Ubuntu
cacti package

Change logs for cacti source package in Bionic

  1. Bionic (18.04)
  2. Change log 
  • cacti (1.1.38+ds1-1) unstable; urgency=medium

  * New upstream release 1.1.38
  * [tests] Remove mysql-server test as it isn't available in testing

 -- Paul Gevers <email address hidden>  Wed, 18 Apr 2018 12:03:05 +0200
  • cacti (1.1.37+ds1-1) unstable; urgency=medium

  * New upstream release 1.1.37
  * CVE-2018-10059: (XSS) the get_current_page function in
    lib/functions.php relies on $_SERVER['PHP_SELF'] instead of
    $_SERVER['SCRIPT_NAME'] to determine a page name
  * CVE-2018-10060: (XSS) does not properly reject unintended characters,
    related to use of the sanitize_uri function in lib/functions.php
  * CVE-2018-10061: (XSS) makes certain htmlspecialchars calls without the
    ENT_QUOTES flag

 -- Paul Gevers <email address hidden>  Thu, 12 Apr 2018 17:43:13 +0200
  • cacti (1.1.36+ds1-1) unstable; urgency=medium

  * New upstream release 1.1.36
    - Refresh patches

 -- Paul Gevers <email address hidden>  Wed, 28 Feb 2018 16:22:50 +0100
  • cacti (1.1.35+ds1-1) unstable; urgency=medium

  * New upstream version 1.1.35
  * [tests] Fix for nofollow directive that prevented recursive crawl
    (Closes: #889893)
  * [tests] Prevent cron job from running
  * Add 0001-issue-1336-Fix-issue-with-config-not-being-defined-1.patch
    from upstream

 -- Paul Gevers <email address hidden>  Tue, 13 Feb 2018 19:26:14 +0100
  • cacti (1.1.34+ds1-1) unstable; urgency=medium

  * New upstream version 1.1.34
    - Includes updates for php7.2 (Closes: #889181)

 -- Paul Gevers <email address hidden>  Tue, 06 Feb 2018 22:31:34 +0100
  • cacti (1.1.31+ds1-1ubuntu2) bionic; urgency=medium

  * d/t/check-all-pages: correct message string.

 -- Nishanth Aravamudan <email address hidden>  Mon, 05 Feb 2018 16:19:36 -0800
  • cacti (1.1.31+ds1-1ubuntu1) bionic; urgency=medium

  * debian/patches/php72_count_bc_changes.patch: PHP7.2 has deprecated
    count() of non-Countable objects.
  * debian/patches/update-cactisql.patch: Update cacti.sql for
    readstring to community change.
  * debian/tests/check-all-pages: add a new expected error message.

 -- Nishanth Aravamudan <email address hidden>  Fri, 02 Feb 2018 08:21:41 -0800
  • cacti (1.1.31+ds1-1) unstable; urgency=medium

  * New upstream version 1.1.31
  * Update autopkgtest for new output since 1.1.29

 -- Paul Gevers <email address hidden>  Wed, 17 Jan 2018 18:50:00 +0100
  • cacti (1.1.30+ds1-1) unstable; urgency=medium

  * New upstream version 1.1.30

 -- Paul Gevers <email address hidden>  Fri, 05 Jan 2018 20:30:47 +0100
  • cacti (1.1.29+ds1-1) unstable; urgency=medium

  * New upstream version 1.1.29
  * Refresh documentation tar ball
  * Drop php-mysqlnd from alternative list of dependencies, it doesn't
    exist
  * Use dh-linktree embed-weakdep option to prevent strong dependencies
    (requires dh-linktree 0.5)

 -- Paul Gevers <email address hidden>  Wed, 27 Dec 2017 20:57:21 +0100
  • cacti (1.1.28+ds1-3) unstable; urgency=medium

  * Rebuild against new version of libjs-jquery-colorpicker (Closes:
    #884756)

 -- Paul Gevers <email address hidden>  Thu, 21 Dec 2017 21:16:13 +0100
  • cacti (1.1.28+ds1-2) unstable; urgency=medium

  * Add remove-global-mysql-command.patch (Closes: #882356)

 -- Paul Gevers <email address hidden>  Fri, 24 Nov 2017 11:07:11 +0100
  • cacti (1.1.28+ds1-1) unstable; urgency=medium

  * New upstream version 1.1.28
    - Drop applied patches
  * [tests] Allow time out to happen in the logs as Ubuntu's autopkgtest
    servers are often too slow

 -- Paul Gevers <email address hidden>  Sun, 19 Nov 2017 21:34:10 +0100
  • cacti (1.1.27+ds1-3) unstable; urgency=medium

  * CVE-2017-16641: remote authenticated administrators can execute
    arbitrary os commands via the path_rrdtool parameter in an action=save
    request to settings.php (Closes: #881110)
  * CVE-2017-16660: remote authenticated administrators can conduct Remote
    Code Execution attacks by placing the Log Path under the web root, and
    then making a remote_agent.php request containing PHP code in a
    Client-ip header
  * CVE-2017-16661: remote authenticated administrators can read arbitrary
    files accessible by the web-server user by placing the Log Path into a
    private directory, and then making a clog.php?filename= request
  * CVE-2017-16785: reflected XSS via the PATH_INFO to host.php
    (reintroduction of CVE-2017-15194)
  * Bump standards to 4.1.1
  * Set Priority to optional

 -- Paul Gevers <email address hidden>  Tue, 14 Nov 2017 20:14:34 +0100
  • cacti (1.1.27+ds1-2) unstable; urgency=medium

  * Add upstream commit b44eb52 as 0001-Another-crack-at-issue-1039.patch
    because they likely reintroduced part of CVE-2017-15194. Thanks to
    autopkgtest

 -- Paul Gevers <email address hidden>  Fri, 27 Oct 2017 14:41:48 +0200
  • cacti (1.1.18+ds1-1) unstable; urgency=medium

  * New upstream version 1.1.18
    - Drop patches from upstream and refresh the others
  * Bump standards version to 4.0.1 (no changes)
  * Stop installing csrf/LICENSE file (thanks lintian)

 -- Paul Gevers <email address hidden>  Sat, 19 Aug 2017 18:46:41 +0200