618726780 +0100 
@@ -1,0 +2,700 @@ +Sat Feb 15 18:46:00 UTC 2020 - Andreas Stieger <[email protected]> + +- cacti 1.2.9: + * CVE-2020-7106: Lack of escaping on some pages could lead to XSS + exposure (boo#1161297) + * CVE-2020-7237: Remote Code Execution due to input validation + failure in Performance Boost Debug Log (boo#1161297) + * many bug fixes + +------------------------------------------------------------------- +Sun Feb 2 17:10:52 UTC 2020 - Andreas Stieger <[email protected]> + +- cacti 1.2.8: + * CVE-2019-17357: When viewing graphs, some input variables were + not properly checked (SQL injection possible) [boo#1158990] + * CVE-2019-17358: Unsafe deserialisation of data [boo#1158992] + * When using HTTPS, secure cookie to prevent potential weakness + * various bug fixes + +------------------------------------------------------------------- +Thu Oct 17 15:13:04 UTC 2019 - Richard Brown <[email protected]> + +- Remove obsolete Groups tag (fate#326485) + +------------------------------------------------------------------- +Mon Sep 30 05:52:15 UTC 2019 - David Liedke <[email protected]> + +-Build version 1.2.7 + -security#2964: CVE-2019-16723 Security issue allows to view all graphs + -issue#1181: When opening the Scheduler, it may appear off screen when + opened near the bottom of a window + -issue#2894: When using Remote Data Collectors, database information and + recommendations may show Incorrect values + -issue#2895: When using data sources from different RRDs, Percentile + calculation may be incorrect + -issue#2899: When displaying a form, variable substitution may not always + work as expected + -issue#2922: When running a data query, the result may come back as undefined + -issue#2925: When using consolidation functions, retrieving the first step + can cause errors + -issue#2926: When editing a graph, variable validation errors may prevent + changes from being saved + -issue#2929: Boost performance may become poor even in single server mode + -issue#2930: RRDtool can 
generate errors to standard output which can corrupt images + -issue#2932: When RRDTool generates an error creating an image, it is not + always reportedly properly + -issue#2936: Installer will loop when number of tables exceeds PHP's max_input_vars limit + -issue#2938: Under CentOS packages, upgrade_database.php script uses incorrect + location for DB upgrade scripts + -issue#2940: Images are not always properly sized until the page size changes + -issue#2949: Order icons may not be properly aligned + -issue#2951: Allow legends to be modified for Aggregate Graphs + -issue#2958: Drop down autocomplete lists do not always open as expected + -issue#2961: When syncing device templates, undefined function may be raised + -issue#2963: When running ss_cpoller script, avgTime incorrect returns maxTime + -issue#2966: Realtime popup windows do not always honor settings + -issue#2967: When using Spikekill, gap and range fill are not operating as expected + -issue#2970: When a user edits their profile, buttons may appear as unusable whilst + still being enabled + -issue#2973: User menu does not always display properly on mobile devices + -issue#2974: Script Server can raise unexpected warnings when 'arg_num_indexes' + set but not found in data source + -issue#2975: Datasource Debug does not properly handle European numbers in + certain circumstances + -issue#2976: Boost messages should be stored in their own log file + -issue#2977: Data updates with past timestamps can cause boost errors + -issue#2978: Moving hosts between data collectors is slow + -issue#2979: Multi Output Fields are not parsed correctly + -issue#2984: When checking SQL fields, value was not always primed + -issue#2986: Selecting 'Devices' menu pick closes 'Management' menu + -feature#2943: Allow all Data Queries of a device to be re-indexed at once + -feature#2952: If device is down or threshold breached, highlight in tree view + -feature#2985: Update phpseclib to 2.0.23 + 
+------------------------------------------------------------------- +Mon Sep 2 12:24:33 UTC 2019 - David Liedke <[email protected]> + +-Build version 1.2.6 + -issue#2794: Graph template not saved on graph edit + -issue#2825: "innodb_doublewrite = off" possibly dangerous recommendation + -issue#2829: PHP recommendations always see memory limit as unlimited + -issue#2830: Disabled Top/Bottom external links should not be displayed + -issue#2832: Install/Upgrade log does not show anything + -issue#2833: Undefined index can occur when data source does not have an + snmp_index + -issue#2834: Boost performance drops on very large systems + -issue#2835: When creating graphs and inneficient query is causing long + creation times + -issue#2837: Sunrise theme does not render checkboxes 100% correctly + -issue#2838: jQueryMultiselect does not match upstream due to forking + -issue#2839: Non regular expression search filters don't support international + characters + -issue#2841: Total count is wrong after searching for External Link pages + -issue#2843: DSStats reruns Daily Aggregation every minute + -issue#2844: Autocomplete settings for passwords are not properly defined + -issue#2845: Data Template can't be edited when it is in use + -issue#2846: Allow tooltips for section headers with 'question' icon + -issue#2847: Permanently convert an Aggregate to a regular graph + -issue#2848: Aggregate graphs get clipped due to incorrect date range + -issue#2856: Aggregate issues with very long RRDtool command lines + -issue#2857: When trying to find the best index to use, a 'must implement + Countable' warning appears + -issue#2860: When testing remote poller connections during install, undefined + variable warning can occur + -issue#2862: Automation does not calculate network information correctly for + single hosts + -issue#2866: Add poller ID to subject for admin notifications + -issue#2869: When creating aggregates from Graphs, JavaScript issues can occur + -issue#2872: Add 
support for MySQL 8 and use of grouping as name for a column + -issue#2875: Undefined variable when removing spikes in some cases + -issue#2877: When attempting to send report, undefined function 'get_tinespan' messages appear + -issue#2878: Function get_magic_quotes_gpc() is now deprecated in PHP 7.4 + -issue#2879: Switching from authPriv to authNoPriv produces error when saving + -issue#2884: Replication continues to occur when poller has been disabled by sysres-dev + -issue#2891: Script server script ss_fping.php generates error when not called + by script server + -issue#2895: Percentile calculation is incorrect on Graphs with multiple Data + Sources from different RRDs + -issue#2901: Poller overrun warning message is badly worded + -issue#2902: Mailer incorrectly reports it is sending to noone + -issue#2903: PHP recommendations can generate a warning causing JSON issues + -issue#2905: Sorting plugins by version can lead to unexpected ordering + -issue#2907: SSL column for multiple pollers can be incorrectly set causing SQL errors + -issue#2908: When URL_PATH is blank, it should assume that it is '/' + -issue#2909: Correct usage of affect vs effect in strings + -issue#2910: Can not show user menu when in portrait mode on mobile devices + -issue#2911: Graph variables are not always encoded to JSON properly resulting in warnings + -issue#2912: Navigation cache can sometimes be corrupted resulting in a non-array value + -issue#2913: When adding new graphs, the type of graph is not remembered + -issue#2917: Action icons next to graphs can sometimes become unselectable due to zoom + -issue#2919: When refreshing menu, selected items are sometimes lost and submenu + items can become hidden + +------------------------------------------------------------------- +Tue Aug 20 11:41:00 CEST 2019 - [email protected] + +- BuildRequire cron as this contains now the cron directories + +------------------------------------------------------------------- +Tue Jul 16 06:39:13 UTC 
2019 - David Liedke <[email protected]> + +-Build version 1.2.5 + -issue#1978: Popup Menus can appear off screen when using Graph Thumbnails + -issue#2282: Installation wizard does not detect RRDtool version correctly + -issue#2524: When editing a tree, Drag and Drop of Devices does not always + work as expected + -issue#2573: Associated Graph Template for Data Query can sometime disappear + -issue#2656: GPRINT text_format does not replace Data Query and Host Fields + -issue#2661: Automation does not always calculate network range/subnet correctly + -issue#2663: Some legacy Data Queries can not determine their index order + causing broken graphs + -issue#2674: Large strings can sometimes cause language translation can fail + -issue#2719: Automation may sometimes create empty graphs + -issue#2721: When replacing '|input_xxxx|' strings, undefined index can occur + -issue#2722: Calls to _db_replace() are not consistent resulting in warnings + -issue#2723: When replicating to remote pollers, Undefined Variable errors may be seen + -issue#2724: When graphing HRULE items, 'Only Variables should be passed by + reference' error may be seen + -issue#2725: When viewing logs in utilities, filenames should be limited the same as clog + -issue#2726: During Automation logging, include the Rule ID that triggers + the creation of an item by xmacan + -issue#2732: When using basic authentication, automatically strip any @domain information + -issue#2734: Allow non-english labels to be used on Graph Templates + -issue#2727: When using Polling Hosts Template, warnings can be issued when + CMD.PHP is the poller + -issue#2733: When processing SNMP data, space delimited hex strings do not + always convert into MAC addresses + -issue#2735: Mouse cursor should show as default pointer if column is not sortable + -issue#2736: When using MySQL 8 or above, 'function' is considered a reserved word + unless quoted by xmacan + -issue#2741: Various errors can occur due to undefined or incorrect 
variable names + -issue#2742: Various errors can occur due to undefined or incorrect variable names + -issue#2743: Attempts to close a tooltip when no tooltip has been set may cause errors + -issue#2744: When changing password, undefined index error can occur if user is not logged in + -issue#2748: If PHP location setting is invalid during install/upgrade, this + should be notified on modules page + -issue#2750: When performing multiple sort, highlighting of content occurs + -issue#2751: When editing a Tree, display filter may not allow 'All' option to work + -issue#2752: When running verbose query on device, you are unable to copy text from items + -issue#2753: Unable to copy entire verbose query using clipboard command + -issue#2757: Page Navigation can be subject to XSS injection + -issue#2758: Various sensitive directories are browsable if web server directory browsing is enabled + -issue#2760: Unable to add items into a report + -issue#2762: Creating an aggregate graph can sometimes fail due to unknown RRD tools error + -issue#2766: When modifying Aggregate Templates, changes are not always cascaded to Graph + -issue#2768: Aggregate Graphs may sometimes show the wrong row count + -issue#2770: ItemType is not updated when saving Report Items + -issue#2772: Add tooltip support to html_header() and html_header_checkbox() + -issue#2775: Remote pollers may sometimes fail to replicate data back to main system + -issue#2777: Attempting to edit a non-existent report generates an error + -issue#2778: When rendering graphs, resizing can sometimes occur repeatedly + -issue#2779: On new installations, automation rules for Interface Graphs are broken + -issue#2780: Upgrade database script not actually upgrading Cacti + -issue#2782: When replicating the syslog plugin, the configuration file is ignored causing errors + -issue#2783: When limiting the number of displayed characters, international characters + may sometimes display incorrectly + -issue#2784: When removing a 
device with graphs but no data sources , errors are generated ++++ 503 more lines (skipped) ++++ between /work/SRC/openSUSE:Leap:15.2/cacti/cacti.changes ++++ and /work/SRC/openSUSE:Leap:15.2/.cacti.new.26092/cacti.changes Old: ---- cacti-1.1.38.tar.gz New: ---- cacti-1.2.9.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cacti.spec ++++++ --- /var/tmp/diff_new_pack.VGVIVw/_old 2020-03-02 13:26:07.046727631 +0100 +++ /var/tmp/diff_new_pack.VGVIVw/_new 2020-03-02 13:26:07.046727631 +0100 @@ -1,7 +1,7 @@ # # spec file for package cacti # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,17 +12,21 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # +%if 0%{?suse_version} <= 1210 +%define cacti_dir %{_datadir}/cacti +%else +%define cacti_dir %{apache_datadir}/cacti +%endif Name: cacti -Version: 1.1.38 +Version: 1.2.9 Release: 0 Summary: Web Front-End to Monitor System Data via RRDtool -License: GPL-2.0+ -Group: System/Monitoring -Url: http://www.cacti.net/ +License: GPL-2.0-or-later +URL: http://www.cacti.net/ Source0: http://www.cacti.net/downloads/%{name}-%{version}.tar.gz Source1: %{name}.cron Source2: %{name}-httpd.conf 
@@ -31,44 +35,41 @@ # PATCH-FIX-UPSTREAM cacti-config.patch Patch0: %{name}-config.patch BuildRequires: apache-rpm-macros -BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildArch: noarch -%if 0%{?suse_version} -BuildRequires: apache2-devel -%else -BuildRequires: httpd-devel -%endif Requires: httpd Requires: logrotate Requires: net-snmp +Requires: php-ctype +Requires: php-gd Requires: php-gmp +Requires: php-json Requires: php-ldap Requires: php-mbstring Requires: php-openssl Requires: php-posix -Requires: php-snmp >= 5.4 +Requires: php-snmp >= 7.0 Requires: php-zlib Requires: rrdtool +Conflicts: cacti-spine < %{version} +Conflicts: cacti-spine > %{version} +Provides: cacti-system +Obsoletes: cacti-PA +Provides: cacti-PA +BuildArch: noarch %if 0%{?suse_version} +BuildRequires: apache2-devel +%else +BuildRequires: httpd-devel +%endif +%if 0%{?suse_version} +BuildRequires: cron Requires: cron -Requires: mod_php_any >= 5.4 -Requires: php-sockets >= 5.4 +Requires: mod_php_any >= 7.0 +Requires: php-sockets >= 7.0 %endif %if 0%{?fedora_version} -Requires: php-mysqlnd >= 5.4 +Requires: php-mysqlnd >= 7.0 %else -Requires: php-mysql >= 5.4 -%endif -Provides: cacti-system -Obsoletes: cacti-PA -Provides: cacti-PA -Conflicts: cacti-spine < %{version} -Conflicts: cacti-spine > %{version} - -%if 0%{?suse_version} <= 1210 -%define cacti_dir %{_datadir}/cacti -%else -%define cacti_dir %{apache_datadir}/cacti +Requires: php-mysql >= 7.0 %endif %description @@ -82,7 +83,6 @@ %package doc Summary: Documentation for Cacti -Group: Documentation/HTML Requires: %{name} = %{version} %description doc 
@@ -171,8 +171,8 @@ chown -R %{apache_user}:%{apache_group} %{cacti_dir}/rra %files -f %{name}.list -%defattr(-,root,root) -%doc LICENSE README.md docs/txt +%license LICENSE +%doc README.md %attr(-,%{apache_user},%{apache_group}) %dir %{_localstatedir}/lib/%{name} %attr(-,%{apache_user},%{apache_group}) %dir %{_localstatedir}/log/%{name} %attr(-,%{apache_user},%{apache_group}) %{cacti_dir}/log @@ -195,8 +195,4 @@ %config(noreplace) %{apache_sysconfdir}/../conf.d/%{name}.conf %endif -%files doc -%defattr(-,root,root) -%doc docs/html - %changelog ++++++ cacti-1.1.38.tar.gz -> cacti-1.2.9.tar.gz ++++++ /work/SRC/openSUSE:Leap:15.2/cacti/cacti-1.1.38.tar.gz /work/SRC/openSUSE:Leap:15.2/.cacti.new.26092/cacti-1.2.9.tar.gz differ: char 5, line 1 ++++++ cacti-config.patch ++++++ --- /var/tmp/diff_new_pack.VGVIVw/_old 2020-03-02 13:26:07.082727703 +0100 +++ /var/tmp/diff_new_pack.VGVIVw/_new 2020-03-02 13:26:07.082727703 +0100 @@ -1,9 +1,8 @@ -diff -Naur cacti-1.0.2.orig/include/config.php cacti-1.0.2/include/config.php ---- cacti-1.0.2.orig/include/config.php 2017-02-12 02:23:34.000000000 +0100 -+++ cacti-1.0.2/include/config.php 2017-02-13 07:59:15.942975952 +0100 -@@ -36,13 +36,13 @@ - * the main cacti server. otherwise, these variables have no use. - * and must remain commented out. */ +--- cacti-1.2.3/include/config.php.old 2019-04-01 10:03:02.728491693 +0200 ++++ cacti-1.2.3/include/config.php 2019-04-01 10:09:33.589795006 +0200 +@@ -44,17 +44,17 @@ + * must remain commented out. + */ -#$rdatabase_type = 'mysql'; -#$rdatabase_default = 'cacti'; 
@@ -11,33 +10,45 @@ -#$rdatabase_username = 'cactiuser'; -#$rdatabase_password = 'cactiuser'; -#$rdatabase_port = '3306'; +-#$rdatabase_retries = 5; -#$rdatabase_ssl = false; -+//$rdatabase_type = 'mysql'; -+//$rdatabase_default = 'cacti'; -+//$rdatabase_hostname = 'localhost'; -+//$rdatabase_username = 'cactiuser'; -+//$rdatabase_password = 'cactiuser'; -+//$rdatabase_port = '3306'; -+//$rdatabase_ssl = false; - - /* the poller_id of this system. set to '1' for the main cacti - * web server. otherwise, you this value should be the poller_id -@@ -55,15 +55,15 @@ - * http://serverip/cacti/ this would be set to /cacti/. - */ +-#$rdatabase_ssl_key = ''; +-#$rdatabase_ssl_cert = ''; +-#$rdatabase_ssl_ca = ''; ++//#$rdatabase_type = 'mysql'; ++//#$rdatabase_default = 'cacti'; ++//#$rdatabase_hostname = 'localhost'; ++//#$rdatabase_username = 'cactiuser'; ++//#$rdatabase_password = 'cactiuser'; ++//#$rdatabase_port = '3306'; ++//#$rdatabase_retries = 5; ++//#$rdatabase_ssl = false; ++//#$rdatabase_ssl_key = ''; ++//#$rdatabase_ssl_cert = ''; ++//#$rdatabase_ssl_ca = ''; + + /* + * The poller_id of this system. set to `1` for the main cacti web server. +@@ -69,19 +69,19 @@ + * would be set to `/cacti/`. + */ -$url_path = '/cacti/'; +//$url_path = '/cacti/'; - /* default session name - session name must contain alpha characters */ + /* + * Default session name - session name must contain alpha characters + */ -$cacti_session_name = 'Cacti'; +//$cacti_session_name = 'Cacti'; - /* save sessions to a database for load balancing */ + /* + * Save sessions to a database for load balancing + */ -$cacti_db_session = false; +//$cacti_db_session = false; - /* optional parameters to define scripts and resource paths. 
these - * variables become important when using remote poller installs + /* + * Disable log rotation settings for packagers ++++++ cacti-httpd.conf.default ++++++ --- /var/tmp/diff_new_pack.VGVIVw/_old 2020-03-02 13:26:07.106727751 +0100 +++ /var/tmp/diff_new_pack.VGVIVw/_new 2020-03-02 13:26:07.106727751 +0100 @@ -41,9 +41,8 @@ </IfVersion> </IfModule> <IfModule !mod_version.c> - Order deny,allow - Deny from all - Allow from localhost + Require all denied + Require local </IfModule> # Authentication Settings @@ -85,8 +84,7 @@ </IfVersion> </IfModule> <IfModule !mod_version.c> - Order deny,allow - Deny from all + Require all denied </IfModule> </Directory> @@ -108,8 +106,7 @@ </IfVersion> </IfModule> <IfModule !mod_version.c> - Order deny,allow - Deny from all + Require all denied </IfModule> </Directory> </IfDefine>
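Review bot: in cacti.changes hunk @@ -1,0 +2,700 @@, the 1.2.9 entry cites the same bug reference boo#1161297 for both CVE-2020-7106 (XSS) and CVE-2020-7237 (remote code execution), whereas the 1.2.8 entry gives one reference per CVE (boo#1158990, boo#1158992); confirm that a single bug really tracks both fixes or add the second reference so each CVE stays traceable. Smaller points: the 1.2.5 entry lists issue#2741 and issue#2742 with identical text, issue#2932 reads "not always reportedly properly" (presumably "reported properly"), and the 1.2.5, 1.2.6 and 1.2.7 entries write "-Build version" and "-issue#" without the space after the dash that the other entries use.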
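Review bot: in cacti.spec hunk @@ -12,17 +12,21 @@, the bug-report comment is switched to https://bugs.opensuse.org/ but URL: and Source0: still point at http://www.cacti.net/ and http://www.cacti.net/downloads/%{name}-%{version}.tar.gz; if upstream serves the tarball over HTTPS, use it there as well, since a plaintext download gives no integrity guarantee for the source that gets packaged. The remaining changes in the hunk (License: GPL-2.0-or-later, dropping the Group: tag, moving the %define cacti_dir block above Name:) look right.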
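Review bot: in cacti.spec hunk @@ -31,44 +35,41 @@, the two back-to-back `%if 0%{?suse_version}` blocks (apache2-devel/httpd-devel, then cron, mod_php_any and php-sockets) can be folded into the one %if/%else, so the `%endif` immediately followed by an identical `%if` disappears. The version floor moving from 5.4 to 7.0 on php-snmp, mod_php_any, php-sockets and php-mysql/php-mysqlnd, the added php-ctype, php-gd and php-json requires, and the new `BuildRequires: cron` all line up with the changelog entries for 1.2.x and "BuildRequire cron as this contains now the cron directories".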
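Review bot: cacti.spec hunk @@ -195,8 +195,4 @@ removes the whole `%files doc` section, but `%package doc` and `%description doc` are kept (hunk @@ -82,7 +83,6 @@ only drops their Group: tag); rpmbuild does not produce a subpackage that has no %files section, so either remove the now-stale `%package doc`/`%description doc` stanzas too or keep a `%files doc` listing whatever documentation 1.2.9 still ships. Related, hunk @@ -171,8 +171,8 @@ drops docs/txt from %doc while moving LICENSE to %license; worth confirming the docs directory really is gone from the new tarball rather than silently unpackaged.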
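Review bot: in cacti-config.patch hunk @@ -11,33 +10,45 @@, the new patch lines such as `++//#$rdatabase_type = 'mysql';` prepend `//` to lines that upstream already ships commented out with `#` (the retained context in hunk @@ -1,9 +1,8 @@ says they "must remain commented out"), so that part of the patch is a no-op that only adds churn on every rebase; drop the $rdatabase_* block from the patch and keep only the `$url_path`, `$cacti_session_name` and `$cacti_db_session` changes, which do alter behaviour because config.php no longer sets those values.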
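Review bot: in cacti-httpd.conf.default hunk @@ -41,9 +41,8 @@, `Require all denied` followed by `Require local` at the same level is wrapped by Apache 2.4 in an implicit <RequireAny>, so the first directive never contributes and `Require local` alone states the localhost-only rule without inviting a reader to assume the deny takes precedence; in the other two hunks (@@ -85,8 +84,7 @@ and @@ -108,8 +106,7 @@) a lone `Require all denied` is the correct 2.4 replacement for `Deny from all`. Since these `<IfModule !mod_version.c>` fallbacks now rely on the 2.4 authorization directives instead of mod_access_compat, a short comment saying the fallback assumes Apache 2.4 would save the next maintainer a guess.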
