Fedora has issued an advisory on July 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/

Mageia 6 is also affected. Mageia 5 is not affected.

The issue is fixed upstream in this commit:
https://github.com/Cacti/cacti/commit/3381cba6a9e36b01ed0ab0acfd41b00487966cb5
Whiteboard: (none) => MGA6TOO
Also fixed in 1.1.13: https://www.cacti.net/release_notes.php?version=1.1.13
1.1.14 fixes an XSS issue as well:
https://www.cacti.net/release_notes.php?version=1.1.14

It has been assigned CVE-2017-11691:
http://openwall.com/lists/oss-security/2017/07/27/1

The upstream commit to fix that issue is linked in the message above.
Summary: cacti new security issue CVE-2017-10970 => cacti new security issues CVE-2017-10970 and CVE-2017-11691
1.1.16 has been released on July 29:
https://www.cacti.net/release_notes.php?version=1.1.16

Apparently it fixes CVE-2017-12065 and CVE-2017-12066.

Fedora has issued an advisory for this on August 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/
Summary: cacti new security issues CVE-2017-10970 and CVE-2017-11691 => cacti new security issues CVE-2017-10970, CVE-2017-11691, and CVE-2017-1206[56]
Severity: normal => critical
Apparently 1.1.13 also fixed CVE-2017-11163.

openSUSE has issued an advisory for this today (August 8):
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
Summary: cacti new security issues CVE-2017-10970, CVE-2017-11691, and CVE-2017-1206[56] => cacti new security issues CVE-2017-10970, CVE-2017-11163, CVE-2017-11691, and CVE-2017-1206[56]
fixed on cauldron
Version: Cauldron => 6
CC: (none) => mageia
Whiteboard: MGA6TOO => (none)
Pushed in updates_testing for mageia6 src.rpm: cacti-1.1.16-1.mga6
Assignee: luis.daniel.lucio => qa-bugs
Procedure in bug 13930.

Mageia 5 also needs to be updated. That can be handled in Bug 20211.

Advisory:
========================

Updated cacti package fixes security vulnerabilities:

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php (CVE-2017-10970).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable (CVE-2017-11163).

A cross-site scripting vulnerability exists in cacti before 1.1.14 in the user profile management page (auth_profile.php), allowing injection of arbitrary web script or HTML via specially crafted HTTP Referer headers (CVE-2017-11691).

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter (CVE-2017-12065).

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable (CVE-2017-12066).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066
https://www.cacti.net/changelog.php
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7MRJCGVNDLW7RCTYSL72XGP74PCMOIH2/
http://openwall.com/lists/oss-security/2017/07/27/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QN75M6HGIKEEX7HYFWHIO6IYDB5RXFP6/
https://lists.opensuse.org/opensuse-updates/2017-08/msg00018.html
========================

Updated packages in core/updates_testing:
========================

cacti-1.1.16-1.mga6 from cacti-1.1.16-1.mga6.src.rpm
Whiteboard: (none) => has_procedure
Blocks: (none) => 20211
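The advisory above names two input paths worth hardening in any PHP application: a cancel/back URL derived from the HTTP Referer header, and numeric request parameters that end up in further processing. The block below is an added example written for this thread; it is not Cacti's code and not the upstream fix for any of the listed CVEs. The function names, the default fallback URL, and the constructed sample requests are assumptions.

```php
<?php
declare(strict_types=1);
// Added example (not Cacti's own code): defensive handling of a
// Referer-derived cancel URL and of numeric request parameters.

/**
 * Build a cancel/back URL from the Referer header without trusting it.
 * Only a same-origin http(s) referrer is used, and only its path and
 * query survive; anything else falls back to $default. The result is
 * still escaped with html_out() when it is written into the page.
 */
function safe_cancel_url(array $server, string $default = 'index.php'): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return $default;
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host']) || empty($parts['path'])) {
        return $default;
    }
    // javascript:, data: and friends are never acceptable here.
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $default;
    }
    // The referrer must come from the host this request was served on.
    $ownHost = strtolower($server['HTTP_HOST'] ?? '');
    $refHost = strtolower($parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : ''));
    if ($ownHost === '' || $refHost !== $ownHost) {
        return $default;
    }
    // Keep a relative URL: path plus query, nothing from scheme or authority.
    $url = $parts['path'];
    if (isset($parts['query']) && $parts['query'] !== '') {
        $url .= '?' . $parts['query'];
    }
    // Reject protocol-relative paths ("//host") and any character outside a
    // conservative allowlist, so quotes and angle brackets never get through.
    if (strpos($url, '//') === 0 || preg_match('#^/?[A-Za-z0-9_./?=&%+-]*$#', $url) !== 1) {
        return $default;
    }
    return $url;
}

/** Escape a value for use in an HTML attribute or text node. */
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Validate a numeric request parameter. Returns the number, or null when
 * the value is absent or not a plain decimal literal, so the caller can
 * refuse the request instead of passing the raw string on.
 */
function numeric_param(array $request, string $name, bool $allowFloat = false): ?float
{
    if (!isset($request[$name]) || !is_string($request[$name])) {
        return null;
    }
    $pattern = $allowFloat ? '/^-?\d+(\.\d+)?$/' : '/^-?\d+$/';
    return preg_match($pattern, $request[$name]) === 1 ? (float) $request[$name] : null;
}

// Constructed sample requests (not captured traffic).
$samples = [
    ['HTTP_HOST' => 'cacti.example.test', 'HTTP_REFERER' => 'https://cacti.example.test/graph_view.php?action=tree'],
    ['HTTP_HOST' => 'cacti.example.test', 'HTTP_REFERER' => 'https://other.example.test/graph_view.php'],
    ['HTTP_HOST' => 'cacti.example.test', 'HTTP_REFERER' => 'https://cacti.example.test/a.php?x="><b>'],
    ['HTTP_HOST' => 'cacti.example.test'],
];
foreach ($samples as $s) {
    $url = safe_cancel_url($s, 'aggregate_graphs.php');
    echo '<a href="' . html_out($url) . '">Cancel</a>', PHP_EOL;
}

// Numeric parameters: a plain integer is accepted, anything else is refused.
var_dump(numeric_param(['avgnan' => '12'], 'avgnan'));
var_dump(numeric_param(['avgnan' => '12 extra'], 'avgnan'));
var_dump(numeric_param(['outlier-start' => '1.5'], 'outlier-start', true));
```

Run with `php example.php`. The first sample yields a same-origin relative link, the cross-host and quote-bearing samples fall back to the default, and the missing-Referer sample does too. The two defences are independent: the allowlist keeps hostile referrers out of the application's state, and `html_out()` guarantees that whatever is emitted cannot break out of the attribute even if the allowlist is later relaxed.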
pushed in mga5 too
Whiteboard: has_procedure => has_procedure advisory
Testing complete mga6 64 & validating

Bit of a pain to test. It requires tzdata installing in mysql and privileges granting to it for cacti. See:
https://github.com/Cacti/cacti/issues/361

Also password restrictions exist on the mysql user for cacti and cacti admin user after install, forcing complex passwords. Cacti reports one requirement at a time making you jump through hoops but it basically needs to be 8 characters with a mix of caps/non caps and one special character.

Appears to work ok, was able to produce empty graphs so didn't leave it running.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure advisory mga6-64-ok
Also requires more or less..

chown -R apache:apache /usr/share/cacti

..during installation
Oh, and a number in the password.
(In reply to claire robinson from comment #10)
> Also requires more or less..
> chown -R apache:apache /usr/share/cacti
>
> ..during installation

Sounds like something that should be fixed in the package. Something like:

-%{_datadir}/%{name}
+%attr(-,apache,apache) %{_datadir}/%{name}
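Review bot: the `+%attr(-,apache,apache) %{_datadir}/%{name}` line gives the web server user ownership of the entire install tree under /usr/share/cacti, PHP sources included, which is broader than a least-privilege fix needs; before applying it, identify the specific subdirectories the installer actually writes to and scope the %attr to those, which the follow-up comment already flags when it says /usr/share/cacti/* may be too much.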
Yeah, I'll create a bug for it. This was from the release version, presumably similar in this update though. /usr/share/cacti/* may be too much so will need to be checked more thoroughly by someone who knows it.
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0267.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED