A CVE has been assigned for a security issue reported upstream for Cacti:
http://openwall.com/lists/oss-security/2016/03/15/11
The previous message in the thread contains a suggested fix:
http://openwall.com/lists/oss-security/2016/03/15/8
Whiteboard: (none) => MGA5TOO
CC: (none) => marja11
Assignee: bugsquad => luis.daniel.lucio
Done! Both cauldron and mga5.
CC: (none) => geiger.david68210
Procedure in bug 13930

Advisory:
========================

Updated cacti package fixes security vulnerability:

SQL injection vulnerability in cacti in cacti/tree.php (CVE-2016-3172).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3172
http://openwall.com/lists/oss-security/2016/03/15/11
========================

Updated packages in core/updates_testing:
========================
cacti-0.8.8f-1.4.mga5

from cacti-0.8.8f-1.4.mga5.src.rpm
Version: Cauldron => 5
Assignee: luis.daniel.lucio => qa-bugs
Whiteboard: MGA5TOO => has_procedure
Trying this on x86_64 before updating but need help already.

cacti had already been installed for a previous test. Invented another dummy user and password.

$ mysql -p --user=root mysql
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 23574
Server version.......

MariaDB [mysql]> grant all on cacti.* to cactus@localhost identified by 'muttermutter';
Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> quit;

crontab already had the modification needed; real user given.
*/5 * * * * lcl php /usr/share/cacti/poller.php > /dev/null 2>&1

The /etc/cacti.conf reflects the new parameters OK.

Set the browser to http://localhost/cacti/ to bring up the User Login prompt.
The cactus/password combination was rejected. ???
CC: (none) => tarazed25
The new user is definitely in the database:

$ mysql -p -ucactus
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 26560
.........................

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| cacti              |
| information_schema |
+--------------------+
2 rows in set (0.00 sec)
Just noticed this in the tutorial:

Log in with a username/password of admin. You will be required to change this password immediately.

admin/admin was rejected.

Since I had worked on a previous bug for cacti this stage must have been passed. And I have no way of recovering the actual admin password. Looks like cacti needs to be dropped and the whole process started from scratch. This has taken hours so far.
MGA-32 on AcerD620 Xfce
No installation issues.
Followed procedure as per bug 13930 and executed them successfully.
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Testing M5 x64 real h/w OK

With an ongoing Cacti setup, updated it to: cacti-0.8.8f-1.4.mga5
http://localhost/cacti then appeared & behaved normally, both for graphs & users.
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
Update validated. Advisory uploaded as per Comment 2.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => sysadmin-bugs
Another security issue was fixed in 0.8.8h. Upstream patch added and Mageia 5 package rebuilt. (Cauldron has 0.8.8h).

LWN reference for CVE-2016-3659:
http://lwn.net/Vulnerabilities/687042/

Advisory:
========================

Updated cacti package fixes security vulnerability:

SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action (CVE-2016-3172).

SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g and earlier allows remote authenticated users to execute arbitrary SQL commands via the host_group_data parameter (CVE-2016-3659).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3659
http://openwall.com/lists/oss-security/2016/03/15/11
========================

Updated packages in core/updates_testing:
========================
cacti-0.8.8f-1.5.mga5

from cacti-0.8.8f-1.5.mga5.src.rpm
Keywords: validated_update => (none)
CC: sysadmin-bugs => (none)
Summary: cacti new security issue CVE-2016-3172 => cacti new security issues CVE-2016-3172 and CVE-2016-3659
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory => has_procedure
Testing x64 real h/w: cacti-0.8.8f-1.5.mga5

Upgraded, added several graphs for a second user. One of which (a disc partition) did not show at all, despite being listed; another just skeletally: CPU usage.

Re-logged as admin user, confirm that the CPU usage graph only shows skeletally, not correctly. The disc usage graph missing from the other user is correct here.

I cannot say whether this is a reversion; could have overlooked it before. But unlikely - it stands out. Only learning how to drive this thing. If somebody else could confirm this ...
MGA-32 on AcerD620 Xfce
No installation issues.

I installed the new version over the existing 0.8.8f-1.4. I get into all sorts of problems with the existing cacti database in mysql, up to the point I cannot connect anymore:

"FATAL: Cannot connect to MySQL server on 'localhost'. Please make sure you have specified a valid MySQL database name in '/etc/cacti.conf'"

Surely the mysql runs and I can connect to the mediawiki (from a previous update test), and the database name I see in /etc/cacti.conf is the same I see in phpmyadmin.
Deleted the existing cacti database with phpmyadmin and started the database creation all over: All works OK, could create a graph for memory usage, processes and logged in users. So it seems to work, but upgrading from a previous version????
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Not sure if this is important for the issue with the upgrading, but I noticed that after the upgrading the date on the /etc/cacti.conf file was still the same as before (3 May, as from the previous update test), and apparently its content was not changed either AFAICS. I've seen upgrades of packages which give a warning about overwriting or updating .conf files and saving the old one, but I did not notice anything like that. Could this have resulted in an inconsistent configuration of cacti????
OpenSuSE has issued an advisory for this today (May 18):
https://lists.opensuse.org/opensuse-updates/2016-05/msg00074.html

Advisory:
========================

Updated cacti package fixes security vulnerability:

SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action (CVE-2016-3172).

SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g and earlier allows remote authenticated users to execute arbitrary SQL commands via the host_group_data parameter (CVE-2016-3659).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3659
https://lists.opensuse.org/opensuse-updates/2016-05/msg00074.html
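Added illustration of the bug class both advisories describe (an integer request parameter such as parent_id or host_group_data spliced into a query) beside the kind of check a fix applies: whitelist the value as digits, then bind it. This is not Cacti's code; the table, rows and function names are constructed here, and `validate_input_number` is only modelled on the idea of Cacti's numeric input validation.

```python
"""Model of the CVE-2016-3172 / CVE-2016-3659 bug class in sqlite3.
Not Cacti code: table, rows and function names are constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a tree-items table keyed by parent_id."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tree_items (id INTEGER, parent_id INTEGER, title TEXT)")
    db.executemany(
        "INSERT INTO tree_items VALUES (?, ?, ?)",
        [(1, 0, "root"), (2, 1, "hosts"), (3, 1, "graphs"), (4, 2, "web01")],
    )
    return db


def children_unsafe(db: sqlite3.Connection, parent_id: str):
    """Vulnerable pattern: the raw request value is concatenated into SQL,
    so anything that is not a bare integer is parsed as part of the query."""
    sql = "SELECT id, title FROM tree_items WHERE parent_id=" + parent_id + " ORDER BY id"
    return db.execute(sql).fetchall()


_UNSIGNED_INT = re.compile(r"[0-9]+")


def validate_input_number(value: str) -> int:
    """Whitelist check (hypothetical name, modelled on Cacti's numeric input
    validation): only a string of digits is accepted, everything else raises."""
    if not _UNSIGNED_INT.fullmatch(value):
        raise ValueError("request parameter is not an integer: %r" % (value,))
    return int(value)


def children_safe(db: sqlite3.Connection, parent_id: str):
    """Hardened pattern: validate first, then bind the integer as a parameter
    so the database never sees the request value as SQL text."""
    pid = validate_input_number(parent_id)
    return db.execute(
        "SELECT id, title FROM tree_items WHERE parent_id=? ORDER BY id", (pid,)
    ).fetchall()


def rejects(parent_id: str) -> bool:
    """True when the validator refuses the value (what a fixed tree.php would do)."""
    try:
        validate_input_number(parent_id)
    except ValueError:
        return True
    return False
```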
The issues are likely left-over configuration files from the previous installation, Herman. Config files are not overwritten if they have been altered from the packaged version. They're usually not removed either when uninstalling.

See in the spec here, %config(noreplace) in the %files section at the end:
https://svnweb.mageia.org/packages/updates/5/cacti/current/SPECS/cacti.spec?view=markup

Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory updated.
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
URL: (none) => http://lwn.net/Vulnerabilities/687864/
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0178.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED