*** This bug is a security vulnerability ***

Public security bug reported:

Please sync cacti 0.8.7g-1 (universe) from Debian unstable (main).

Explanation of FeatureFreeze exception:

This fixes the following CVEs: CVE-2009-4032, CVE-2010-1644, CVE-2010-1645,
CVE-2010-2543, CVE-2010-2544, and CVE-2010-2545.

From http://www.cacti.net/changelog.php:

0.8.7g
bug: RRDTool 1.4.x not recognized during installation
bug: Implement windows-aware shell escaping
bug: Fixed multiple cross site scripting vulnerabilities reported by Tomas Hoger of the Red Hat Security Response Team
bug#0001292: Over 8TByte partition in Windows can't get correct data from snmp
bug#0001486: Unable to login after redirection to access denied page
bug#0001516: "Show the page that user pointed their browser" does not seem to work
bug#0001561: Over-zealous HTML escaping on filter strings
bug#0001575: LDAP authentication does not work due to ldap_host being set incorrectly
bug#0001587: Feature from bug#0001271 breaks on large values
bug#0001607: Web Basic authentication does not work with fastcgi
bug#0001620: Max OID's max value reported incorrectly in Web UI
bug#0001747: oid_suffix does not work correctly for input direction on data queries
bug#0001756: Alternate font styles do not work correctly
bug#0001763: Unable to add graph permissions on a user
bug#0001757: LDAP realm authentication outputs warning for undefined index
bug#0001765: Tech support does not work correctly with RRDTool 1.4.x
bug#0001766: Page refresh setting not being honored
bug#0001771: "index count changed" not implemented for query_unix_partitions.pl, query_host_partitions.pl, query_cpu_partitions.pl, ss_host_cpu.php and ss_host_disk.php
bug#0001773: Character encoding problem after upgrade to 0.8.7f
bug#0001775: Tech support page does account for no memory limit set for PHP
bug#0001776: Simultaneous database connections are not supported

0.8.7f
security: SQL injection and shell escaping issues reported by Bonsai Information Security (http://www.bonsai-sec.com)
security: Cross-site scripting issues reported by VUPEN Security (http://www.vupen.com)
security: MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability (http://php-security.org)
bug#0001125: XML parse error on template import with degree symbol
bug#0001311: Access denied for graph-only users when accessing index.php directly
bug#0001366: Exported data templates do not import special characters properly
bug#0001416: Graph Export fails with EXPORT FATAL ERROR: Export path /some/path/root/export is within a system path /root. Can not continue.
bug#0001452: Missing "<" and ">" in "Collection Methods=>Data Input Methods=>"Input String" after importing template
bug#0001461: Data query export/import fails
bug#0001492: RRDTool 1.3 series fonts (fontconfig) support
bug#0001506: Reindexing fails due to global include issue in lib/snmp.php
bug#0001522: Special characters break parsing of template data
bug#0001524: Export graphs and Classical Presentation does not honor per graph export rules
bug#0001528: ICMP Ping availability broken in UI for Windows Servers using IIS
bug#0001535: No display of parent ID in tree nodes for CLI tree add script
bug#0001543: All graphs are exported despite graph export rules
bug#0001549: Function array_to_sql_or creates poor sql where clauses
bug#0001557: Quotes in Text Format graph template field break graph rendering
bug#0001587: 64bit HEX Strings don't convert to Decimal on 32bit Systems
bug#0001604: HEX Counter values enclosed in quotes not recognized as HEX
bug#0001609: Script server timeout too aggressive with 10 second poller interval
bug#0001628: Inconsistent message for Change SNMP Options related to available buttons
bug#0001695: Suppress deprecated warnings in Cacti code
bug#0001725: PHP Fatal Error while trying to add a tree node via cli
bug: When creating new graphs without a data source, print error to user instead of throwing php error
bug: Browser query string does not contain arguments
bug: Function inject_form_variables does not operate if more than 1 variable needs replacing
bug: Script imposed memory limits cause issues with some scripts
bug: Turn off process leveling if there are not enough poller items to substantiate it
bug: Add device should allow no-snmp type devices
bug: Firefox Autocomplete causes issues with password validation
bug: Access Denied messages don't allow re-direction to login page
bug: When clearing filter on new-graphs don't clear host or template
bug: When clearing filter, reset page to 1 for all queries
bug: Graph List selectors do not persist between pages
bug: allow empty [upper|lower]_limit even without autoscaling
bug: Availability method Ping or SNMP generates meaningless warnings
feature: Add logging to SQL Save error handling
feature: Add utility to convert database to InnoDB
feature: Return nav as the title for the page
feature: Detect and correct for RRDtool segfaults
feature: Add rra_id for hosts and graphs to be used during tree export
feature: Make the Graphs pages render like the rest of Cacti
feature: Convert base Cacti UI to use buttons and not images
feature: Make poller sane so that it can be used by other cacti processes
feature: Add snmp timeout warnings for lib/snmp.php

Changelog entries since current maverick version 0.8.7e-4:

cacti (0.8.7g-1) unstable; urgency=low

  * New upstream release (Closes: #592465).
  * Update context in 05_no-adodb.patch to remove fuzz.
  * Remove "official" patches from previous release.
  * Remove 563955_undefined_index_local_data_id.patch, incorporated upstream.
  * Remove CVE-2010-2092.patch, incorporated upstream.
  * Import new batch of "official" upstream patches.
  * Update apache configuration to work in FastCGI deployments (Closes: #593203).
    - thanks to Thijs Kinkhorst <[email protected]> (Closes: #578909).

 -- Sean Finney <[email protected]>  Tue, 17 Aug 2010 22:22:02 +0200

While going to this release of cacti does add a few features, this release has a lot of bug fixes in addition to the security fixes. Previous cacti releases are not receiving a lot of security support from the community, so getting this into maverick is imperative.

** Affects: cacti (Ubuntu)
   Importance: Wishlist
   Status: Fix Released

** Changed in: cacti (Ubuntu)
   Importance: Undecided => Wishlist

** This bug has been flagged as a security vulnerability

--
FFe: Sync cacti 0.8.7g-1 (universe) from Debian unstable (main)
https://bugs.launchpad.net/bugs/646909
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
