Cacti 1.0.0 has been released on January 29, fixing some security issues: http://www.cacti.net/release_notes_1_0_0.php Besides the two CVEs, there's also an "OS Command Injection" bug fixed at least. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer
CC: (none) => marja11
Assignee: bugsquad => luis.daniel.lucio
Fedora has issued an advisory for this today (March 7), upgrading to 1.0.4: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXQSKIWLOIC43UIJWWXDT2AZYFZQW4GY/
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
CC: (none) => mageia
Status comment: (none) => CVE-2014-4000 CVE-2016-2313
1.1.14 fixes an XSS issue as well: https://www.cacti.net/release_notes.php?version=1.1.14
Depends on: (none) => 21242
Procedure in bug 13930. Advisory for upcoming update below.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

PHP Object Injection Vulnerabilities (CVE-2014-4000).

Accessing cacti using a user name not in the cacti database fills the log with database error messages and allows complete access to everything, including the user administration pages. The bug is in auth_login.php, which fails to check whether the query actually found any data (CVE-2016-2313).

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php (CVE-2017-10970).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable (CVE-2017-11163).

A cross-site scripting vulnerability exists in cacti before 1.1.14 in the user profile management page (auth_profile.php), allowing injection of arbitrary web script or HTML via specially crafted HTTP Referer headers (CVE-2017-11691).

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter (CVE-2017-12065).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable (CVE-2017-12066).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066
https://github.com/Cacti/cacti/blob/develop/README.md
https://www.cacti.net/changelog.php
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/
http://openwall.com/lists/oss-security/2017/07/27/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXQSKIWLOIC43UIJWWXDT2AZYFZQW4GY/
========================

Updated packages in core/updates_testing:
========================

cacti-1.1.16-1.mga5 from cacti-1.1.16-1.mga5.src.rpm
Whiteboard: (none) => has_procedure
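The advisory in Comment 4 describes CVE-2016-2313 as auth_login.php failing to check whether the user lookup actually found any data. The following is an added example, not code from Cacti or from this bug report: it models that defect and its fix in Python against a constructed in-memory user table. The table contents, the field names, the fetch_user_row() stand-in and the session shape are assumptions made for the example, not Cacti's schema or database API.

```python
"""Added example; not code from Cacti or from this bug report.

Models the CVE-2016-2313 pattern: a login step that resolves a user record
without checking that the lookup returned a row.  USERS, the field names and
fetch_user_row() are assumptions for this example, not Cacti's schema or API.
"""
from typing import Optional

# Constructed sample user table (assumption, not real Cacti data).
USERS = {
    "admin": {"id": 1, "realm": 0, "is_admin": True},
    "guest": {"id": 2, "realm": 0, "is_admin": False},
}


def fetch_user_row(username: str) -> dict:
    """Stand-in for a 'fetch one row' database call.  Like many PHP database
    wrappers it returns an empty result (here {}) when no row matches,
    rather than raising."""
    return dict(USERS.get(username, {}))


def vulnerable_session(username: str) -> dict:
    """Models the flawed flow.  The caller is assumed to have been
    authenticated already (the page does not say by which realm); this step
    only resolves the Cacti user record.  Nothing verifies that a record
    exists, so an unknown name still yields a logged-in session whose
    identity fields are all empty, and every later use of those fields is
    the kind of error that fills the log."""
    row = fetch_user_row(username)
    return {
        "user_id": row.get("id"),      # None for an unknown user
        "realm": row.get("realm"),
        "is_admin": row.get("is_admin"),
        "logged_in": True,
    }


def fixed_session(username: str) -> Optional[dict]:
    """Hardened flow: an empty result, or a row without a usable id, means
    no session at all.  Check the row before touching any of its fields."""
    row = fetch_user_row(username)
    if not row or row.get("id") is None:
        return None
    return {
        "user_id": row["id"],
        "realm": row["realm"],
        "is_admin": row["is_admin"],
        "logged_in": True,
    }


def session_is_usable(session: Optional[dict]) -> bool:
    """Defensive check a page handler can apply whichever login path
    produced the session: a logged-in session must carry a real user id.
    This rejects the empty-row session even where the login code itself
    is not fixed."""
    return (
        bool(session)
        and session.get("logged_in") is True
        and isinstance(session.get("user_id"), int)
    )
```

The point of session_is_usable() is that a check on the consumer side costs one line and catches the whole class of "authenticated but nobody" sessions, independent of how the login code evolves.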
Advisory, procedure, and package list in Comment 4.
Assignee: luis.daniel.lucio => qa-bugs
Depends on: (none) => 21565
Package rebuilt with a fix for CVE-2017-12927.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

PHP Object Injection Vulnerabilities (CVE-2014-4000).

Accessing cacti using a user name not in the cacti database fills the log with database error messages and allows complete access to everything, including the user administration pages. The bug is in auth_login.php, which fails to check whether the query actually found any data (CVE-2016-2313).

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php (CVE-2017-10970).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable (CVE-2017-11163).

A cross-site scripting vulnerability exists in cacti before 1.1.14 in the user profile management page (auth_profile.php), allowing injection of arbitrary web script or HTML via specially crafted HTTP Referer headers (CVE-2017-11691).

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter (CVE-2017-12065).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable (CVE-2017-12066).

Cross-site scripting vulnerability in cacti in spikekill.php via the method parameter (CVE-2017-12927).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12927
https://github.com/Cacti/cacti/blob/develop/README.md
https://www.cacti.net/changelog.php
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/
http://openwall.com/lists/oss-security/2017/07/27/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXQSKIWLOIC43UIJWWXDT2AZYFZQW4GY/
http://openwall.com/lists/oss-security/2017/08/18/8
========================

Updated packages in core/updates_testing:
========================

cacti-1.1.16-1.1.mga5 from cacti-1.1.16-1.1.mga5.src.rpm
Whiteboard: has_procedure => has_procedure advisory
CC: (none) => lewyssmith
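Three of the CVEs in the advisory above (CVE-2017-11163, CVE-2017-11691 and CVE-2017-12066) share one shape: an HTTP Referer header is copied into a $cancel_url variable and emitted into the page. The following is an added example, not code from Cacti or from this bug report: it models that sink in Python and applies two fixes together, validating that the Referer points back into the application and escaping it for the HTML attribute context. The application origin, the fallback URL, the link markup and the sample header values are assumptions constructed for the example.

```python
"""Added example; not code from Cacti or from this bug report.

Models a 'Referer -> cancel_url -> HTML' sink and a hardened version of it.
APP_ORIGIN, DEFAULT_CANCEL and the anchor markup are assumptions for this
example, not Cacti's real values.
"""
from html import escape
from urllib.parse import urlsplit

# Assumed deployment origin; the port must match exactly as deployed.
APP_ORIGIN = ("https", "cacti.example.org")
# Assumed known-good fallback target when the Referer is unusable.
DEFAULT_CANCEL = "/cacti/aggregate_graphs.php"


def cancel_link_vulnerable(referer: str) -> str:
    """The sink as the advisory describes it: the header value is dropped
    straight into markup, so a Referer such as
    "><script>alert(1)</script> closes the attribute and injects script."""
    cancel_url = referer or DEFAULT_CANCEL
    return f'<a href="{cancel_url}" class="ui-button">Cancel</a>'


def safe_cancel_url(referer: str) -> str:
    """Accept the Referer only if it is an absolute URL on our own origin or
    a bare absolute path; anything else falls back to DEFAULT_CANCEL.
    Parsing rather than prefix-matching rejects //evil.example/... and
    javascript: values as well as look-alike hosts."""
    if not referer:
        return DEFAULT_CANCEL
    parts = urlsplit(referer)
    if parts.scheme or parts.netloc:
        if (parts.scheme, parts.netloc) != APP_ORIGIN:
            return DEFAULT_CANCEL
    elif not parts.path.startswith("/"):
        return DEFAULT_CANCEL
    if not parts.path:
        return DEFAULT_CANCEL
    # Keep only path and query; the fragment never reaches the server anyway.
    return parts.path + (f"?{parts.query}" if parts.query else "")


def cancel_link_fixed(referer: str) -> str:
    """Validate first, then escape for the attribute context.  Escaping
    alone would stop markup injection but still let a foreign URL through
    as an open redirect target; validation alone would still let a quote
    inside a same-origin path break out of the attribute."""
    href = escape(safe_cancel_url(referer), quote=True)
    return f'<a href="{href}" class="ui-button">Cancel</a>'
```

Escaping on output is the fix that addresses the XSS itself; the origin check is the extra step that stops the same variable from doubling as an open redirect, and it is cheap because the application already knows the only place a cancel link should ever go.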
Trying M5/64

Having Cacti already installed & basically working, I updated directly to: cacti-1.1.16-2.mga5 [Note difference from Comment 6] and used the system for some time before trying: http://localhost/cacti/ which usually shows its login screen. Not this time. With Firefox, it just left the window blank. With Opera 12, it gave 'not found'.

So I reverted to: cacti-0.8.8f-1.5.mga5

# urpmi --downgrade cacti

and tried again; that worked. Updated once again to cacti-1.1.16-2.mga5, and that did *not* work - as indicated above.

Setting 'feedback'.
Whiteboard: has_procedure advisory => has_procedure advisory feedback
Confirm problem with new version. Found following in /var/log/httpd/error.log:

[Sun Aug 27 11:35:51.838542 2017] [:error] [pid 4483] [client 127.0.0.1:49110] PHP Parse error: syntax error, unexpected ''FATAL: Connection to Cacti da' (T_CONSTANT_ENCAPSED_STRING) in /usr/share/cacti/include/global.php on line 217
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #8) > Confirm problem with new version. Thanks Herman - and for the better information. I was going to ask on qa-discuss for a verification, as this seemed rather fundamental; no need now.
Moving 'advisory', 'has_procedure' and 'feedback' from whiteboard to keywords now that madb has been updated to handle those keywords.
Whiteboard: has_procedure advisory feedback => (none)
Keywords: (none) => advisory, feedback, has_procedure
Package installed but there is a bug in /usr/share/cacti/include/global.php. A "p" is missing at the start of line 217. Will attach patch.
CC: (none) => mageia
Created attachment 9815 [details] patch
Does that bug affect the Mageia 6 package? We're not going to push this update for Mageia 5. Mageia 6 is in Bug 21565.
After applying the patch the script worked and it was only a matter of doing the following steps.

1 - Edit the file /etc/cacti.conf and set password. Change the PASSWORD in the command to the password set in the config file. If more than the password is changed then the following commands may have to be adjusted accordingly.

2 - Create the database and user.
2.1 - mysqladmin -uroot -p create cacti
2.2 - mysql -uroot -p -e "grant all on cacti.* to 'cactiuser'@'localhost' identified by 'PASSWORD'"
2.3 - mysql -uroot -p -e "grant select on mysql.time_zone_name to 'cactiuser'@'localhost' identified by 'PASSWORD'"
2.4 - mysql -uroot -p cacti < /usr/share/cacti/sql/cacti.sql

3 - xdg-open http://localhost/cacti/

4 - Follow the setup wizard.

5 - If cacti complains about "MySQL TimeZone Support" error run the command at 5.1.
5.1 - mysql_tzinfo_to_sql /usr/share/zoneinfo/ | mysql -u root -p mysql

6 - Set "Cacti Log Path" to /usr/share/cacti/log/cacti.log

That did it for me.
(In reply to David Walser from comment #13) > Does that bug affect the Mageia 6 package? Don't know. > We're not going to push this update for Mageia 5. Then shouldn't this bug be closed as "WONTFIX"?
Please do check the Mageia 6 package, since this update candidate was based on it. I was planning to close this bug soon, but I only thought of it this week and have been too busy.
CC: lewyssmith => (none)
Last reminder to anyone who sees this to check and make sure the issue(s) affecting this package doesn't also affect Mageia 6. Closing now.
Status: NEW => RESOLVEDResolution: (none) => OLD