Debian has issued an advisory on December 16: https://www.debian.org/security/2015/dsa-3423

Note the PoC on the upstream bug: http://bugs.cacti.net/view.php?id=2646

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated cacti package fixes security vulnerability:

Several SQL injection vulnerabilities have been discovered in Cacti. Specially crafted input can be used by an attacker in the rra_id value of the graph.php script to execute arbitrary SQL commands on the database (CVE-2015-8369).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8369
https://www.debian.org/security/2015/dsa-3423
========================

Updated packages in core/updates_testing:
========================

cacti-0.8.8f-1.1.mga5 from cacti-0.8.8f-1.1.mga5.src.rpm

Reproducible:

Steps to Reproduce:
Procedure in bug 13930
Whiteboard: (none) => has_procedure
mga5 x86_64 Mate Installed the patched version of cacti having already created the cacti database. Note that in the pre-update case I was unable to login as the newly created user. Imported the default cacti database using mysql and added a user with password. Checked config.php to make sure the user and password had been written correctly. Modified /etc/crontab as suggested in the installation and test procedure linked in bug #13930 then logged in as admin in a browser to change the admin password. Logged out and tried to log in as the user and failed. Had to back out and login as admin to define graphs for the Linux machine device, statistics for the hard disk partitions. Not expecting much because it looks like I messed this up somehow. Waiting anyway on a half hour update.
CC: (none) => tarazed25
Have read the instructions and tried again to create a cacti user and failed. I cannot log in as the user. This is the procedure I followed (with some elision):

As root, created the symbolic link /log in /usr/share/cacti pointing to /var/log/cacti
Not sure if that should be /var/log/cacti/cacti.log
There is such a file.

$ mysql cacti < /usr/share/cacti/sql/cacti.sql
ERROR 1050 (42S01) at line 5: Table 'cdef' already exists
$ mysql --user=root mysql
> GRANT ALL ON cacti.* TO lcl@localhost IDENTIFIED BY 'anyoldpassword';
> flush privileges;
> exit;
$ cd /usr/share/cacti
$ su
......
# chown -R lcl rra/ log/
# vi include/config.php
.....
# cat include/config.php
......
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "lcl";
$database_password = "anyoldpassword";
$database_port = "3306";
$database_ssl = false;

/*
   Edit this to point to the default URL of your Cacti install
   ex: if your cacti install as at http://serverip/cacti/ this
   would be set to /cacti/
*/
$url_path = "/cacti/";

/* Default session name - Session name must contain alpha characters */
$cacti_session_name = "Cacti";

$config["library_path"] = '/usr/share/cacti/lib';
$config["rra_path"] = '/var/lib/cacti';
$config['url_path'] = '/cacti/';
.....
# exit

The ownership of /var/lib/cacti and /var/log/cacti is lcl:apache

This is a bit of a puzzle. What more is needed?
Debian-LTS has issued an advisory on December 26: http://lwn.net/Alerts/669382/

It fixes one additional issue, CVE-2015-8377:
http://lwn.net/Vulnerabilities/669404/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807599
http://bugs.cacti.net/view.php?id=2646

but according to comments in the Debian bug above, the fix caused a regression.
Summary: cacti new security issue CVE-2015-8369 => cacti new security issues CVE-2015-8369 and CVE-2015-8377
Whiteboard: has_procedure => has_procedure feedback
Debian-LTS issued two additional advisories with regression fixes, so I'll need to pull the patches from the latest squeeze update: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807599
And there's a new issue, CVE-2015-8604, with no patch yet: http://openwall.com/lists/oss-security/2016/01/04/9
Debian-LTS has issued an advisory today (January 14): http://lwn.net/Alerts/671883/

It fixes one additional issue, CVE-2015-8604: http://lwn.net/Vulnerabilities/671906/
Summary: cacti new security issues CVE-2015-8369 and CVE-2015-8377 => cacti new security issues CVE-2015-8369, CVE-2015-8377, and CVE-2015-8604
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated cacti package fixes security vulnerability:

Several SQL injection vulnerabilities have been discovered in Cacti. Specially crafted input can be used by an attacker in the rra_id value of the graph.php script to execute arbitrary SQL commands on the database (CVE-2015-8369).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8604
https://www.debian.org/security/2015/dsa-3423
http://lwn.net/Alerts/669382/
http://lwn.net/Alerts/671883/
========================

Updated packages in core/updates_testing:
========================

cacti-0.8.8f-1.2.mga5 from cacti-0.8.8f-1.2.mga5.src.rpm
Whiteboard: has_procedure feedback => has_procedure
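The advisories above describe an SQL injection through the rra_id parameter of graph.php. The defensive pattern that closes this class of bug is to validate the parameter as an integer before it reaches the database and to pass it only as a bound query parameter. The following is an added illustration in PHP, not Cacti's own code or the patch shipped in this update; the table name rra_demo, its columns and the in-memory SQLite database are constructed for the demonstration and do not reflect Cacti's schema.

```php
<?php
// Added example (not Cacti's own code): treat a user-supplied rra_id as an
// integer, reject anything else, and bind the value instead of interpolating it.
// The rra_demo table below is constructed for this demo, not Cacti's schema.

function lookup_rra_path(PDO $db, $raw_rra_id): ?string
{
    // FILTER_VALIDATE_INT returns false for anything that is not a plain
    // decimal integer ("1abc", "", "-5" with min_range => 1), so non-numeric
    // input never reaches the query text.
    $rra_id = filter_var($raw_rra_id, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($rra_id === false) {
        return null;
    }

    // Prepared statement with a typed bound parameter: the SQL text is fixed,
    // and the database driver carries the value separately from the query.
    $stmt = $db->prepare('SELECT path FROM rra_demo WHERE id = :id');
    $stmt->bindValue(':id', $rra_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row['path'];
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rra_demo (id INTEGER PRIMARY KEY, path TEXT NOT NULL)');
$db->exec("INSERT INTO rra_demo (id, path) VALUES (1, '/var/lib/cacti/rra/localhost_load_1.rrd')");
$db->exec("INSERT INTO rra_demo (id, path) VALUES (2, '/var/lib/cacti/rra/localhost_mem_2.rrd')");

// Constructed inputs: two valid ids, one unknown id, and three values that
// must be rejected before any query is built.
$inputs = ['1', '2', '42', '1abc', '-5', ''];
foreach ($inputs as $input) {
    $path = lookup_rra_path($db, $input);
    printf("%-8s => %s\n", var_export($input, true), $path ?? 'rejected or not found');
}
```

Run it with the php CLI on a build that has the pdo_sqlite extension enabled. The two checks are independent and both are worth keeping: the integer validation gives an early, loggable rejection point for malformed requests, while the bound parameter guarantees that even a value which passes validation cannot alter the query structure.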
Testing M5 x64 OK Updated existing installation to: cacti-0.8.8f-1.2.mga5 http://localhost/cacti just worked as previously. Nothing untoward noticed. Trying something new: add a user from the console/user admin. This in itself went fine, and that user could log in. But despite having ticked all the boxes that seemed relevant for the user to view existing graphs, nothing was available to him. The Graphs tab stopped at the word 'Tree'. This has nothing to do with the update, just my ignorance of Cacti...
CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0025.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED