Security update for cacti and cacti-spine SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2765-1 Final 1 1 2017-10-18T20:35:36Z current 2017-10-18T20:35:36Z 2017-10-18T20:35:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cacti and cacti-spine This update for cacti and cacti-spine fixes the following issues: Build version 1.1.26 - issue#841: --input-fields variable not working with add_graphs.php cli - issue#986: Resolve minor appearance problem on Modern theme - issue#989: Resolve issue with data input method commands loosing spaces on import - issue#1000: add_graphs.php not recognizing input fields - issue#1003: Reversing resolution to Issue#995 due to adverse impact to polling times - issue#1008: Remove developer debug warning about thumbnail validation - issue#1009: Resolving minor issue with cmd_realtime.php and a changing hostname - issue#1010: CVE-2017-15194 - Path-Based Cross-Site Scripting (XSS) (bsc#1062554) - issue#1027: Confirm that the PHP date.timezone setting is properly set during install - issue: Fixed database session handling for PHP 7.1 - issue: Fixed some missing i18n - issue: Fixed typo's - feature: Updated Dutch translations - feature: Schema changes; Examined queries without key usage and added/changed some keys - feature: Some small improvements Build version 1.1.25 - issue#966: Email still using SMTP security even though set to none - issue#995: Redirecting exec_background() to dev null breaks some functions - issue#998: Allow removal of external data template and prevent their creation - issue: Remove spikes uses wrong variance value from WebGUI - issue: Changing filters on log page does not reset to first page - issue: Allow manual creation of external data sources once again - feature: Updated Dutch translations Build version 1.1.24 - issue#932: Zoom positioning breaks when you scroll the graph page - issue#970: Remote Data Collector Cache Synchronization missing plugin sub-directories - issue#980: Resolve issue where a new tree branches refreshs before you have a chance to name it - issue#982: Data Source Profile size information not showing properly - issue: Long sysDescriptions on automation page cause columns to be hidden - issue: Resolve visual issues in Classic theme - feature: Allow Resynchronization of Poller Resource Cache Build version 1.1.23 - issue#963: SQL Errors with snmpagent and MariaDB 10.2 - issue#964: SQL Mode optimization failing in 1.1.22 Build version 1.1.22 - issue#950: Automation - New graph rule looses name on change - issue#952: CSV Export not rendering chinese characters correctly (Second attempt) - issue#955: Validation error trying to view graph debug syntax - issue: MySQL/MariaDB database sql_mode NO_AUTO_VALUE_ON_ZERO corrupts Cacti database - issue: When creating a data source, the data source profile does not default to the system default - feature: Enhance table filters to support new Cycle plugin - feature: Updated Dutch Translations Build version 1.1.21 - issue#938: Problems upgrading to 1.1.20 with one table alter statement - issue#952: CSV Export not rendering chinese characters correctly - issue: Minor alignment issue on tables Build version 1.1.20 - issue#920: Issue with scrollbars after update to 1.1.19 related to #902 - issue#921: Tree Mode no longer expands to accomodate full tree item names - issue#922: When using LDAP domains some setings are not passed correctly to the Cacti LDAP library - issue#923: Warninga in cacti.log are displayed incorrectly - issue#926: Update Utilities page to provide more information on rebuilding poller cache - issue#927: Minor schema change to support XtraDB Cluster - issue#929: Overlapping frames on certain themes - issue#931: Aggregate graphs missing from list view - issue#933: Aggregate graphs page counter off - issue#935: Support utf8 printable in data query inserts - issue#936: TimeZone query failure undefined function - issue: Taking actions on users does not use callbacks - issue: Undefined constant in lib/snmp.php on RHEL7 - issue: Human readable socket errno's not defined - issue: Audit of ping methods tcp, udp, and icmp ping. IPv6 will still not work till php 5.5.4 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-10/msg00064.html E-Mail link for openSUSE-SU-2017:2765-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 cacti-1.1.26-25.1 cacti-doc-1.1.26-25.1 cacti-spine-1.1.26-16.1 cacti-1.1.26-25.1 as a component of openSUSE Leap 42.2 cacti-doc-1.1.26-25.1 as a component of openSUSE Leap 42.2 cacti-spine-1.1.26-16.1 as a component of openSUSE Leap 42.2 cacti-1.1.26-25.1 as a component of openSUSE Leap 42.3 cacti-doc-1.1.26-25.1 as a component of openSUSE Leap 42.3 cacti-spine-1.1.26-16.1 as a component of openSUSE Leap 42.3 include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page. CVE-2017-15194 openSUSE Leap 42.2:cacti-1.1.26-25.1 openSUSE Leap 42.2:cacti-doc-1.1.26-25.1 openSUSE Leap 42.2:cacti-spine-1.1.26-16.1 openSUSE Leap 42.3:cacti-1.1.26-25.1 openSUSE Leap 42.3:cacti-doc-1.1.26-25.1 openSUSE Leap 42.3:cacti-spine-1.1.26-16.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00064.html https://www.suse.com/security/cve/CVE-2017-15194.html CVE-2017-15194 https://bugzilla.suse.com/1062554 SUSE Bug 1062554