Cacti 0.8.8b was released [1] which includes a security fix for "SQL injection and shell escaping issues". Current Fedora and EPEL include 0.8.8a which is vulnerable to these flaws. No other information is currently available, however the 0.8.8b release is primarily a bug fix so should be safe to rebase across the board.

[1] http://sourceforge.net/mailarchive/message.php?msg_id=31258868
Created cacti tracking bugs for this issue:

Affects: fedora-all [bug 994617]
Affects: epel-all [bug 994618]
Code commits look to be as follows:

* SQL injection: http://svn.cacti.net/viewvc?view=rev&revision=7394
* Shell escape in snmp.php: http://svn.cacti.net/viewvc?view=rev&revision=7392
* Shell escape in rrd.php: http://svn.cacti.net/viewvc?view=rev&revision=7393
CVEs requested: http://www.openwall.com/lists/oss-security/2013/08/07/7
The CVE identifiers have been assigned as follows (http://www.openwall.com/lists/oss-security/2013/08/07/15):

CVE-2013-1434: for the SQL injection issues, fixed by http://svn.cacti.net/viewvc?view=rev&revision=7394

CVE-2013-1435: for the shell escaping issues, fixed by http://svn.cacti.net/viewvc?view=rev&revision=7392 and http://svn.cacti.net/viewvc?view=rev&revision=7393
It was noted that the fix for CVE-2013-1435 caused a regression (functionality broke):

http://sourceforge.net/mailarchive/message.php?msg_id=31262707
http://sourceforge.net/mailarchive/message.php?msg_id=31262712

The corresponding svn commits should be the following:

http://svn.cacti.net/viewvc?view=rev&revision=7408
http://svn.cacti.net/viewvc?view=rev&revision=7409
http://svn.cacti.net/viewvc?view=rev&revision=7413
Thanks for pointing out those commits. Since this is SQL injection, I'm still planning to push this to stable ASAP, even with the broken graphs, because I don't want to reset the timers in Bodhi. We can pick up those patches on a later release, assuming upstream won't ship 0.8.8c for those.
Link to upstream discussion about the graph regressions: http://forums.cacti.net/viewtopic.php?f=21&t=50602

(For Fedora and EPEL, we're still on track to get 0.8.8b into stable ASAP, as described in comment #6.)
cacti-0.8.8b-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.8b-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.8b-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
cacti-0.8.8b-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.