openSUSE-SU-2023:0275-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2023:0275-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2023:0275-1
Published
2023-09-26T13:31:33Z
Modified
2023-09-26T13:31:33Z
Summary
Security update for cacti, cacti-spine
Details

This update for cacti, cacti-spine fixes the following issues:

cacti-spine 1.2.25:

  • Spine should see if script to be executed is executable
  • Enhance number recognition
  • When polling devices, sort by larger number of items first
  • Log format may be corrupted when timeout occurs
  • Compile warning appears due to GCC flag on RHEL7/RHEL8
  • Downed device detection only checks one of the two uptime OIDs
  • Compile error appears due to execinfo.h on FreeBSD
  • Bootstrap shell script contains some PHP cruft
  • Padding is not always removed from the start of non-numeric strings
  • Improve SNMP result handling for non-numeric results
  • Further improve SNMP result handling for non-numeric results
  • Remove check for the max_oids column which has been present since Cacti v1.0
  • Minimize Sorting when fetching poller records for maximum performance

cacti-spine 1.2.24:

  • Fix segfault when ignoring older OIDs

cacti 1.2.25:

  • CVE-2023-30534: Protect against Insecure deserialization of filter data (boo#1215082)
  • CVE-2023-39360: Cross-Site Scripting vulnerability when creating new graphs (boo#1215044)
  • CVE-2023-39361: Unauthenticated SQL Injection when viewing graphs (boo#1215045)
  • CVE-2023-39357: SQL Injection when saving data with sql_save() (boo#1215040)
  • CVE-2023-39362: Authenticated command injection when using SNMP options (boo#1215047)
  • CVE-2023-39359: Authenticated SQL injection vulnerability when managing graphs (boo#1215043)
  • CVE-2023-39358: Authenticated SQL injection vulnerability when managing reports (boo#1215042)
  • CVE-2023-39365: SQL Injection when using regular expressions (boo#1215051)
  • CVE-2023-39364: Open redirect in change password functionality (boo#1215050)
  • CVE-2023-39366: Cross-Site Scripting vulnerability with Device Name when managing Data Sources (boo#1215052)
  • CVE-2023-39510: Cross-Site Scripting vulnerability with Device Name when administrating Reports (boo#1215053)
  • CVE-2023-39511: Cross-Site Scripting vulnerability with Device Name when editing Graphs whilst managing Reports (boo#1215081)
  • CVE-2023-39512: Cross-Site Scripting vulnerability with Device Name when managing Data Sources (boo#1215054)
  • CVE-2023-39513: Cross-Site Scripting vulnerability with Device Name when debugging data queries (boo#1215055)
  • CVE-2023-39514: Cross-Site Scripting vulnerability with Data Source Name when managing Graphs (boo#1215056)
  • CVE-2023-39515: Cross-Site Scripting vulnerability with Data Source Name when debugging Data Queries (boo#1215058)
  • CVE-2023-39516: Cross-Site Scripting vulnerability with Data Source Information when managing Data Sources (boo#1215059)
  • When rebuilding the Poller Cache from command line, allow it to be multi-threaded
  • When searching tree or list views, the URL does not update after changes
  • When creating a Data Source Template with a specific snmp port, the port is not always applied
  • When a Data Query references a file, the filename should be trimmed to remove spurious spaces
  • THold plugin may not always install or upgrade properly
  • RRD file structures are not always updated properly, if there are more Data Sources in the Data Template than the Graph Template
  • When reindexing devices, errors may sometimes be shown
  • Boost may lose data when the database server is overloaded
  • Boost can sometimes output unexpected or invalid values
  • Boost should not attempt to start if there are no items to process
  • Rebuilding the poller cache does not always work as expected
  • Host CPU items may not poll as expected when on a remote data collector where hmib is also enabled
  • When creating new graphs, invalid offset errors may be generated
  • When importing packages, SQL errors may be generated
  • When managing plugins from command line, the --plugin option is not properly handled
  • When automating an install of Cacti, error messages can appear
  • When performing automated install of a plugin, warnings can be thrown
  • Automation references the wrong table name causing errors
  • Data Source Info Mode produces invalid recommendations
  • Data Source Debug 'Run All' generates too many log messages
  • The description of rebuild poller cache in utilities does not display properly
  • When reindexing a device, debug information may not always display properly
  • Upon displaying a form with errors, the session error fields variable isn't cleared
  • MariaDB clusters will no longer support exclusive locks
  • RRDtool can fail to update when sources in Data Template and Graph Template data sources do not match
  • Compatibility improvements for Boost under PHP 8.x
  • When searching the tree, increase the time before querying for items
  • Device Location drop down does not always populate correctly
  • When viewing Realtime graphs, undefined variable errors may be reported
  • SNMP Uptime is not always ignored for spikekills
  • Improve detection of downed Devices
  • When reporting missing functions from Plugins, ensure messages do not occur too often
  • When starting the Cacti daemon, database errors may be reported when there is no problem
  • When reporting from RRDcheck, ensure prefix is in the correct casing
  • Improve Orphaned Data Source options and display
  • Parsing the PHP Configuration may sometimes produce errors
  • Security processes attempt to check for a user lockout even if there is no user logged in
  • When attempting to edit a tree, the search filter for Graphs remains disabled
  • When reindexing, a Data Source that could be un-orphaned may not always be unorphaned
  • When parsing a date value, there could be more than 30 chars
  • Untemplated Data Sources can fail to update due to lack of an assigned Graph
  • When processing items to check, do not include disabled hosts
  • When saving a Data Source Template, SQL errors may be reported
  • When importing a Template, errors may be recorded
  • Some display strings have invalid formatting that cannot be parsed
  • When filtering with regular expressions, the 'does not match' option does not always function as expected
  • When enabling a plugin, sometimes it can appear as if nothing happens
  • Ensure the Rows Per Page option shows limitations set by configuration
  • Plugins are unable to modify fields in the setting 'Change Device Settings'
  • When reporting emails being sent, ensure BCC addresses are also included
  • Improve compatibility of SNMP class trim handling under PHP 8.x
  • When importing legacy Data Query Templates, the Template can become unusable
  • Provide ability to raise an event when extending the settings form
  • Prevent unsupported SQL Mode flags from being set
  • The DSStats summary does not always display expected values
  • When performing a fresh install, device classification may be missing
  • Duplication functions for Graph/Template and Data Source/Template do not return an id
  • Duplication of Device Templates should be an API call
  • Unable to convert database to latin1 instead of utf8 if desired
  • When creating Graphs, the process may become slower over time as more items exist
  • When a bulk walk size is set to automatic, this is not always set to the optimal value
  • Update copyright notice on import packages
  • When viewing Orphan Graphs, SQL errors may be reported
  • When reindexing hosts from command line, ensure only one process runs at once
  • When a Data Query has no Graphs, it may not be deletable
  • When duplicating a Graph Template, provide an option to not duplicate Data Query association
  • When duplicating a Data Template errors can appear in the Cacti log
  • When importing a Package, previewing makes unexpected changes to Cacti Templates
  • When enabling boost on a fresh install, an error may be reported
  • Improve compatibility for backtrace logging under PHP 8.x
  • Improve compatibility for Advanced Ping under PHP 8.x
  • Provide new templates for Fortigate and Aruba Cluster to be available during install
  • Provide new template for SNMP Printer to be available during install
  • When importing devices, allow a device classification to be known
  • Extend length of maximum name in settings table
  • Extend length of maximum name in user settings table
  • Data Queries do not have a Duplication function
  • Upgrade d3.js to v7.8.2 and billboard.js to v3.7.4
  • Upgrade ua-parser.js to version 1.0.35
  • Update Cisco Device Template to include HSRP graph template
  • New hook for device template change 'devicetemplatechange'

cacti 1.2.24:

  • Fix: Unable to import Local Linux Machine template
  • Fix multiple charting and display issues
  • Compatibility changes for SNMP under PHP 8.2, and other PHP compatibility updates
  • Fix multiple issues editing settings
  • Timeout fixes for Basic Auth
  • Multiple data poller bug fixes
References

Affected packages

SUSE:Package Hub 12 / cacti

Package

Name
cacti
Purl
pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.25-bp155.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.25-bp155.2.3.1",
            "cacti-spine": "1.2.25-bp155.2.3.1"
        }
    ]
}

SUSE:Package Hub 12 / cacti-spine

Package

Name
cacti-spine
Purl
pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.25-bp155.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.25-bp155.2.3.1",
            "cacti-spine": "1.2.25-bp155.2.3.1"
        }
    ]
}

SUSE:Package Hub 15 SP4 / cacti

Package

Name
cacti
Purl
pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.25-bp155.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.25-bp155.2.3.1",
            "cacti-spine": "1.2.25-bp155.2.3.1"
        }
    ]
}

SUSE:Package Hub 15 SP4 / cacti-spine

Package

Name
cacti-spine
Purl
pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.25-bp155.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.25-bp155.2.3.1",
            "cacti-spine": "1.2.25-bp155.2.3.1"
        }
    ]
}

SUSE:Package Hub 15 SP5 / cacti

Package

Name
cacti
Purl
pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.25-bp155.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.25-bp155.2.3.1",
            "cacti-spine": "1.2.25-bp155.2.3.1"
        }
    ]
}

SUSE:Package Hub 15 SP5 / cacti-spine

Package

Name
cacti-spine
Purl
pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.25-bp155.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.25-bp155.2.3.1",
            "cacti-spine": "1.2.25-bp155.2.3.1"
        }
    ]
}

openSUSE:Leap 15.4 / cacti

Package

Name
cacti
Purl
pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.25-bp155.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.25-bp155.2.3.1",
            "cacti-spine": "1.2.25-bp155.2.3.1"
        }
    ]
}

openSUSE:Leap 15.4 / cacti-spine

Package

Name
cacti-spine
Purl
pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.25-bp155.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.25-bp155.2.3.1",
            "cacti-spine": "1.2.25-bp155.2.3.1"
        }
    ]
}

openSUSE:Leap 15.5 / cacti

Package

Name
cacti
Purl
pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.25-bp155.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.25-bp155.2.3.1",
            "cacti-spine": "1.2.25-bp155.2.3.1"
        }
    ]
}

openSUSE:Leap 15.5 / cacti-spine

Package

Name
cacti-spine
Purl
pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.25-bp155.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.25-bp155.2.3.1",
            "cacti-spine": "1.2.25-bp155.2.3.1"
        }
    ]
}
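Every affected range above is "introduced 0, fixed 1.2.25-bp155.2.3.1", so the only question for a host is whether its installed cacti and cacti-spine RPMs sort below that EVR under rpm's ordering. Plain string or dotted-number comparison gets this wrong (the release tag bp155.2.3.1 mixes letters and numbers, and "1.10" must sort after "1.9"). The following Python is an added example, not code from the OSV page, SUSE or the Cacti project: it re-implements rpm's rpmvercmp ordering, including the ~ and ^ separators, and applies it to the advisory's fixed versions. The installed EVRs in SAMPLE_INSTALLED are constructed values; on a real host you would feed it the output of `rpm -q --qf '%{NAME} %{EVR}\n' cacti cacti-spine` instead.

```python
"""Check installed cacti / cacti-spine RPMs against the fixed versions in
openSUSE-SU-2023:0275-1.

Added example: not code from the OSV page, SUSE or the Cacti project.
rpm's version ordering (rpmvercmp) is re-implemented so the check runs
without librpm; the installed EVRs below are constructed samples, not
output captured from a real host.
"""
import re
from typing import Dict, List, Tuple


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings as rpm does; returns -1, 0 or 1.

    Digit runs compare numerically, letter runs as strings, and a digit run
    is newer than a letter run. '~' sorts before the end of the string
    (pre-release); '^' sorts after the end of the string but before any
    other segment (post-release snapshot). Other characters are separators.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum() and a[i] not in "~^":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        m1, m2 = re.match(pat, a[i:]), re.match(pat, b[j:])
        seg1 = m1.group(0) if m1 else ""
        seg2 = m2.group(0) if m2 else ""
        if not seg1:
            return -1
        if not seg2:                    # digit run vs letter run
            return 1 if isnum else -1
        i, j = i + len(seg1), j + len(seg2)
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):  # more digits means a larger number
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        head, evr = evr.split(":", 1)
        epoch = int(head)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release.
    A bare version (no release) is compared on epoch and version only."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc or not (ra and rb):
        return rc
    return rpmvercmp(ra, rb)


# Fixed binaries as listed in the advisory's "Ecosystem specific" block.
FIXED: Dict[str, str] = {
    "cacti": "1.2.25-bp155.2.3.1",
    "cacti-spine": "1.2.25-bp155.2.3.1",
}

# Constructed sample of what `rpm -q --qf '%{NAME} %{EVR}\n'` might report.
SAMPLE_INSTALLED: Dict[str, str] = {
    "cacti": "1.2.24-bp155.1.6",
    "cacti-spine": "1.2.25-bp155.2.3.1",
}


def vulnerable_packages(installed: Dict[str, str],
                        fixed: Dict[str, str] = FIXED) -> List[str]:
    """Names of installed packages whose EVR sorts below the fixed EVR.
    The advisory's 'introduced 0' means every earlier build is affected."""
    return [name for name, evr in installed.items()
            if name in fixed and evrcmp(evr, fixed[name]) < 0]


if __name__ == "__main__":
    for name in vulnerable_packages(SAMPLE_INSTALLED):
        print(f"{name} {SAMPLE_INSTALLED[name]} is below {FIXED[name]}: update")
```

The release tag matters as much as the version: a build labelled 1.2.25 with an older distribution release string still sorts below 1.2.25-bp155.2.3.1, which is why the comparison keeps epoch, version and release separate instead of matching on "1.2.25" alone.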