CVEs were assigned for two security issues fixed upstream in cacti: http://openwall.com/lists/oss-security/2014/08/16/5
The upstream commit to fix them is linked in that message.
The correct RedHat bug link is actually: https://bugzilla.redhat.com/show_bug.cgi?id=1129762
I would imagine Fedora will be fixing this soon.
Whiteboard: (none) => MGA4TOO
Debian has issued an advisory for this today (August 20): https://www.debian.org/security/2014/dsa-3007
This also fixes three other new CVEs.
URL: (none) => http://lwn.net/Vulnerabilities/609034/
Summary: cacti new security issues CVE-2014-5261 and CVE-2014-5262 => cacti new security issues CVE-2014-502[567], CVE-2014-5261, and CVE-2014-5262
Here's the RedHat bug links for these issues:
https://bugzilla.redhat.com/show_bug.cgi?id=1121466
https://bugzilla.redhat.com/show_bug.cgi?id=1129762

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

Multiple security issues (cross-site scripting, missing input sanitising and SQL injection) have been discovered in Cacti, a web interface for graphing of monitoring systems (CVE-2014-5025, CVE-2014-5026, CVE-2014-5261, CVE-2014-5262).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5262
https://www.debian.org/security/2014/dsa-3007
========================

Updated packages in core/updates_testing:
========================
cacti-0.8.8b-3.2.mga4

from cacti-0.8.8b-3.2.mga4.src.rpm
Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO => (none)
Procedure: https://bugs.mageia.org/show_bug.cgi?id=13626#c4
Whiteboard: (none) => has_procedure
Testing complete mga4 64

Largely following the procedure.

Cacti doesn't seem to allow a socket connection to mysql, so edited /etc/my.cnf and commented 'skip-networking' by adding a # in front and then restarted the mysqld service.

Used phpmyadmin to create the mysql user/password & database cacti.

Imported the database:
# mysql -p cacti < /usr/share/cacti/sql/cacti.sql

Edited /usr/share/cacti/include/config.php to add the database details. Defaults to database cacti, user cactiuser, password cactiuser.

Opened http://localhost/cacti in a browser and clicked through the installation steps. Then logged in as admin/admin and changed the default password, as it forces you to do.

Clicked the Graphs tab and set the Custom drop down to Last half hour to view the graphs. It took a few mins (possibly 5) before they showed data when refreshed.
Whiteboard: has_procedure => has_procedure mga4-64-ok
Actually, the file to edit is not /usr/share/cacti/include/config.php but /etc/cacti.conf.
Tried to test on Mageia4-32 following the procedure in comments 3 and 4. Managed to log in to cacti (http://localhost/cacti), change the password and complete the configuration. Never had a graph showing afterwards, even after waiting several minutes. I guess I didn't manage to configure devices and/or graphs correctly.
CC: (none) => olchal
It seems to poll every 5 minutes, Olivier, so leave it for a while and refresh the graphs. You can set the time span to 30 minutes too.
Left it for a long while (1 hour) and nothing showed. Retraced the whole procedure and still didn't manage.

I don't know if it's related, but in the procedure shown here: http://www.cacti.net/downloads/docs/html/unix_configure_cacti.html
chown -R cactiuser rra/ log/
returned that I don't have any log/ directory.

I also tried to run snmpd.service after tweaking it, but to no effect.

Sorry, that one is too hard for me.
Testing complete mga4 32

Altered the polling and cron intervals in the console tab settings page. Used 'Clear' on the graphs page and refreshed it, and the graphs showed. It seems a bit temperamental; I don't think you did anything wrong, Olivier.
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0403.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED