-
cacti (0.8.8h+ds1-10+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* CVE-2019-17358: insufficient validation of form input leading to unsafe
unserialization operations and memory corruption (Closes: #947375).
-- Hugo Lefeuvre <email address hidden> Sun, 29 Dec 2019 20:37:02 +0100
-
cacti (0.8.8h+ds1-10) unstable; urgency=medium
* Fix upgrades from before 0.8.8h+ds1-8; that version started to ship
symlinks to directories in libjs-jquery-jstree without making sure
dpkg handled that properly during upgrades (Closes: #861858)
-- Paul Gevers <email address hidden> Fri, 05 May 2017 13:55:33 +0200
-
cacti (0.8.8h+ds1-9) unstable; urgency=medium
* Add enable_faster_polling_than_cron.patch to replace the use of the
deprecated split() function (Closes: #860271)
-- Paul Gevers <email address hidden> Thu, 13 Apr 2017 22:05:30 +0200
-
cacti (0.8.8h+ds1-8) unstable; urgency=medium
* Depend on libjs-jquery-jstree instead of using embedded version
* Replace use_debian_javascript_packages.patch with links to the Debian
packages instead (more transparent)
* Add fix_export_for_debian_packages.patch to avoid export failure
-- Paul Gevers <email address hidden> Wed, 14 Dec 2016 21:20:24 +0100
-
cacti (0.8.8h+ds1-5) unstable; urgency=medium
[ Emilio Pozuelo Monfort ]
* CVE-2016-2313-guest-auth.patch:
+ Fix regression in the fix for CVE-2016-2313 that broke guest user
logins. Thanks to Matus Uhlar for the report. (Closes: #833420)
[ Paul Gevers ]
* Recommend default-mysql-server instead of MariaDB and MySQL
-- Paul Gevers <email address hidden> Mon, 05 Sep 2016 21:10:12 +0200
-
cacti (0.8.8h+ds1-4) unstable; urgency=medium
* Improve autopkgtest situation and avoid failure when it is not needed
-- Paul Gevers <email address hidden> Thu, 16 Jun 2016 22:11:20 +0200
-
cacti (0.8.8h+ds1-2) unstable; urgency=medium
* Update make_cacti_sql_mode-strict_compatible.patch to also drop
ONLY_FULL_GROUP_BY (Follow-up for LP: #1578144)
* Lower versioned dependency on libphp-adodb to be Ubuntu compatible
-- Paul Gevers <email address hidden> Thu, 02 Jun 2016 22:06:59 +0200
-
cacti (0.8.8h+ds1-1) unstable; urgency=medium
* New upstream release
- CVE-2016-3659 SQL Injection Vulnerability in graph_view.php (Closes: #820521)
* Drop obsolete patches (applied upstream)
* Update tests to depend on javascript-common
* Don't test lighttpd for now
* Drop jquery.js from the source (wasn't used anyways in Debian), so no
need to document it in d/copyright
* Add make_cacti_sql_mode-strict_compatible.patch to enable cacti to
work with the default settings of MySQL 5.7 (LP: #1578144)
-- Paul Gevers <email address hidden> Sat, 14 May 2016 22:26:35 +0200
-
cacti (0.8.8g+ds1-3) unstable; urgency=medium
* Bump standards (no changes)
* Fix noninteractive install failure
* Reorder test Depends in the hope that MySQL|MariaDB-server gets set up
before cacti
* Refresh all patches
* Take over patch 11_1571432_mysqli.patch from Ubuntu (although not
really needed anymore) to fix mysqli extension in the install script
(LP: #1571432)
-- Paul Gevers <email address hidden> Fri, 29 Apr 2016 14:08:05 +0200
-
cacti (0.8.8g+ds1-2) unstable; urgency=medium
[ Paul Gevers ]
* Next upstream version, strip include/js/jquery.js from source
* Make sure the web-interface doesn't ask unnecessary questions after
install (Closes: #783447)
* Use the MySQL connection password as initial password for the admin
user (Closes: #783446) and mention this in the NEWS.Debian file
* Improve fix for CVE-2016-2313 such that it doesn't cause a regression
for setups that rely on http authentication of users unknown to cacti.
