openSUSE-SU-2022:0145-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2022:0145-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2022:0145-1
Related
Published
2022-05-24T08:17:34Z
Modified
2022-05-24T08:17:34Z
Summary
Security update for cacti, cacti-spine
Details

This update for cacti, cacti-spine fixes the following issues:

cacti-spine was updated to 1.2.20:

  • Add support for newer versions of MySQL/MariaDB
  • When checking for uptime of device, don't assume a non-response is always fatal
  • Fix description and command trunctation issues
  • Improve spine performance when only one snmp agent port is in use

cacti-spine 1.2.19:

  • Fix 1ssues with polling loop may skip some datasources
  • Fix ping no longer works due to hostname changes
  • Fix RRD steps are not always calculated correctly
  • Fix unable to build when DES no longer supported
  • Fix IPv6 devices are not properly parsed
  • Reduce a number of compiler warnings
  • Fix compiler warnings due to lack of return in threadmutextrylock
  • Fix Spine will not look at non-timetics uptime when sysUpTimeInstance overflows
  • Improve performance of Cacti poller on heavily loaded systems

cacti-spine 1.2.20:

  • Add support for newer versions of MySQL/MariaDB
  • When checking for uptime of device, don't assume a non-response is always fatal
  • Fix description and command trunctation issues
  • Improve spine performance when only one snmp agent port is in use

cacti was updated to 1.2.20:

  • Security fix for CVE-2022-0730, boo#1196692 Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types.
  • Security fix: Device, Graph, Graph Template, and Graph Items may be vulnerable to XSS issues
  • Security fix: Lockout policies are not properly applied to LDAP and Domain Users
  • Security fix: When using 'remember me' option, incorrect realm may be selected
  • Security fix: User and Group maintenance are vulnerable to SQL attacks
  • Security fix: Color Templates are vulnerable to XSS attack
  • Features:
    • When creating a Data Source Profile, allow additional choices for Heartbeat
    • Change select all options to use Font Awesome icons
    • Improve spine performance by storing the total number of system snmp_ports in use
    • Prevent Template User Accounts from being Removed
    • When managing by users, allow filtering by Realm
    • Allow plugins to supply template account names
    • When viewing logs, additional message types should be filterable
    • When creating a Graph Template Item, allow filtering by Data Template
    • Allow language handler to be selected via UI
    • Updated Device packages for Synology, Citrix NetScaler, Cisco ASA/Cisco
    • Add Advanced Ping Graph Template to initial Installable templates
    • Add LDAP Debug Mode option
    • Allow Reports to include devices not on a Tree
    • Allow Basic Authentication to display custom failure message
  • Fix: When replicating data during installation/upgrade, system may appear to hang
  • Fix: Graph Template Items may have duplicated entries
  • Fix: Unable to Save Graph Settings
  • Fix: Script Server may crash if an OID is missing or unavailable
  • Fix: When system-wide polling is disabled, remote pollers may fail to sync changed settings
  • Fix: When updating poller name, duplicate name protection may be over zealous
  • Fix: Titles may show 'Missing Datasource' incorectly
  • Fix: Checking for MIB Cache can cause crashes
  • Fix: Polling cycles may not always complete as expected
  • Fix: When viewing graph data, non-numeric values may appear
  • Fix: Utilities view has calculation errors when there are no data sources
  • Fix: When editing Reports, drag and drop may not function as intended
  • Fix: When data drive is full, viewing a Graph can result in errors
  • Various other bug fixes

cacti 1.2.19:

