FFe: Sync cacti 0.8.7g-1 (universe) from Debian unstable (main)

Bug #646909 reported by Jamie Strandboge
Affects: cacti (Ubuntu) | Status: Fix Released | Importance: Wishlist | Assigned to: Unassigned | Milestone: none

Bug Description

Please sync cacti 0.8.7g-1 (universe) from Debian unstable (main).

Explanation of FeatureFreeze exception:
This fixes the following CVEs: CVE-2009-4032, CVE-2010-1644, CVE-2010-1645,
CVE-2010-2543, CVE-2010-2544, and CVE-2010-2545. From
http://www.cacti.net/changelog.php:

0.8.7g
bug: RRDTool 1.4.x not recognized during installation
bug: Implement windows-aware shell escaping
bug: Fixed multiple cross site scripting vulnerabilities reported by Tomas Hoger of the Red Hat Security Response Team
bug#0001292: Over 8TByte Partition in Windows can't get correct data from snmp
bug#0001486: Unable to login after redirection to access denied page
bug#0001516: "Show the page that user pointed their browser" does not seem to work
bug#0001561: Overzealous HTML escaping on filter strings
bug#0001575: LDAP authentication does not work due to ldap_host being set incorrectly
bug#0001587: Feature from bug#0001271 breaks on large values
bug#0001607: Web Basic authentication does not work with fastcgi
bug#0001620: Max OID's max value reported incorrectly in Web UI
bug#0001747: oid_suffix do not work correctly for input direction on data queries
bug#0001756: Alternate font styles do not work correctly
bug#0001763: Unable to add graph permissions on a user
bug#0001757: LDAP realm authentication outputs warning for undefined index
bug#0001765: Tech support does not work correctly with RRDTool 1.4.x
bug#0001766: Page refresh setting not being honored
bug#0001771: "index count changed" not implemented for query_unix_partitions.pl, query_host_partitions.pl, query_cpu_partitions.pl, ss_host_cpu.php and ss_host_disk.php
bug#0001773: Character encoding problem after upgrade to 0.8.7f
bug#0001775: Tech support page does account for no memory limit set for PHP
bug#0001776: Simultaneous databases connections are not supported

0.8.7f
security: SQL injection and shell escaping issues reported by Bonsai Information Security (http://www.bonsai-sec.com)
security: Cross-site scripting issues reported by VUPEN Security (http://www.vupen.com)
security: MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability (http://php-security.org)
bug#0001125: XML parse error on template import with degree symbol
bug#0001311: Access denied for graph-only users when accessing index.php directly
bug#0001366: Exported data templates do not import special characters properly
bug#0001416: Graph Export fails with EXPORT FATAL ERROR: Export path /some/path/root/export is within a system path /root. Can not continue.
bug#0001452: Missing "<" and ">" in "Collection Methods=>Data Input Methods=>"Input String" after importing template
bug#0001461: Data query export/import fails
bug#0001492: RRDTool 1.3 series fonts (fontconfig) support
bug#0001506: Reindexing fails due to global include issue in lib/snmp.php
bug#0001522: Special characters break parsing of template data
bug#0001524: Export graphs and Classical Presentation does not honor per graph export rules
bug#0001528: ICMP Ping availability broken in UI for Windows Servers using IIS
bug#0001535: No display of parent ID in tree nodes for CLI tree add script
bug#0001543: All graphs are exported despite graph export rules
bug#0001549: Function array_to_sql_or creates poor sql where clauses
bug#0001557: Quotes in Text Format graph template field break graph rendering
bug#0001587: 64bit HEX Strings don't convert to Decimal on 32bit Systems
bug#0001604: HEX Counter values enclosed in quotes not recognized as HEX
bug#0001609: Script server timeout too aggressive with 10 second poller interval
bug#0001628: Inconsistent message for Change SNMP Options related to available buttons
bug#0001695: Suppress deprecated warnings in Cacti code
bug#0001725: PHP Fatal Error while trying to add a tree node via cli
bug: When creating new graphs without a data source, print error to user instead of throwing php error
bug: Browser query string does not contain arguments
bug: Function inject_form_variables does not operate if more than 1 variable needs replacing
bug: Script imposed memory limits cause issues with some scripts
bug: Turn off process leveling if there are not enough poller items to substantiate it
bug: Add device should allow no-snmp type devices
bug: Firefox Autocomplete causes issues with password validation
bug: Access Denied messages don't allow re-direction to login page
bug: When clearing filter on new-graphs don't clear host or template
bug: When clearing filter, reset page to 1 for all queries
bug: Graph List selectors do not persist between pages
bug: allow empty [upper|lower]_limit even without autoscaling
bug: Availability method Ping or SNMP generates meaningless warnings
feature: Add logging to SQL Save error handling
feature: Add utility to convert database to InnoDB
feature: Return nav as the title for the page
feature: Detect and correct for RRDtool segfaults
feature: Add rra_id for hosts and graphs to be used during tree export
feature: Make the Graphs pages render like the rest of Cacti
feature: Convert base Cacti UI to use buttons and not images
feature: Make poller sane so that it can be used by other cacti processes
feature: Add snmp timeout warnings for lib/snmp.php

Changelog entries since current maverick version 0.8.7e-4:

cacti (0.8.7g-1) unstable; urgency=low

  * New upstream release (Closes: #592465).
  * Update context in 05_no-adodb.patch to remove fuzz.
  * Remove "official" patches from previous release.
  * Remove 563955_undefined_index_local_data_id.patch, incorporated upstream.
  * Remove CVE-2010-2092.patch, incorporated upstream.
  * Import new batch of "official" upstream patches.
  * Update apache configuration to work in FastCGI deployments (Closes: #593203).
     - thanks to Thijs Kinkhorst <email address hidden> (Closes: #578909).

 -- Sean Finney <email address hidden> Tue, 17 Aug 2010 22:22:02 +0200

While moving to this release of cacti does add a few features, this release has
a lot of bug fixes in addition to the security fixes. Previous cacti releases
are not receiving a lot of security support from the community, so getting
this into maverick is imperative.

Changed in cacti (Ubuntu):
importance: Undecided → Wishlist
security vulnerability: no → yes
Scott Kitterman (kitterman) wrote :

Ack. FFe approved.

Jamie Strandboge (jdstrand) wrote :

[Updating] cacti (0.8.7e-4 [Ubuntu] < 0.8.7g-1 [Debian])
 * Trying to add cacti...
2010-09-24 15:29:11 INFO - <cacti_0.8.7g.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
2010-09-24 15:29:12 INFO - <cacti_0.8.7g-1.diff.gz: downloading from http://ftp.debian.org/debian/>
2010-09-24 15:29:12 INFO - <cacti_0.8.7g-1.dsc: downloading from http://ftp.debian.org/debian/>
I: cacti [universe] -> cacti_0.8.7e-4 [universe].

Changed in cacti (Ubuntu):
status: New → Fix Released