OpenSuSE has issued an advisory today (June 24):
http://lists.opensuse.org/opensuse-updates/2015-06/msg00052.html

They updated to 0.8.8d which fixes this issue and some others.

Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Updated packages uploaded for Mageia 4 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13626#c4
https://bugs.mageia.org/show_bug.cgi?id=13930#c4

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id (CVE-2015-4342).

The cacti package has been updated to version 0.8.8d, which fixes this issue, as well as other SQL injection and XSS issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4342
http://lists.opensuse.org/opensuse-updates/2015-06/msg00052.html
========================

Updated packages in core/updates_testing:
========================
cacti-0.8.8d-1.mga4
cacti-0.8.8d-1.mga5

from SRPMS:
cacti-0.8.8d-1.mga4.src.rpm
cacti-0.8.8d-1.mga5.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/649230/
CC: (none) => oe
Version: Cauldron => 5
Assignee: oe => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Whiteboard: MGA4TOO => MGA4TOO has_procedure
Debian has issued an advisory for this on June 24:
https://www.debian.org/security/2015/dsa-3295

It turns out the other security issues do have CVEs.

LWN reference:
http://lwn.net/Vulnerabilities/649380/

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors (CVE-2015-2665).

SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id (CVE-2015-4342).

SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php (CVE-2015-4454).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4454
https://www.debian.org/security/2015/dsa-3295
Advisory committed to svn.
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure advisory
MGA4-32 on AcerD620 Xfce
No installation issues. Followed test case instructions as per bug13930 with success.
CC: (none) => herman.viaene
Whiteboard: MGA4TOO has_procedure advisory => MGA4TOO has_procedure advisory MGA4-32-OK
MGA5-64 on HP Probook 6555b KDE
No installation issues. Followed test case instructions as per bug13930 with success.
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA5-64-OK
Upstream has released version 0.8.8e: http://www.cacti.net/release_notes_0_8_8e.php It fixes CVE-2015-4634 and other SQL injection and XSS issues. I need to update this again.
Summary: cacti new security issue CVE-2015-4342 => cacti new security issues CVE-2015-4342 and CVE-2015-4634
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA5-64-OK => MGA4TOO has_procedure advisory feedback
Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Please update the advisory in SVN.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors (CVE-2015-2665).

SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id (CVE-2015-4342).

SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php (CVE-2015-4454).

SQL injection vulnerability in Cacti before 0.8.8e in graphs.php (CVE-2015-4634).

The cacti package has been updated to version 0.8.8e, which fixes this issue, as well as other SQL injection and XSS issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4634
https://www.debian.org/security/2015/dsa-3295
http://www.cacti.net/release_notes_0_8_8e.php
========================

Updated packages in core/updates_testing:
========================
cacti-0.8.8e-1.mga4
cacti-0.8.8e-1.mga5

from SRPMS:
cacti-0.8.8e-1.mga4.src.rpm
cacti-0.8.8e-1.mga5.src.rpm
Whiteboard: MGA4TOO has_procedure advisory feedback => MGA4TOO has_procedure
CVE request for additional SQL injection fixes in 0.8.8e: http://openwall.com/lists/oss-security/2015/07/18/4
MGA4-32 on Acer D620 Xfce
No installation issues for 0.8.8e. Run cacti with existing mysql settings from previous version: cacti asked permission to run upgrade, no problem encountered. Then cacti was running as before.
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure advisory MGA4-32-OK
MGA5-64 on HP Probook 6555b KDE.
Same as above, Comment 9.
Testing MGA4 x64

Installed Cacti cacti-0.8.8b-3.2.mga4 from release repositories, but found all the instructions/procedures referred to directly & indirectly above more confusing than helpful. In http://www.cacti.net/downloads/docs/html/unix_configure_cacti.html steps 6/7 in particular do not seem necessary, and I could not find any of the configuration elements cited. In https://bugs.mageia.org/show_bug.cgi?id=13930#c4 the /etc/my.cnf note did not seem necessary.

FWIW here is a summary:

- Install Cacti (and its dependencies). This pre-defines in /etc/cacti.conf (if you want different values):
-- Cacti database name 'cacti';
-- Cacti database user name 'cactiuser';
-- Cacti database user password 'cactiuser'.
It is OK to leave these as they are.

- For MariaDB/MySQL, either from its command line or phpMyAdmin
-- Create a database user 'cactiuser' [or whatever];
-- Assign its password 'cactiuser' [or whatever];
-- Create a database 'cacti';

- Import the Cacti database:
# mysql -p cacti < /usr/share/cacti/sql/cacti.sql
Make sure the cactiuser user has all rights; if you have database connection problems, try:
mysql> GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY 'cactiuser';
mysql> flush privileges;

- Go to http://localhost/cacti and click through the initial configuration confirmation. There is a pre-defined Cacti user 'admin' with the same password initially, which you are forced to change at your first login. Do that, note it!

This URL is the entry to Cacti. You do not seem to have to do anything for Cacti to work, other than leaving it running long enough to have graphs to view (View your new graphs). It produces a few basic graphs without having to add anything. You can play with it sooner by logging in, defining data sources etc as invited on the basic Console screen.

BTAIM System Utilities/View Cacti Log File showed disconcerting cron-related errors, which did not seem to matter however.
From Updates Testing, updated Cacti to: cacti-0.8.8e-1.mga4 refusing the rpmnew config file. It recognised that it had been updated, and http://localhost/cacti showed a configuration confirmation screen before the login one. The log seems to re-start from scratch, but previously added data sources were present and (given enough time) graphed. No regression noted, so this update seems OK.
CC: (none) => lewyssmith
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA5-64-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA5-64-OK MGA4-64-OK
Unfortunately, 0.8.8f was released on July 19, fixing some regressions:
http://www.cacti.net/release_notes_0_8_8f.php

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Please update the advisory in SVN. CVE requests are still pending.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors (CVE-2015-2665).

SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id (CVE-2015-4342).

SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php (CVE-2015-4454).

SQL injection vulnerability in Cacti before 0.8.8e in graphs.php (CVE-2015-4634).

The cacti package has been updated to version 0.8.8e, which fixes this issue, as well as other SQL injection and XSS issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4634
https://www.debian.org/security/2015/dsa-3295
http://www.cacti.net/release_notes_0_8_8d.php
http://www.cacti.net/release_notes_0_8_8e.php
http://www.cacti.net/release_notes_0_8_8f.php
========================

Updated packages in core/updates_testing:
========================
cacti-0.8.8f-1.mga4
cacti-0.8.8f-1.mga5

from SRPMS:
cacti-0.8.8f-1.mga4.src.rpm
cacti-0.8.8f-1.mga5.src.rpm
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA5-64-OK MGA4-64-OK => MGA4TOO has_procedure
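As an added example, not part of this bug thread or of Mageia's own tooling: a small Python check that decides whether an installed cacti package NVR is older than the fixed packages named in this update (cacti-0.8.8f-1.mga4 and cacti-0.8.8f-1.mga5, taken from the comment above). It implements the core of rpm's version comparison (digit runs compared numerically, letter runs lexically, the string with more segments wins) and omits rpm's tilde/caret ordering, which these package versions do not use; the assumption that the release field ends in the distro tag (`3.2.mga4`) is mine.

```python
import re

# Fixed package NVRs named in this update (taken from the bug thread), per Mageia release.
FIXED_BY_RELEASE = {"mga4": "cacti-0.8.8f-1.mga4", "mga5": "cacti-0.8.8f-1.mga5"}

# rpm's vercmp walks both strings as runs of digits or letters, ignoring '.', '-' etc.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """-1, 0 or 1 as version string a is older than, equal to, or newer than b.
    Core of rpm's algorithm; tilde/caret ordering is omitted (unused by these packages)."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:            # numeric runs compare as integers (so 10 > 9)
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:           # a numeric run sorts newer than an alphabetic one
            return 1 if x_num else -1
        elif x != y:                   # alphabetic runs compare lexically ('b' < 'd' < 'f')
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer (0.8.8b > 0.8.8).
    if len(seg_a) != len(seg_b):
        return 1 if len(seg_a) > len(seg_b) else -1
    return 0


def split_nvr(nvr):
    """Split 'name-version-release' from the right, so dashes inside the name survive."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(a, b):
    """Compare two NVRs of one package: version first, release only on a tie."""
    _, va, ra = split_nvr(a)
    _, vb, rb = split_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable(installed_nvr):
    """True when the installed cacti NVR is older than the fixed NVR for its Mageia release.
    Assumes (my convention) the release field ends in the distro tag: '3.2.mga4' -> 'mga4'."""
    name, _, release = split_nvr(installed_nvr)
    fixed = FIXED_BY_RELEASE.get(release.rsplit(".", 1)[-1])
    if name != "cacti" or fixed is None:
        raise ValueError("no fixed version known for " + installed_nvr)
    return compare_nvr(installed_nvr, fixed) < 0
```

Feed it the output of `rpm -q cacti` on a Mageia 4 or 5 host; the release-repository build cacti-0.8.8b-3.2.mga4 from the test report above is flagged, the 0.8.8f builds are not.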
Testing MGA4 x64 [again]

Updated to: cacti-0.8.8f-1.mga4 and visited http://localhost/cacti

Once again there was a series of update screens. This time I looked at the Cacti 'update' page, which is full of detailed instructions. Ignored previously, and this time. Is it necessary to do all that? The Log re-starts from scratch. After a suitable interval, graphs are available - including previous sessions. So OK'ing this update. And hoping version 'g' does not arrive forthwith.
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA4-64-OK
LWN reference for CVE-2015-4634 and other issues fixed in 0.8.8e: http://lwn.net/Vulnerabilities/651868/
MGA4-32 on Acer D620 Xfce
All seems OK with version f as well.
Whiteboard: MGA4TOO has_procedure MGA4-64-OK => MGA4TOO has_procedure MGA4-64-OK MGA4-32-OK
Whiteboard: MGA4TOO has_procedure MGA4-64-OK MGA4-32-OK => MGA4TOO has_procedure MGA4-64-OK MGA4-32-OK advisory
Advisory updated
Testing MGA5 x64, OK.

By mistake I installed directly cacti-0.8.8f-1.mga5 (and its many dependencies); however this seems legitimate - sometimes - because anyone installing Cacti after this update would do likewise. Followed all the instructions in Comment 11 for installation & configuration. I could not get any graphs subsequently even leaving it running a long time, and logging out/in; but they appeared eventually on re-booting and leaving the system running. BTW I note for the first time that seem to be based on UTC rather than local time.
Whiteboard: MGA4TOO has_procedure MGA4-64-OK MGA4-32-OK advisory => MGA4TOO has_procedure MGA4-64-OK MGA4-32-OK advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0306.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This also fixed CVE-2015-2967: http://lwn.net/Vulnerabilities/658450/