  • Further fixes for grave character security protection (boo#1192408)
  • Fix Over aggressive escaping causing menu visibility issues on Create Device page
  • Add SHA256 and AES256 security levels for SNMP polling
  • Import graph template(Preview Only) show color_id new value as a blank area
  • Fix Editing graphs errors due to missing sequence
  • Fix 2hen hovering over a Tree Graph, row shows same highlighting as Graph Edit screen
  • Fix 2hen RealTime is not active, console errors may appear
  • Fix race conditions may occur when multiple RRDtool processes are running
  • Fix errors creating graphs from templates
  • Fix errors when duplicating reports
  • Fix Boost may be blocked by overflowing poller_output table
  • Fix Template import may be blocked due to unmet dependency warnings with snmp ports
  • Fix Newer MySQL versions may error if committing a transaction when not in one
  • Fix SNMP Agent may not find a cache item
  • Fix Correct issues running under PHP 8.x
  • Fix When polling is disabled, boost may crash and creates many arch tables
  • Fix When poller runs, memory tables may not always be present
  • Fix Timezones may sometimes be incorrectly calculated
  • Fix Allow monitoring IPv6 with interface graphs
  • Fix When a data source uses a Data Input Method, those without a mapping should be flagged
  • Fix When RRDfile is not yet created, errors may appear when displaying the graph
  • Fix Cacti missing key indexes that result in Preset pages slowdowns
  • Fix Data Sources page shows no name when Data Source has no name cache
  • Fix dbupdatetable function can not alter table from signed to unsigned
  • Fix data remains in poller_output table even if it's flushed to rrd files
  • Fix Parameter list for lib/database.php:dbconnectreal() is not correct in 3 places
  • Fix Offset is a reserved word in MariaDB 10.6 affecting Report
  • Fix Rendering large trees slowed due to lack of permission caching
  • Fix Error on interpretation of snmpUtime, when to big
  • Fix Applying right axis formatting creates an error-image
  • Fix Unable to Save Graph Settings from the Graphs pages
  • Fix Graph Template Cache is nullified too often when Graph Automation is running
  • Fix When Adding a Data Query to a Device, no Progress Spinner is shown
  • Fix New Browser Breaks Plugins that depend on non UTC date time data
  • Fix errors when testing remote poller connectivity
  • Fix errors when renaming poller
  • Fix Removing spikes by Variance does not appear to be working beyond the first RRA
  • Fix LDAP API lacks timeout options leading to bad login experiences
  • Add a normal/wrap class for general use
  • Limit File Types available for Template Import operations
  • Fix Cacti does not provide an option of providing a client side certificate for LDAP/AD authentication
  • Support Stronger Encryption Available Starting in Net-SNMP v5.8
  • Allow Cacti to use multiple possible LDAP servers
  • Add a 15 minute polling/sampling interval
  • Provide additional admin email notifications
  • Add warnings for undesired changes to plugin hook return values
  • When creating a Graph, make testing the Data Sources optional by Template
  • Update phpseclib to 2.0.33
  • Update jstree.js to 3.3.12
  • Improve performance of Cacti poller on heavily loaded systems
  • MariaDB recommendations need some tuning for recent updates
References

Affected packages

SUSE:Package Hub 12 / cacti

Package

Name
cacti
Purl
pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.20-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.20-bp153.2.9.1",
            "cacti-spine": "1.2.20-bp153.2.9.1"
        }
    ]
}

SUSE:Package Hub 12 / cacti-spine

Package

Name
cacti-spine
Purl
pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.20-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.20-bp153.2.9.1",
            "cacti-spine": "1.2.20-bp153.2.9.1"
        }
    ]
}

SUSE:Package Hub 15 SP3 / cacti

Package

Name
cacti
Purl
pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.20-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.20-bp153.2.9.1",
            "cacti-spine": "1.2.20-bp153.2.9.1"
        }
    ]
}

SUSE:Package Hub 15 SP3 / cacti-spine

Package

Name
cacti-spine
Purl
pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.20-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.20-bp153.2.9.1",
            "cacti-spine": "1.2.20-bp153.2.9.1"
        }
    ]
}

openSUSE:Leap 15.3 / cacti

Package

Name
cacti
Purl
pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.20-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.20-bp153.2.9.1",
            "cacti-spine": "1.2.20-bp153.2.9.1"
        }
    ]
}

openSUSE:Leap 15.3 / cacti-spine

Package

Name
cacti-spine
Purl
pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.20-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "cacti": "1.2.20-bp153.2.9.1",
            "cacti-spine": "1.2.20-bp153.2.9.1"
        }
    ]
}