openSUSE-SU-2020:1106-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2020:1106-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/openSUSE-SU-2020:1106-1
- Related
- Published
- 2020-07-27T21:28:47Z
- Modified
- 2020-07-27T21:28:47Z
- Summary
- Security update for cacti, cacti-spine
- Details
-
This update for cacti, cacti-spine fixes the following issues:
cacti 1.2.13:
- Query XSS vulnerabilities require vendor package update (CVE-2020-11022 / CVE-2020-11023)
- Lack of escaping on some pages can lead to XSS exposure
- Update PHPMailer to 6.1.6 (CVE-2020-13625)
- SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295, boo#1173090)
- Lack of escaping on template import can lead to XSS exposure
switch from cron to systemd timers (boo#1115436):
- cacti-cron.timer
- cacti-cron.service
- avoid potential root escalation on systems with fs.protected_hardlinks=0 (boo#1154087): handle directory permissions in file section instead of using chown during post installation
- rewrote apache configuration to get rid of .htaccess files and explicitely disable directory permissions per default (only allow a limited, well-known set of directories)
This update was imported from the openSUSE:Leap:15.1:Update update project.
- References
-
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4IXKYESUUIOBHBKL32YKWOWHSJKS7RN3/
- https://bugzilla.suse.com/1115436
- https://bugzilla.suse.com/1154087
- https://bugzilla.suse.com/1173090
- https://www.suse.com/security/cve/CVE-2020-11022
- https://www.suse.com/security/cve/CVE-2020-11023
- https://www.suse.com/security/cve/CVE-2020-13625
- https://www.suse.com/security/cve/CVE-2020-14295
Affected packages
SUSE:Package Hub 15 SP1 / cacti
Package
- Name
- cacti
- Purl
- purl:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP1