Security update for cacti, cacti-spine SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1106-1 Final 1 1 2020-07-27T21:28:47Z current 2020-07-27T21:28:47Z 2020-07-27T21:28:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cacti, cacti-spine This update for cacti, cacti-spine fixes the following issues: - cacti 1.2.13: * Query XSS vulnerabilities require vendor package update (CVE-2020-11022 / CVE-2020-11023) * Lack of escaping on some pages can lead to XSS exposure * Update PHPMailer to 6.1.6 (CVE-2020-13625) * SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295, boo#1173090) * Lack of escaping on template import can lead to XSS exposure - switch from cron to systemd timers (boo#1115436): + cacti-cron.timer + cacti-cron.service - avoid potential root escalation on systems with fs.protected_hardlinks=0 (boo#1154087): handle directory permissions in file section instead of using chown during post installation - rewrote apache configuration to get rid of .htaccess files and explicitely disable directory permissions per default (only allow a limited, well-known set of directories) This update was imported from the openSUSE:Leap:15.1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1106 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4IXKYESUUIOBHBKL32YKWOWHSJKS7RN3/ E-Mail link for openSUSE-SU-2020:1106-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1115436 SUSE Bug 1115436 https://bugzilla.suse.com/1154087 SUSE Bug 1154087 https://bugzilla.suse.com/1173090 SUSE Bug 1173090 https://www.suse.com/security/cve/CVE-2020-11022/ SUSE CVE CVE-2020-11022 page https://www.suse.com/security/cve/CVE-2020-11023/ SUSE CVE CVE-2020-11023 page https://www.suse.com/security/cve/CVE-2020-13625/ SUSE CVE CVE-2020-13625 page https://www.suse.com/security/cve/CVE-2020-14295/ SUSE CVE CVE-2020-14295 page SUSE Package Hub 15 SP1 cacti-1.2.13-bp151.4.12.1 cacti-spine-1.2.13-bp151.4.12.1 cacti-1.2.13-bp151.4.12.1 as a component of SUSE Package Hub 15 SP1 cacti-spine-1.2.13-bp151.4.12.1 as a component of SUSE Package Hub 15 SP1 In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CVE-2020-11022 SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4IXKYESUUIOBHBKL32YKWOWHSJKS7RN3/ https://www.suse.com/security/cve/CVE-2020-11022.html CVE-2020-11022 https://bugzilla.suse.com/1173090 SUSE Bug 1173090 https://bugzilla.suse.com/1178434 SUSE Bug 1178434 https://bugzilla.suse.com/1190663 SUSE Bug 1190663 In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CVE-2020-11023 SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4IXKYESUUIOBHBKL32YKWOWHSJKS7RN3/ https://www.suse.com/security/cve/CVE-2020-11023.html CVE-2020-11023 https://bugzilla.suse.com/1173090 SUSE Bug 1173090 https://bugzilla.suse.com/1178434 SUSE Bug 1178434 https://bugzilla.suse.com/1190660 SUSE Bug 1190660 PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message. CVE-2020-13625 SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4IXKYESUUIOBHBKL32YKWOWHSJKS7RN3/ https://www.suse.com/security/cve/CVE-2020-13625.html CVE-2020-13625 https://bugzilla.suse.com/1173090 SUSE Bug 1173090 A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries. CVE-2020-14295 SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1 SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1 important 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4IXKYESUUIOBHBKL32YKWOWHSJKS7RN3/ https://www.suse.com/security/cve/CVE-2020-14295.html CVE-2020-14295 https://bugzilla.suse.com/1173090 SUSE Bug 1173090