Bug 690581 - Security fixes in Cacti v0.8.7g for EPEL4/5
Summary: Security fixes in Cacti v0.8.7g for EPEL4/5
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: cacti
Version: el4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-03-24 17:28 UTC by Dan Young
Modified: 2011-12-13 18:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-13 18:08:56 UTC
Type: ---
Embargoed:


Attachments
Cacti database upgrade works after this patch. (1.19 KB, patch)
2011-04-05 22:39 UTC, Dan Young

Description Dan Young 2011-03-24 17:28:49 UTC
Description of problem:
Upstream cacti has a new release (0.8.7g) that fixes some security issues:
http://www.cacti.net/release_notes_0_8_7g.php

This is already in EPEL6. 4 and 5 are still on 0.8.7f; can we get 0.8.7g pushed there as well?

Comment 1 Gwyn Ciesla 2011-04-05 15:49:38 UTC
Working on a pair of bugs, if they're good I'll push it to rawhide, F-15-14-13, EL-4-5-6.

Comment 2 Dan Young 2011-04-05 17:15:27 UTC
Not sure if this is one of your bugs...

I tried an upgrade of 0.8.7f to 0.8.7g (rebuilt 0.8.7g for EPEL4) which cratered due to the upgrade script not working. Bug seems to be in db_fetch_cell('select cacti from version') in either /usr/share/cacti/install/index.php or /var/lib/cacti/cli/upgrade_database.php.

I can file this separately if you like.

Comment 3 Gwyn Ciesla 2011-04-05 17:24:19 UTC
It is.  If you have a patch, attach it to this BZ and I'll have a look.

Comment 4 Dan Young 2011-04-05 22:36:07 UTC
Patch attached. Here's the corresponding upstream commit:
http://svn.cacti.net/viewvc/cacti/branches/0.8.7/lib/database.php?r1=6233&r2=6321

I tested it as far as the web-driven upgrade process. The /var/lib/cacti/cli/upgrade_database.php script still fails as there's no 0_8_7f_to_0_8_7g.php in the array at the top.

Comment 5 Dan Young 2011-04-05 22:39:39 UTC
Created attachment 490100 [details]
Cacti database upgrade works after this patch.

The upstream commit references this bug: http://bugs.cacti.net/view.php?id=1646 which is for SSL MySQL support? And yet it fixes the upgrade operation...

Comment 6 Vincent Danen 2011-05-16 22:28:21 UTC
Any progress on this issue?

Comment 7 Dan Young 2011-05-25 21:54:21 UTC
Ping?

Comment 8 Gwyn Ciesla 2011-05-26 12:31:31 UTC
Sorry, been swamped.  I just approved kdreyer for EL-5, are you working on this or shall I?

Comment 9 Ken Dreyer 2011-05-26 14:54:10 UTC
I currently have a few spare cycles so I was going to try to get this fixed for EL-5.

I don't have an EL-4 box available to test, so someone else will need to handle that branch.

Comment 10 Dan Young 2011-05-26 20:03:53 UTC
My production Cacti is on EL4 so I'd be willing to do some footwork to make this happen.

Jon, you mentioned other issues besides the DB upgrade that were outstanding. If you can summarize and point me at those, I'd be willing to take a look. Thanks.

Comment 11 Ken Dreyer 2011-05-26 21:10:07 UTC
Dan, if you're interested feel free to apply for commit privs at https://admin.fedoraproject.org/pkgdb/acls/name/cacti .

And Jon, I'll second Dan's request for more information re: your comment #1. I see #609856 and #665773 are open in BZ, but was there something more?

Comment 12 Fedora Update System 2011-05-27 05:28:43 UTC
cacti-0.8.7g-1.el5.1 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/cacti-0.8.7g-1.el5.1

Comment 14 Fedora Update System 2011-06-15 14:57:17 UTC
cacti-0.8.7g-1.el5.1 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Ken Dreyer 2011-10-27 19:14:50 UTC
Dan, I've pushed 0.8.7h to EL4: https://admin.fedoraproject.org/updates/cacti-0.8.7h-1.el4

I don't have an EL4 box here to test. Your feedback would be appreciated.

Comment 16 Dan Young 2011-10-31 20:39:52 UTC
This error was logged in /var/log/cacti/cacti.log on upgrade from 0.8.7f:
[Fail] ALTER TABLE `data_template_rrd` ADD UNIQUE INDEX `duplicate_dsname_contraint` (`local_data_id`, `data_source_name`, `data_template_id`)

Some related discussion here:
http://forums.cacti.net/viewtopic.php?f=11&t=42925

Cacti seems to work anyways, FWIW. I'm not sure I'm in a position to recommend you push the update or not. Given the imminent end of regular support for EL4, we're not likely to stay on it much longer.
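
The ALTER TABLE that failed in the comment above adds a unique index, and MySQL refuses to create a unique index while existing rows already share the indexed tuple (local_data_id, data_source_name, data_template_id); it reports a "Duplicate entry" error. The following SQL is an added example, not code from the Cacti project or from this bug report. It assumes the failure is that duplicate-key case, assumes an `id` primary key and simplified column types for data_template_rrd, and uses constructed rows. It shows how to find the offending rows before upgrading and one way to resolve them so the index statement from the log can be re-run.

```sql
-- Constructed example; not the real Cacti schema (assumed types, extra
-- columns omitted). Run the real checks against a backup first.
CREATE TABLE data_template_rrd (
  id               INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  local_data_id    INT UNSIGNED NOT NULL DEFAULT 0,
  data_template_id INT UNSIGNED NOT NULL DEFAULT 0,
  data_source_name VARCHAR(19)  NOT NULL DEFAULT ''
);

-- Constructed rows: ids 2 and 3 collide on the would-be unique key.
INSERT INTO data_template_rrd (id, local_data_id, data_template_id, data_source_name) VALUES
  (1, 10, 5, 'traffic_in'),
  (2, 10, 5, 'traffic_out'),
  (3, 10, 5, 'traffic_out'),
  (4, 11, 5, 'traffic_in');

-- 1. Pre-flight check: every group listed here would make the
--    ADD UNIQUE INDEX fail with a "Duplicate entry" error.
SELECT local_data_id, data_source_name, data_template_id,
       COUNT(*) AS copies, GROUP_CONCAT(id ORDER BY id) AS ids
FROM   data_template_rrd
GROUP  BY local_data_id, data_source_name, data_template_id
HAVING COUNT(*) > 1;

-- 2. One possible resolution (after a backup and after inspecting the
--    rows above): keep the lowest id in each group, drop later copies.
--    MySQL multi-table DELETE syntax; the alias after DELETE is the
--    table rows are removed from.
DELETE dup
FROM   data_template_rrd AS dup
JOIN   data_template_rrd AS keep
  ON   keep.local_data_id    = dup.local_data_id
 AND   keep.data_source_name = dup.data_source_name
 AND   keep.data_template_id = dup.data_template_id
 AND   keep.id < dup.id;

-- 3. Re-run the statement that failed during the upgrade (index name
--    spelled as upstream spells it); it succeeds once no duplicates remain.
ALTER TABLE `data_template_rrd`
  ADD UNIQUE INDEX `duplicate_dsname_contraint`
  (`local_data_id`, `data_source_name`, `data_template_id`);
```

Whether deleting the later copies is the right resolution depends on what the duplicate rows are in a given installation; the pre-flight SELECT is the safe part to run on a production database, the DELETE only after the listed ids have been checked and the database backed up.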

Comment 17 Ken Dreyer 2011-11-01 20:58:25 UTC
Thanks for the feedback. Were you able to actually update the DB to 0.8.7f ok?

I'm inclined to push cacti-0.8.7h-1.el4 out since it has a fix for SQL injection and XSS, and the upstream bug (1646) mentioned in Comment 5 made it into 0.8.7h... but maybe there's something else lurking that's incompatible with EL4?

Comment 18 Ken Dreyer 2011-11-01 20:59:14 UTC
(In reply to comment #17)
> Thanks for the feedback. Were you able to actually update the DB to 0.8.7f ok?

...I meant 0.8.7h here, sorry.

Comment 19 Dan Young 2011-11-01 21:24:26 UTC
(In reply to comment #18)
> (In reply to comment #17)
> > Thanks for the feedback. Were you able to actually update the DB to 0.8.7f ok?
> 
> ...I meant 0.8.7h here, sorry.

Yes, it did update, though with the aforementioned database error.

I certainly think the security issues, etc. are worth updating for, though I wish I understood what was happening w/ the SQL error on database upgrade. Could just be our Cacti database...

If it's "just" an index and there is no visible performance penalty, I'm less inclined to care.

Comment 20 Ken Dreyer 2011-12-12 14:48:50 UTC
I pushed 0.8.7h for all branches back in November (#748451), so I'm going to mark this as "closed". 0.8.7i was released today with more security fixes. Please see #766573 for tracking that effort.

