A security issue fixed upstream in cacti has been announced:
http://openwall.com/lists/oss-security/2017/08/18/8

The commit that fixed the issue is linked in the message above.

The fix will be included in 1.1.18.

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Blocks: (none) => 20211
See also a bug in the package.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21525
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => luis.daniel.lucio
Pushed in updates_testing src.rpm:
cacti-1.1.16-1.1.mga6
cacti-1.1.16-1.1.mga5
Assignee: luis.daniel.lucio => qa-bugs
CC: (none) => mageia
Procedure in bug 13930.

Mageia 5 update is in Bug 20211.

Advisory:
========================

Updated cacti package fixes security vulnerability:

Cross-site scripting vulnerability in cacti in spikekill.php via the method parameter (CVE-2017-12927).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12927
http://openwall.com/lists/oss-security/2017/08/18/8
========================

Updated packages in core/updates_testing:
========================
cacti-1.1.16-1.1.mga6

from cacti-1.1.16-1.1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => has_procedure
See Also: https://bugs.mageia.org/show_bug.cgi?id=21525 => (none)
Blocks: (none) => 21525
Prior to testing M6 x64.

https://docs.cacti.net/manual:088:1_installation.1_install_unix covers various aspects of configuring Apache, PHP, MySQL/MariaDB.
https://docs.cacti.net/manual:088:1_installation.1_install_unix.5_install_and_configure_cacti has cacti config details.
https://bugs.mageia.org/show_bug.cgi?id=16202#c11 has a full setup procedure, but there is an important change: new MariaDB demands a much stiffer DB user password. Without finding the exact rules, I had to go from 'cactiuser' as far as 'cactiuser-Mageia6' before it worked.

Recapitulation follows:

* Our config file is /etc/cacti.conf, in which the important pre-configured DB details are:
    $database_type = 'mysql';
    $database_default = 'cacti';
    $database_hostname = 'localhost';
    $database_username = 'cactiuser';
    $database_password = 'cactiuser';   *** Change this ***

* Create the Cacti database:
    $ mysqladmin -u root -p create cacti

* Populate it:
    $ mysql -p cacti < /usr/share/cacti/sql/cacti.sql
  This takes a looong time.

* Create Cacti user with its DB password:
    $ mysql -u root -p
    mysql> GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY '<DBpassword>';
    mysql> flush privileges;
    mysql> quit;

Normally, http://localhost/cacti should launch you. This time I got "not found, 404". There is nothing Cacti in /var/www[/html]. To pursue. The MariaDB side looks all present & correct.
CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure advisory
There typically isn't anything in /var/www/html. You'd have to look in /etc/httpd/conf.d and there should be a cacti file in there that would tell you the Alias, which gives you the last part of the URL and where on the filesystem the files it serves are located.
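The lookup described in the comment above, as an added example that is not part of the bug report or of the Mageia cacti package: shell functions that pull the Alias directives out of the httpd conf.d snippets, resolve a URL path such as /cacti to the directory Apache serves it from, and check that the directory exists and who owns it. The function names (alias_map, alias_check), the HTTPD_USER variable and the default locations (/etc/httpd/conf.d/*.conf, user "apache") are assumptions of this example; the sample conf used below is constructed, not taken from the package.

```shell
#!/bin/sh
# Added example: locate the Apache Alias behind a URL path and check the
# directory it maps to. Not code from the bug report or from the cacti package.
# Assumptions: conf snippets live in /etc/httpd/conf.d/*.conf, the httpd user
# is "apache", and Alias lines have the usual "Alias /url /path" form
# (the filesystem path may be double-quoted).

HTTPD_USER=${HTTPD_USER:-apache}

# Print "url-path fs-path" for every Alias directive in the given conf files.
# Lines commented out with '#' are skipped (the regex is anchored at line
# start), AliasMatch is not picked up (Alias must be followed by whitespace),
# and surrounding double quotes are removed.
alias_map() {
    sed -n -e 's/^[[:space:]]*Alias[[:space:]]\{1,\}//p' "$@" \
        | sed 's/"//g' \
        | awk '{print $1, $2}'
}

# alias_check URL [conf-file ...]
# Resolve URL to its directory, print the mapping, and report problems that
# commonly produce a 404 (no Alias at all, directory missing) or a permission
# failure (directory not owned by the httpd user; only a warning, since a
# readable directory owned by root is also fine).
# Returns 0 on success, 1 when no Alias matches, 2 when the directory is absent.
alias_check() {
    url=$1
    shift
    [ $# -gt 0 ] || set -- /etc/httpd/conf.d/*.conf
    dir=$(alias_map "$@" | awk -v u="$url" '$1 == u { print $2; exit }')
    [ -n "$dir" ] || { echo "no Alias for $url in: $*" >&2; return 1; }
    echo "$url -> $dir"
    [ -d "$dir" ] || { echo "$dir does not exist" >&2; return 2; }
    owner=$(ls -ld "$dir" | awk '{print $3}')
    [ "$owner" = "$HTTPD_USER" ] \
        || echo "warning: $dir is owned by $owner, not $HTTPD_USER" >&2
    return 0
}

# Stand-alone use: ./alias_check.sh /cacti [conf files...]
[ -n "${1:-}" ] && alias_check "$@"
```

Run it as `alias_check /cacti` on the test machine; if it prints "no Alias", the package did not ship a conf.d snippet (or shipped it under another name), which is exactly the situation that yields a 404 regardless of the DB setup.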
Continuation of comment 5, M6/64 setup:

> Normally, http://localhost/cacti should launch you.
> This time I got "not found, 404".

Claire to the rescue! Bug 21242 comments 9-11-10 + https://github.com/Cacti/cacti/issues/361

* Make http://localhost/cacti work:
    # chown -R apache:apache /usr/share/cacti
  and on first use, it shows the installation page, not login. But before proceeding, finish the DB setup as follows:

* The enhanced DB user password "needs to be 8 characters with a mix of caps/non caps and one special character ... and a number in the password", so 'cactiuser-M6' would have sufficed.

* Add timezone table to MariaDB:
    $ cd /usr/share/mysql
    $ mysql -u root -p mysql < mysql_test_data_timezone.sql
    $ cd

* Grant access to the timezone table to Cacti (once cactiuser defined):
    $ mysql -u root -p mysql
    MariaDB [mysql]> GRANT SELECT ON mysql.time_zone_name TO cactiuser@localhost;
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [mysql]> flush privileges;
    Query OK, 0 rows affected (0.00 sec)

Now the Cacti setup:
"The following PHP extensions are recommended, and should be installed before continuing your Cacti install. gmp optional NOT installed" [presumably can add it later]
There were lots of things in red, but I left the original values. Chose the default "New Primary Server" installation.

"Spine Binary File Location: The path to Spine binary."
/usr/local/spine/bin/spine is shown wrong, & not in /etc/cacti.conf. I could not find a 'spine' binary anywhere, and it is not provided:
    $ urpmq -l cacti | grep spine
    /usr/share/cacti/docs/html/unix_configure_spine.html
    /usr/share/cacti/docs/html/using_spine.html
so left it wrong.

"Cacti Log Path: The path to your Cacti log file."
/usr/share/cacti/log/cacti.log was marked wrong, & not in /etc/cacti.conf. I found the log file in /var/log/cacti/cacti.log so substituted that. Needed Next/Previous for the change to be noted. However, the next page said "/usr/share/cacti/log is Not Writable", and had to leave that.

Clicked on the "Template Setup" page 'Local Linux Machine', but nothing seemed to happen. Finish -> Login page. Use admin/admin initially. It then immediately asks for a new password (for admin); type and *note* it! At last logged in.
------------------
But I cannot create anything. I seem to have lost all templates along the way. Trying to re-do the install says it is already up to date. Stalled...
MGA6-32 on Asus A6000VM MATE

No installation issues.

Using phpmyadmin created database cacti, user cactiuser, then at CLI:
    # mysql -p cacti < /usr/share/cacti/sql/cacti.sql
    Enter password:
OK

Checked that /usr/share/cacti is owned by apache: OK

    # mysql -u root -p
    Enter password:
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 184
    Server version: 10.1.26-MariaDB Mageia MariaDB Server

    Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY 'cactiuser_M6';
    Query OK, 0 rows affected (0.02 sec)

    MariaDB [(none)]> flush privileges;
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [(none)]> quit
    Bye

Made sure /etc/cacti.conf has correct password.

    # cd /usr/share/mysql/
    # mysql -u root -p mysql < mysql_test_data_timezone.sql
    Enter password:
OK

    # mysql -u root -p
    Enter password:
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 186
    Server version: 10.1.26-MariaDB Mageia MariaDB Server

    Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> GRANT SELECT ON mysql.time_zone_name TO cactiuser@localhost;
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [(none)]> flush privileges;
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [(none)]> quit
    Bye

Just to test that the cactiuser connects OK:
    # mysql -u cactiuser -p
    Enter password:
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 187
    Server version: 10.1.26-MariaDB Mageia MariaDB Server

    Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> quit

Then browser to http://localhost/cacti
result: 404
CC: (none) => herman.viaene
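The MariaDB part of the setup that comments 5, 7 and 8 walk through by hand, as an added example that is not part of the bug report or of the Mageia cacti package. It checks a candidate DB password against the rule quoted in comment 7 (at least 8 characters, upper and lower case, a digit and a special character) before anything is created, emits the GRANT statements with the password quoted safely, loads the schema and the timezone table, and verifies the new account can read mysql.time_zone_name. The function names (cacti_db_password_ok, cacti_grant_sql, cacti_db_setup) are this example's own; the paths are the ones used in the thread. The password rule is the one quoted by the tester, not a reimplementation of MariaDB's own password plugin, so a password that passes here can still be refused by a server configured more strictly.

```shell
#!/bin/sh
# Added example: helpers for the MariaDB side of the Mageia cacti setup.
# Not code from the bug report or from the cacti package.
# Assumptions: mysql/mysqladmin clients on PATH, schema at
# /usr/share/cacti/sql/cacti.sql, timezone dump at
# /usr/share/mysql/mysql_test_data_timezone.sql (paths as used in the thread).

# Password rule as quoted in comment 7: >= 8 chars, upper and lower case,
# a digit and a special character. Returns 0 when satisfied, 1 otherwise.
# (This mirrors the quoted rule only; the server's own plugin may be stricter.)
cacti_db_password_ok() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac
    case $pw in *[a-z]*) ;; *) return 1 ;; esac
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
    return 0
}

# Emit the SQL for the cacti DB user: full rights on cacti.*, read access to
# the timezone table, and a privilege flush. Backslashes and single quotes in
# the password are escaped so the string literal cannot break out of the quotes.
cacti_grant_sql() {
    user=$1
    pw=$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    cat <<EOF
GRANT ALL ON cacti.* TO '${user}'@'localhost' IDENTIFIED BY '${pw}';
GRANT SELECT ON mysql.time_zone_name TO '${user}'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# cacti_db_setup [user] password
# Run as root; each mysql call prompts for the MariaDB root password, as in
# the thread. Refuses a password that fails the rule up front instead of
# failing opaquely at the GRANT. The final check logs in as the new user via a
# mode-600 defaults file so the password never appears on a command line.
cacti_db_setup() {
    if [ $# -ge 2 ]; then user=$1; pw=$2; else user=cactiuser; pw=$1; fi
    cacti_db_password_ok "$pw" \
        || { echo "password does not meet the quoted policy" >&2; return 1; }
    mysqladmin -u root -p create cacti || return 1
    mysql -u root -p cacti < /usr/share/cacti/sql/cacti.sql || return 1
    mysql -u root -p mysql < /usr/share/mysql/mysql_test_data_timezone.sql || return 1
    cacti_grant_sql "$user" "$pw" | mysql -u root -p || return 1
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pw" > "$tmp"
    mysql --defaults-extra-file="$tmp" cacti \
        -e 'SELECT COUNT(*) AS timezone_rows FROM mysql.time_zone_name;'
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone use: ./cacti_db_setup.sh [user] password
[ -n "${1:-}" ] && cacti_db_setup "$@"
```

The value chosen here must then be copied into $database_password in /etc/cacti.conf; the verification query at the end is the same access the Cacti installer needs, so a zero row count or a login failure points at the timezone table or the grants respectively.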
Fedora has issued an advisory today (August 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HANMMOMPF4H7JQO4Q5SC6RJLTMMB3KEG/

It fixes an additional security issue, CVE-2017-12928.

We should fix that as well here (and in the Mageia 5 update).
Summary: cacti new security issue CVE-2017-12927 => cacti new security issues CVE-2017-12927 and CVE-2017-12928
Whiteboard: has_procedure advisory => has_procedure advisory feedback
Re Comment 9, are we to expect a new update?
(In reply to Lewis Smith from comment #10) > Re Comment 9, are we to expect a new update? Yes.
Whiteboard: has_procedure advisory feedback => (none)
Keywords: (none) => advisory, feedback, has_procedure
(In reply to David Walser from comment #9)
> Fedora has issued an advisory today (August 31):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HANMMOMPF4H7JQO4Q5SC6RJLTMMB3KEG/
>
> It fixes an additional security issue, CVE-2017-12928.

Oops, it's CVE-2017-12978.
Summary: cacti new security issues CVE-2017-12927 and CVE-2017-12928 => cacti new security issues CVE-2017-12927 and CVE-2017-12978
openSUSE has issued an advisory on October 19:
https://lists.opensuse.org/opensuse-updates/2017-10/msg00064.html

The issue is fixed in 1.1.26.
Summary: cacti new security issues CVE-2017-12927 and CVE-2017-12978 => cacti new security issues CVE-2017-12927, CVE-2017-12978, and CVE-2017-15194
Assignee: qa-bugs => mageia
CC: (none) => qa-bugs
openSUSE has issued an advisory on November 23:
https://lists.opensuse.org/opensuse-updates/2017-11/msg00063.html

Additional security issues were fixed in 1.1.28.
Summary: cacti new security issues CVE-2017-12927, CVE-2017-12978, and CVE-2017-15194 => cacti new security issues CVE-2017-12927, CVE-2017-12978, CVE-2017-15194, CVE-2017-16641, CVE-2017-1666[01], CVE-2017-16785
Fedora has issued an advisory for this on November 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PC53RVBG7WGJIFIW666YKMWG2BGXCXBJ/
Status comment: (none) => 404 issue in update candidate, should be updated again
Cacti 1.1.37 has been released on March 25:
https://www.cacti.net/release_notes.php?version=1.1.37

I see there's XSS issues fixed, so it should be updated to at least that version.
Whiteboard: (none) => MGA6TOO
Version: 6 => Cauldron
(In reply to David Walser from comment #16)
> Cacti 1.1.37 has been released on March 25:
> https://www.cacti.net/release_notes.php?version=1.1.37
>
> I see there's XSS issues fixed, so it should be updated to at least that
> version.

openSUSE has issued an advisory for this on March 29:
https://lists.opensuse.org/opensuse-updates/2018-03/msg00108.html
Dropped in Cauldron.
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Mageia 6 is EOL.
Resolution: (none) => OLD
CC: (none) => mrambo
Status: NEW => RESOLVED