-
cacti (1.2.2+ds1-2+deb10u4) buster; urgency=medium
* Add 0001-Fixing-Issue-4022.patch (Closes: #979998)
- CVE-2020-35701: SQL injection via data_debug.php
* Add 0001-Fixing-Issue-4019.patch
There are a few places in the current code where an attacker, once
having gained access to the Cacti database through a SQL injection,
could modify data in tables to possibly expose a stored XSS bug in
Cacti.
-- Paul Gevers <email address hidden> Thu, 21 Jan 2021 20:16:38 +0100
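The SQL injection fixed in this entry (CVE-2020-35701, data_debug.php) and the one in graphs.php in the 1.2.2+ds1-2+deb10u2 entry (CVE-2019-17357) come from request data being concatenated into a query string. The example below is added here and is not Cacti code: it uses an in-memory SQLite database with a constructed data_local table, and the function names and the :host_id parameter are illustrative. It puts the injectable shape next to the parameterized one and feeds both the same payload.

```php
<?php
declare(strict_types=1);
// Added example, not Cacti code. Requires the pdo_sqlite extension.
// The table, its rows and the function names are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE data_local (id INTEGER PRIMARY KEY, host_id INTEGER, snmp_index TEXT)');
$db->exec("INSERT INTO data_local VALUES (1, 10, '1'), (2, 10, '2'), (3, 11, '1')");

// Injectable shape: the request value becomes part of the SQL text, so
// the attacker can rewrite the WHERE clause (or, with a write statement,
// change table contents, which is how a stored XSS payload gets planted).
function debug_rows_weak(PDO $db, string $host_id): array
{
    $sql = "SELECT id, snmp_index FROM data_local WHERE host_id = $host_id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is checked against the column's type first and
// then bound as a parameter, so it can only ever be data, never SQL.
function debug_rows(PDO $db, string $host_id): ?array
{
    if (!preg_match('/^[0-9]+$/', $host_id)) {
        return null;                      // reject before touching the database
    }
    $st = $db->prepare('SELECT id, snmp_index FROM data_local WHERE host_id = :host_id');
    $st->execute([':host_id' => (int) $host_id]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// --- demonstration -------------------------------------------------
// Constructed request value: a host id with a tautology appended.
$payload = '10 OR 1=1';

echo "weak, payload:\n";
print_r(debug_rows_weak($db, $payload));  // rows of every host, not just host 10
echo "hardened, payload:\n";
var_export(debug_rows($db, $payload));    // rejected
echo "\nhardened, valid id:\n";
print_r(debug_rows($db, '10'));
```

With the concatenated query the predicate becomes `host_id = 10 OR 1=1` and every row comes back; the parameterized version refuses the payload outright and returns only host 10's rows for a well-formed id. The integer check is the part that keeps the error path quiet as well: a non-numeric value never reaches the database, so no driver error text can leak.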
-
cacti (1.2.2+ds1-2+deb10u3) buster; urgency=medium
* Unix timestamps after Sep 13 2020 are rejected as graph start/end
arguments (Upstream bug #3245)
* CVE-2020-7237: Remote Code Execution (by privileged users) via shell
metacharacters in the Performance Boost Debug Log field of
poller_automation.php. OS commands are executed when a new poller
cycle begins. The attacker must be authenticated, and must have access
to modify the Performance Settings of the product. (Closes: #949997)
* CVE-2020-7106: XSS in data_sources.php, color_templates_item.php,
graphs.php, graph_items.php, lib/api_automation.php, user_admin.php,
and user_group_admin.php, as demonstrated by the description parameter
in data_sources.php (a raw string from the database that is displayed
by $header to trigger the XSS). (Closes: #949996)
* CVE-2020-13230: Disabling a user account does not immediately
invalidate any permissions granted to that account (e.g., permission
to view logs)
* CVE-2020-13231: auth_profile.php?action=edit allows CSRF for an admin
email change
-- Paul Gevers <email address hidden> Thu, 18 Jun 2020 22:34:41 +0200
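The last two items in this entry are both failures to re-check something on each request: CVE-2020-13230 trusts the session after the account behind it has been disabled, and CVE-2020-13231 accepts a state-changing POST to auth_profile.php on the strength of the session cookie alone. The example below is added here and is not Cacti code; the in-memory $users table, the session layout, the __csrf field name and the function names are constructed. It shows a per-request account status check beside the session-only one, and a synchronizer-token CSRF check on the e-mail change.

```php
<?php
declare(strict_types=1);
// Added example, not Cacti code. $users, the session keys, the __csrf
// form field and the function names are constructed for illustration.

// Constructed user table standing in for the application's user rows.
// 'enabled' is the flag an administrator clears to disable an account.
$users = [
    7 => ['username' => 'admin', 'enabled' => true, 'email' => 'admin@example.test'],
    9 => ['username' => 'jdoe',  'enabled' => true, 'email' => 'jdoe@example.test'],
];

// CVE-2020-13230 pattern: the session alone decides. Once logged in, the
// user keeps access until the session expires, whatever happened to the
// account in the meantime.
function is_logged_in_weak(array $session): bool
{
    return isset($session['sess_user_id']);
}

// Hardened: every request re-reads the account row. A disabled or
// deleted account is rejected at once and its session is dropped.
function is_logged_in(array &$session, array $users): bool
{
    $id = $session['sess_user_id'] ?? null;
    if ($id === null || !isset($users[$id]) || !$users[$id]['enabled']) {
        $session = [];
        return false;
    }
    return true;
}

// Per-session random token. A cross-site page can make the browser send
// the cookie, but it cannot read this value out of the real form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// CVE-2020-13231 fix: refuse the change unless the submitted token
// matches; hash_equals() keeps the comparison constant-time.
function verify_csrf(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['__csrf'])
        && is_string($post['__csrf'])
        && hash_equals($session['csrf_token'], $post['__csrf']);
}

function save_profile_email(array &$session, array $post, array &$users): string
{
    if (!is_logged_in($session, $users)) {
        return 'rejected: not logged in or account disabled';
    }
    if (!verify_csrf($session, $post)) {
        return 'rejected: missing or wrong CSRF token';
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return 'rejected: invalid e-mail address';
    }
    $users[$session['sess_user_id']]['email'] = $email;
    return 'saved';
}

// --- demonstration -------------------------------------------------
$session = ['sess_user_id' => 7];
$token   = csrf_token($session);

// 1. Forged cross-site POST: the cookie is there, the token is not.
echo save_profile_email($session, ['email' => 'attacker@evil.test'], $users), "\n";

// 2. Legitimate submission from the real form.
echo save_profile_email($session, ['email' => 'new@example.test', '__csrf' => $token], $users), "\n";

// 3. An administrator disables the account. The session-only check still
//    says "logged in"; the per-request check rejects the next action.
$users[7]['enabled'] = false;
echo is_logged_in_weak($session) ? "weak check: still logged in\n" : "weak check: logged out\n";
echo save_profile_email($session, ['email' => 'x@example.test', '__csrf' => $token], $users), "\n";
```

The order of the checks matters: the account status is verified before the token, so a disabled user cannot even reach the CSRF failure message, and the session is emptied on the spot rather than at expiry.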
-
cacti (1.2.2+ds1-2+deb10u2) buster-security; urgency=medium
* Non-maintainer upload by the Security Team.
* Acknowledgements to Paul Gevers!
* CVE-2019-17358: insufficient validation of form input leading to unsafe
unserialization operations and memory corruption (Closes: #947375).
* CVE-2019-17357: SQL injection vulnerability in graphs.php (Closes: #947374).
* CVE-2019-16723: Authentication bypass allows unprivileged users to view all
graphs (Closes: #941036).
-- Hugo Lefeuvre <email address hidden> Sun, 29 Dec 2019 19:53:28 +0100
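CVE-2019-17358 in this entry is a form value reaching unserialize(). The danger of that call is that the serialized string itself names the class to instantiate and the property values to give it, so any class with a __wakeup() or __destruct() method becomes code the attacker can trigger with chosen arguments. The example below is added here and is not Cacti code (it needs PHP 7.4 or later for the typed property); the Logger class, the base64 form encoding and the function names are constructed. It contrasts plain unserialize(), unserialize() with allowed_classes disabled, and a JSON representation checked against the expected shape.

```php
<?php
declare(strict_types=1);
// Added example, not Cacti code. Logger, the form encoding and the
// restore_filter_* functions are constructed for illustration.

// Any class whose magic methods run on object creation or teardown is a
// candidate gadget. Real gadgets live in the application or its
// libraries; this one only announces that it ran.
class Logger
{
    public string $file = '/tmp/harmless.log';

    public function __wakeup(): void
    {
        echo "__wakeup ran with file={$this->file}\n";
    }
}

// Weak: unserialize() on attacker-controlled bytes. The attacker picks
// the class and the property values, so they pick which __wakeup() runs.
function restore_filter_weak(string $form_value)
{
    return unserialize(base64_decode($form_value));
}

// Better: never instantiate a class from untrusted data. Objects in the
// input come back as __PHP_Incomplete_Class and no magic method runs.
function restore_filter_no_classes(string $form_value)
{
    return unserialize(base64_decode($form_value), ['allowed_classes' => false]);
}

// Best: do not use PHP serialization across a trust boundary at all.
// JSON cannot describe objects with behaviour, and the decoded array is
// checked against the exact keys and types this filter expects.
function restore_filter_json(string $form_value): ?array
{
    $raw = base64_decode($form_value, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 4);
    if (!is_array($data)
        || !isset($data['rows'], $data['filter'])
        || !is_int($data['rows']) || $data['rows'] < 1 || $data['rows'] > 1000
        || !is_string($data['filter']) || strlen($data['filter']) > 128) {
        return null;
    }
    return ['rows' => $data['rows'], 'filter' => $data['filter']];
}

// --- demonstration -------------------------------------------------
// Constructed malicious form value: a serialized Logger object. Building
// it with new does not call __wakeup(); only unserialize() does.
$evil = base64_encode(serialize(new Logger()));

echo "weak:       ";
restore_filter_weak($evil);                      // __wakeup() runs

echo "no classes: ";
$obj = restore_filter_no_classes($evil);
echo get_class($obj), "\n";                      // __PHP_Incomplete_Class, nothing ran

echo "json, evil: ";
var_export(restore_filter_json($evil));          // not JSON, rejected
echo "\n";

// Constructed legitimate value in the JSON form.
$good = base64_encode(json_encode(['rows' => 30, 'filter' => 'eth0']));
echo "json, good: ";
var_export(restore_filter_json($good));
echo "\n";
```

allowed_classes => false closes the gadget route but still lets the attacker shape arbitrary nested arrays and strings, and it does nothing for bugs inside the unserialize parser itself, which is why the JSON variant is the one to keep for anything that came from a form.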
-
cacti (1.2.2+ds1-2+deb10u1) buster; urgency=medium
* Depends instead of Recommends on php-gmp as this is now a requirement of
the upstream code (Closes: #930252)
* Fix reading of snmp gauges (0001-Resolving-issue-2474.patch) (Closes:
#930254)
* Fix upgrade from stretch (0001-Resolving-issue-2482.patch); the
upgrade code attempted to drop a non-existing primary key (Closes:
#931702)
-- Paul Gevers <email address hidden> Tue, 16 Jul 2019 21:40:32 +0200
-
cacti (1.2.2+ds1-2) unstable; urgency=medium
* Add 0001-Resolving-Issue-2581.patch from upstream (Closes: #926700)
CVE-2019-11025: In clearFilter() in utilities.php no escaping occurs
before printing out the value of the SNMP community string (SNMP
Options) in the View poller cache, leading to XSS.
-- Paul Gevers <email address hidden> Tue, 09 Apr 2019 20:42:38 +0200
-
cacti (1.2.2+ds1-1) unstable; urgency=medium
* New upstream release 1.2.2
* tests: add one more exception for Ubuntu (Closes: #922437)
* Depend on fonts-fork-awesome instead of fonts-font-awesome (Closes:
#922779)
* Fix typo in debian.php.dist (Closes: #922651)
-- Paul Gevers <email address hidden> Tue, 26 Feb 2019 21:48:07 +0100
-
cacti (1.2.1+ds1-2) unstable; urgency=medium
* tests: add some items back that are seen on Ubuntu's setup
* Migrate from libjs-chartjs to libjs-chart.js due to bug #922288
-- Paul Gevers <email address hidden> Thu, 14 Feb 2019 10:19:02 +0100
-
cacti (1.2.1+ds1-1) unstable; urgency=medium
* New upstream release 1.2.1
- spikekiller is now a class (Closes: #916814)
* Upload to unstable
* Bump dependency on libphp-phpmailer
* Bump Standards (no changes)
* Declare R³: binary-targets (Thanks lintian)
-- Paul Gevers <email address hidden> Sun, 27 Jan 2019 21:22:59 +0100
-
cacti (1.1.38+ds1-2) unstable; urgency=medium
* [tests] Adapt for MariaDB 10.3 which triggers a new message in the
log that doesn't seem to result in different output otherwise
* [tests] Add mysql-server test back but with
skip-not-installable. Debian has mariadb-server as
default-mysql-server so we definitely want to test that. Ubuntu has
mysql-server, so we also want to test that, but that isn't in
testing. (Closes: #903238)
-- Paul Gevers <email address hidden> Thu, 27 Dec 2018 20:33:59 +0100
-
cacti (1.1.38+ds1-1) unstable; urgency=medium
* New upstream release 1.1.38
* [tests] Remove mysql-server test as it isn't available in testing
-- Paul Gevers <email address hidden> Wed, 18 Apr 2018 12:03:05 +0200
-
cacti (1.1.37+ds1-1) unstable; urgency=medium
* New upstream release 1.1.37
* CVE-2018-10059: (XSS) the get_current_page function in
lib/functions.php relies on $_SERVER['PHP_SELF'] instead of
$_SERVER['SCRIPT_NAME'] to determine a page name
* CVE-2018-10060: (XSS) does not properly reject unintended characters,
related to use of the sanitize_uri function in lib/functions.php
* CVE-2018-10061: (XSS) makes certain htmlspecialchars calls without the
ENT_QUOTES flag
-- Paul Gevers <email address hidden> Thu, 12 Apr 2018 17:43:13 +0200
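The three XSS items in this entry, the unescaped SNMP community string in the 1.2.2+ds1-2 entry (CVE-2019-11025), the raw database string displayed by $header in the deb10u3 entry (CVE-2020-7106) and the stored-XSS chain noted under deb10u4 all come down to one thing: a value reaches HTML output without being escaped for the context it lands in, or is escaped with a flag set that leaves single quotes through. The example below is added here and is not Cacti code; html_escape(), html_escape_weak(), render_filter_input(), current_page_name(), the sample community string and the $server array are constructed. It renders the same stored value through htmlspecialchars() with and without ENT_QUOTES, and derives the page name from SCRIPT_NAME rather than PHP_SELF.

```php
<?php
declare(strict_types=1);
// Added example, not Cacti code. The function names, the sample
// community string and the $server array are constructed.

// Hardened escaper. ENT_QUOTES converts ' to &#039; as well as " to
// &quot;, so the result is safe in element text and in both double-
// and single-quoted attribute values. ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string (which would silently
// drop the value on screen).
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// The weak form named in the CVE-2018-10061 entry: ENT_COMPAT was the
// default flag set before PHP 8.1 and leaves the single quote as-is.
function html_escape_weak(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// A database value rendered into a single-quoted attribute. Escaping is
// done at output time regardless of where the value came from, so a
// payload planted through SQL injection or typed into a free-text field
// is shown as text instead of being interpreted as markup.
function render_filter_input(string $db_value, callable $escape): string
{
    return "<input type='text' name='filter' value='" . $escape($db_value) . "'>";
}

// Page-name derivation (CVE-2018-10059). SCRIPT_NAME is the path of the
// script the server executed; PHP_SELF is SCRIPT_NAME followed by any
// PATH_INFO the client appended to the URL, so it carries attacker
// input (the same vector as the host.php PATH_INFO entries).
function current_page_name(array $server): string
{
    $name = basename($server['SCRIPT_NAME'] ?? '');
    // Only a bare .php file name is an acceptable page name.
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $name)) {
        return 'index.php';
    }
    return $name;
}

// --- demonstration -------------------------------------------------
// Constructed stored value: a community string that closes the
// single-quoted attribute and adds an event handler.
$community = "public' onmouseover='alert(1)";

echo "weak:     ", render_filter_input($community, 'html_escape_weak'), "\n";
echo "hardened: ", render_filter_input($community, 'html_escape'), "\n";

// Constructed request environment: the client appended PATH_INFO to
// host.php. Apache's mod_php sets PHP_SELF to SCRIPT_NAME . PATH_INFO.
$server = [
    'SCRIPT_NAME' => '/cacti/host.php',
    'PATH_INFO'   => '/"><script>alert(1)</script>',
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

echo "PHP_SELF:  ", $server['PHP_SELF'], "\n";
echo "page name: ", current_page_name($server), "\n";
```

With the weak escaper the attribute closes after public and onmouseover= becomes a live handler; with ENT_QUOTES the quote is emitted as &#039; and the whole string stays inside the attribute. current_page_name() yields host.php for the constructed environment no matter what the client put in PATH_INFO, and the regex rejects anything that is not a plain script name before it can be echoed.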
-
cacti (1.1.36+ds1-1) unstable; urgency=medium
* New upstream release 1.1.36
- Refresh patches
-- Paul Gevers <email address hidden> Wed, 28 Feb 2018 16:22:50 +0100
-
cacti (1.1.35+ds1-1) unstable; urgency=medium
* New upstream version 1.1.35
* [tests] Fix for nofollow directive that prevented recursive crawl
(Closes: #889893)
* [tests] Prevent cron job from running
* Add 0001-issue-1336-Fix-issue-with-config-not-being-defined-1.patch
from upstream
-- Paul Gevers <email address hidden> Tue, 13 Feb 2018 19:26:14 +0100
-
cacti (1.1.34+ds1-1) unstable; urgency=medium
* New upstream version 1.1.34
- Includes updates for php7.2 (Closes: #889181)
-- Paul Gevers <email address hidden> Tue, 06 Feb 2018 22:31:34 +0100
-
cacti (1.1.31+ds1-1) unstable; urgency=medium
* New upstream version 1.1.31
* Update autopkgtest for new output since 1.1.29
-- Paul Gevers <email address hidden> Wed, 17 Jan 2018 18:50:00 +0100
-
cacti (1.1.30+ds1-1) unstable; urgency=medium
* New upstream version 1.1.30
-- Paul Gevers <email address hidden> Fri, 05 Jan 2018 20:30:47 +0100
-
cacti (1.1.29+ds1-1) unstable; urgency=medium
* New upstream version 1.1.29
* Refresh documentation tar ball
* Drop php-mysqlnd from alternative list of dependencies, it doesn't
exist
* Use dh-linktree embed-weakdep option to prevent strong dependencies
(requires dh-linktree 0.5)
-- Paul Gevers <email address hidden> Wed, 27 Dec 2017 20:57:21 +0100
-
cacti (1.1.28+ds1-3) unstable; urgency=medium
* Rebuild against new version of libjs-jquery-colorpicker (Closes:
#884756)
-- Paul Gevers <email address hidden> Thu, 21 Dec 2017 21:16:13 +0100
-
cacti (1.1.28+ds1-2) unstable; urgency=medium
* Add remove-global-mysql-command.patch (Closes: #882356)
-- Paul Gevers <email address hidden> Fri, 24 Nov 2017 11:07:11 +0100
-
cacti (1.1.27+ds1-3) unstable; urgency=medium
* CVE-2017-16641: remote authenticated administrators can execute
arbitrary os commands via the path_rrdtool parameter in an action=save
request to settings.php (Closes: #881110)
* CVE-2017-16660: remote authenticated administrators can conduct Remote
Code Execution attacks by placing the Log Path under the web root, and
then making a remote_agent.php request containing PHP code in a
Client-ip header
* CVE-2017-16661: remote authenticated administrators can read arbitrary
files accessible by the web-server user by placing the Log Path into a
private directory, and then making a clog.php?filename= request
* CVE-2017-16785: reflected XSS via the PATH_INFO to host.php
(reintroduction of CVE-2017-15194)
* Bump standards to 4.1.1
* Set Priority to optional
-- Paul Gevers <email address hidden> Tue, 14 Nov 2017 20:14:34 +0100
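The first three CVEs in this entry, and CVE-2020-7237 in the deb10u3 entry, are all administrator-controlled path settings that are later handed to the shell (path_rrdtool, the Performance Boost debug log) or used to decide what the web server serves and what clog.php will read (the Log Path). The example below is added here and is not Cacti code; the settings values, the temporary document root and log directory, and the validate_*()/resolve_log_file() function names are constructed. It validates a binary path before it can reach a command line, refuses a log path under the web root, and confines a clog.php-style filename parameter to the configured log directory.

```php
<?php
declare(strict_types=1);
// Added example, not Cacti code. All paths below are created under the
// system temp directory for the demonstration; the function names and
// the sample setting values are constructed.

// A binary path that will end up on a command line. Only an absolute
// path made of path-safe characters that resolves to an executable file
// is accepted, so no shell metacharacter can survive into the command.
function validate_binary_path(string $value): ?string
{
    if (!preg_match('#^/[A-Za-z0-9._/-]+$#', $value)) {
        return null;
    }
    $real = realpath($value);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }
    return $real;
}

// Even a validated path is kept as its own argv element and quoted with
// escapeshellarg() when a command string is unavoidable.
function rrdtool_command(string $rrdtool, string $rrdfile): string
{
    return implode(' ', array_map('escapeshellarg', [$rrdtool, 'info', $rrdfile]));
}

// CVE-2017-16660: a log file under the document root is a web-reachable
// file whose content the attacker partly controls through logged request
// headers. Any log path that resolves inside the web root is refused.
function validate_log_path(string $value, string $docroot): ?string
{
    if (!preg_match('#^/[A-Za-z0-9._/-]+$#', $value)) {
        return null;
    }
    $dir  = realpath(dirname($value));
    $root = realpath($docroot);
    if ($dir === false || $root === false) {
        return null;
    }
    if ($dir === $root || strncmp($dir . '/', $root . '/', strlen($root) + 1) === 0) {
        return null;
    }
    return $dir . '/' . basename($value);
}

// CVE-2017-16661: a filename parameter resolved against a log directory
// the same administrator could point anywhere. The requested name is
// reduced to a basename and must resolve inside the fixed log directory.
function resolve_log_file(string $requested, string $log_dir): ?string
{
    $base = basename($requested);
    if ($base === '' || $base[0] === '.') {
        return null;
    }
    $path = realpath($log_dir . '/' . $base);
    $root = realpath($log_dir);
    if ($path === false || $root === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// --- demonstration -------------------------------------------------
$tmp     = sys_get_temp_dir() . '/changelog-example-' . getmypid();
$docroot = $tmp . '/htdocs';
$logdir  = $tmp . '/log';
mkdir($docroot, 0700, true);
mkdir($logdir, 0700, true);
touch($logdir . '/cacti.log');

// path_rrdtool candidates: a real executable, then two injection attempts.
foreach ([PHP_BINARY, PHP_BINARY . '; id', '/tmp/x|nc 10.0.0.1 4444'] as $v) {
    printf("path_rrdtool %-36s -> %s\n", var_export($v, true), validate_binary_path($v) ?? 'rejected');
}
$rrd = validate_binary_path(PHP_BINARY);
if ($rrd !== null) {
    echo rrdtool_command($rrd, $logdir . '/cacti.log'), "\n";
}

// Log Path candidates: outside the web root, inside it, and inside it
// only by spelling (realpath() normalises the .. away).
foreach ([$logdir . '/cacti.log', $docroot . '/cacti.log', $docroot . '/../log/cacti.log'] as $v) {
    printf("log path %s -> %s\n", $v, validate_log_path($v, $docroot) ?? 'rejected');
}

// clog.php?filename= candidates.
foreach (['cacti.log', '../htdocs/config.php', '/etc/passwd'] as $v) {
    printf("clog filename=%s -> %s\n", $v, resolve_log_file($v, $logdir) ?? 'rejected');
}

unlink($logdir . '/cacti.log');
rmdir($logdir); rmdir($docroot); rmdir($tmp);
```

The common thread is that "administrator-only" does not make a setting trustworthy: the value is still validated as strictly as request input, and the decision is made on the realpath()-normalised form so that a path that is merely spelled differently cannot slip past a string comparison.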
-
cacti (1.1.27+ds1-2) unstable; urgency=medium
* Add upstream commit b44eb52 as 0001-Another-crack-at-issue-1039.patch
because they likely reintroduced part of CVE-2017-15194. Thanks to
autopkgtest
-- Paul Gevers <email address hidden> Fri, 27 Oct 2017 14:41:48 +0200
-
cacti (1.1.25+ds1-1) unstable; urgency=medium
* New upstream version 1.1.25
* Improve the override_dh_fixperms target as some files were
unintentionally missed and thus make cacti reproducible again
* CVE-2017-15194: XSS in global_session.php
- Add CVE-2017-15194.patch (Closes: #878304)
- Add check to autopkgtest
-- Paul Gevers <email address hidden> Fri, 13 Oct 2017 21:09:04 +0200
-
cacti (1.1.21+ds1-1) unstable; urgency=medium
* New upstream version 1.1.21
* Bump standards version to 4.1.0 (no changes)
-- Paul Gevers <email address hidden> Fri, 08 Sep 2017 14:48:59 +0200
-
cacti (1.1.18+ds1-1) unstable; urgency=medium
* New upstream version 1.1.18
- Drop patches from upstream and refresh the others
* Bump standards version to 4.0.1 (no changes)
* Stop installing csrf/LICENSE file (thanks lintian)
-- Paul Gevers <email address hidden> Sat, 19 Aug 2017 18:46:41 +0200
-
cacti (1.1.16+ds1-1) unstable; urgency=medium
* New upstream release
- Fixes CVE-2017-12065 spikekill.php might allow remote attackers to
execute arbitrary code via the avgnan, outlier-start, or outlier-end
parameter (Closes: #870353)
- Fixes CVE-2017-12066 Cross-site scripting (XSS) vulnerability in
aggregate_graphs.php (Closes: #870354)
-- Paul Gevers <email address hidden> Thu, 03 Aug 2017 09:38:54 -0400
-
cacti (1.1.15+ds1-1) unstable; urgency=medium
* New upstream release
- Fixes CVE-2017-11691 Cross-site scripting (XSS) vulnerability in
auth_profile.php (Closes: #869848)
* Lower the Depends on dbc to include ~ to ease backports
-- Paul Gevers <email address hidden> Thu, 27 Jul 2017 10:40:05 -0400
-
cacti (1.1.13+ds1-1) unstable; urgency=medium
* New upstream release
* Update documentation from upstream
-- Paul Gevers <email address hidden> Fri, 14 Jul 2017 20:37:39 +0200
-
cacti (1.1.12+ds1-1) unstable; urgency=medium
* New upstream release
* CVE-2017-10970 XSS vulnerability via link.php fixed (Closes: #867532)
* Add version to jquery-tablesorter
* Make sure that autopkgtests at least run again
-- Paul Gevers <email address hidden> Fri, 07 Jul 2017 21:07:43 +0200