- Add improve_fix_for_CVE-2016-2313.patch
* Full update of README.Debian
* CVE-2016-3172
- Add CVE-2016-3172_sql-injection-in-tree.php.patch (Closes: #818647)
* Update Brazilian Portuguese, thanks to Diego Neves (Closes: #816962)
* Drop old code in postinst to (re)move old configuration files; this is
already fixed in jessie
* Bump version for libphp-adodb as mysqli doesn't work otherwise
* Add new php-xml & php-mbstring to Depends for php7.0
* Add add_rrdtool-1.5_to_utilities.php.patch to prevent error in
utilities.php with rrdtool version 1.5
* Remove Mahyuddin from uploaders (thanks for the fish)
[ Nishanth Aravamudan ]
* Update to PHP7.0 dependencies (LP: #1544352)
* Default to mysqli driver for database connection, as the mysql driver
has been removed in PHP7.0 (LP: #1544352) (Closes: #815987)
-- Paul Gevers <email address hidden> Sun, 17 Apr 2016 19:55:43 +0200
-
cacti (0.8.8g+ds1-1) unstable; urgency=medium
* New upstream release
- CVE-2016-2313 (closes: #814353)
- Drop included patches
* Update d/copyright with new years
* Enable installation on MariaDB by forcing the collation to latin1
* Add mariadb-server to list of recommends
* Update Vcs-* fields to https
-- Paul Gevers <email address hidden> Fri, 26 Feb 2016 13:50:34 +0100
-
cacti (0.8.8f+ds1-4) unstable; urgency=medium
* CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php
* CVE-2015-8604: Fix SQL Injection vulnerability in graphs_new.php
* Depend on dbconfig-mysql or dbconfig-no-thanks instead of
dbconfig-common and mysql-client
* Bump compat level to 9
* Drop useless CFLAGS declaration in d/rules
* Drop cacti.sql_drop_tables_to_begin.patch as dbconfig-common now does
that.
* Add dependency on libjs-jquery now that version is high enough and
update use_debian_javascript_packages.patch to use it.
-- Paul Gevers <email address hidden> Sat, 09 Jan 2016 13:16:04 +0100
-
cacti (0.8.8f+ds1-3) unstable; urgency=high
* Add upstream patch to fix
- CVE-2015-8369 SQL Injection vulnerability in graph.php
-- Paul Gevers <email address hidden> Sat, 12 Dec 2015 14:03:40 +0100
-
cacti (0.8.8f+ds1-2) unstable; urgency=medium
* Update loadavg_multi_locale_friendly.patch (Closes: #793401)
* Add missing manual.css (Closes: #783416)
* Fix d/rules override_dh_*configure target (Wasn't ever run,
although that wasn't too bad until now)
-- Paul Gevers <email address hidden> Mon, 03 Aug 2015 19:58:53 +0200
-
cacti (0.8.8f+ds1-1) unstable; urgency=medium
* New upstream release fixing some regressions in 0.8.8e
-- Paul Gevers <email address hidden> Tue, 21 Jul 2015 21:59:40 +0200
-
cacti (0.8.8e+ds1-1) unstable; urgency=high
* Imported Upstream version 0.8.8e
- CVE-2015-4634 multiple SQL Injection vulnerabilities
* Add new jquery scripts to Files-Excluded
* Refresh patches
-- Paul Gevers <email address hidden> Wed, 15 Jul 2015 19:47:00 +0200
-
cacti (0.8.8d+ds1-1) unstable; urgency=high
* Upload to unstable
* New upstream release
- CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
before 0.8.8d allows remote attackers to inject arbitrary web script
or HTML via unspecified vectors.
- CVE-2015-4342 SQL Injection and Location header injection from cdef id
- CVE-2015-4454 SQL injection vulnerability in the
get_hash_graph_template function in lib/functions.php in Cacti before
0.8.8d allows remote attackers to execute arbitrary SQL commands via
the graph_template_id parameter to graph_templates.php.
- Unassigned CVE VN:JVN#78187936 / TN:JPCERT#98968540 Fixed SQL injection
* Remove Sean from the list of uploaders. Thanks for all the fish
(Closes: #773436)
* Fix d/p/07_cli-include-path.patch (LP: #1433665)
* Update debian/patches/fix_php_strict_warning_in_ping.patch for partial
upstream fix
* Include the virtual alternative for the recommends on mysql-server
(Closes: #781982)
* Upstream dropped unused javascripts, remove them from d/copyright
* Add patch to have upgrade script mention version 0.8.8d i.s.o. 0.8.8c
-- Paul Gevers <email address hidden> Mon, 22 Jun 2015 19:59:13 +0200
-
cacti (0.8.8b+dfsg-8) unstable; urgency=high
* CVE-2014-5261
Insufficient input sanitization leads to shell command injection
possibilities
* CVE-2014-5262
Incomplete and incorrect input parsing leads to SQL injection attack
scenarios
* Fix for CVE-2014-5043 was incomplete, improve patch
* Change CVE-2014-4002 patch to include upstream updated commits
-- Paul Gevers <email address hidden> Mon, 18 Aug 2014 19:57:43 +0200