-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 08 Sep 2024 16:11:08 +0000 Source: cacti Architecture: source Version: 1.2.16+ds1-2+deb11u4 Distribution: bullseye-security Urgency: high Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org> Changed-By: Bastien Roucariès <rouca@debian.org> Changes: cacti (1.2.16+ds1-2+deb11u4) bullseye-security; urgency=high . * Non-maintainer upload by the LTS Security Team. * Fix CVE-2022-41444: Cross Site Scripting (XSS) vulnerability via crafted POST request to graphs_new.php. * Fix CVE-2024-25641: Fix an arbitrary file write vulnerability, exploitable through the “Package Import” feature. Cacti allowed authenticated users having the “Import Templates” permission to execute arbitrary PHP code on the web server * Fix CVE-2024-31443: some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib/html.php`, finally resulting in cross-site scripting (XSS) * Fix CVE-2024-31444: some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `form_confirm()` function from `lib/html.php` , finally resulting in cross-site scripting (XSS). * Fix CVE-2024-31445: A SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution (RCE). * Fix CVE-2024-31458: some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php`, finally resulting in SQL injection. * Fix CVE-2024-31459: file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution (RCE) can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. * Fix CVE-2024-34340: type juggling vulnerability Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if there is it, else use `md5`. `password_verify` and `password_hash` are supported on PHP < 5.5.0, following PHP manual. The vulnerability is in `compat_password_verify`. Md5-hashed user input is compared with correct password in database by `$md5 == $hash`. It is a loose comparison, not `===`. * Add salsa CI. Checksums-Sha1: e79f0667dc692c5da27664d3cedc5e3198332ccb 2525 cacti_1.2.16+ds1-2+deb11u4.dsc a69b61a006c30aaea6e0d2dd23981c48dfb7cc2b 13562956 cacti_1.2.16+ds1.orig-docs-source.tar.gz e130e91a789af3125d276c5a9022b915cbaea822 7423308 cacti_1.2.16+ds1.orig.tar.gz 0b6787911ab595fbe843b1f33e6f2617405f9e8c 90608 cacti_1.2.16+ds1-2+deb11u4.debian.tar.xz b56ba6f5404f2684e7413296048356001b0f92b8 6604 cacti_1.2.16+ds1-2+deb11u4_amd64.buildinfo Checksums-Sha256: d527111ccfc6075f2c6230470849a3e5575ed0986ab2a3b588e252dca2434bb9 2525 cacti_1.2.16+ds1-2+deb11u4.dsc ce2d29621353ef096a8844ddedb96cc4cd5d2e11a6a26f1022cecbb2a4583fcd 13562956 cacti_1.2.16+ds1.orig-docs-source.tar.gz 2084865fda2f2f6ae0286cce87d9d9886e49a0b3c105228d99226cc027384511 7423308 cacti_1.2.16+ds1.orig.tar.gz a1209cd02b41a82ea633e9004ece7ed93fd59ae6e90a4832e91e145a9333ec97 90608 cacti_1.2.16+ds1-2+deb11u4.debian.tar.xz 3e0a84d316175ac4b144119ca583497093d69d316dda55df900b573983f269e0 6604 cacti_1.2.16+ds1-2+deb11u4_amd64.buildinfo Files: 4a35f0ced81046bcab420633a41c33cd 2525 web optional cacti_1.2.16+ds1-2+deb11u4.dsc 203a2ac99af6ea4a209e505647b398d8 13562956 web optional cacti_1.2.16+ds1.orig-docs-source.tar.gz 29b74097553ab9693820a1e71fc67083 7423308 web optional cacti_1.2.16+ds1.orig.tar.gz ee8071be30790aaed7cfd2047d60ba4b 90608 web optional cacti_1.2.16+ds1-2+deb11u4.debian.tar.xz 9d506e89c3e73f1adab58bcc29ef8f26 6604 web optional cacti_1.2.16+ds1-2+deb11u4_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmbe1IERHHJvdWNhQGRl Ymlhbi5vcmcACgkQADoaLapBCF/b5g//T7UGlIjyDq5qSWudkJnGkuGkyj80ZtOd MM/igQnUzS3Y8bWyKGcIxcH8jy+mWfS+x3hxovqAZG+07btPX93kKhHNhG17mgLJ 8gqf+/k+b53E5Qvp0PyM0H423y+l7xx/RSVDizkagp2aNDzdQkeSVqwnWxjeSYR+ e1TQKm/OlqcRvNsirOcDfHzW9gnRCHiy7UQIEkYQIi3NIVFRBb0sthGrU1SlCnXO 8jNiy1kl+wsLCaewZlqVkjmhrttDjni2f7Rwo7yCEOZcD1Rly0ek2scT+VDgqFMS Vpp2bSp5+pyPIw9YlRVm5zsTRa/IH0xnJxk43WgI0LeDxRxzpwl5tS/m+jBo4jRA cASX557/s7nOK4PLUyiC/za7zuCMIeEpDjrpS5iZmWueDpOpE9rEN0leHV/BV/IF Ms/DpC9nCANTNAoyfl8apTrXyLgGYfS47QlDBmb34FAwW8S5RigW/cm82UbFVsiS XnyFYgQLKkZjqmArL66vcVxMozxtwQo2RPUnEuPGKvVRTWrO8SzH0CRlWSLtxaoO LWxVWPgn5tgZdM/uaC+NNETyG/5tJoAL2ukk0D1jclZC2vwgXC+v4bbd7k9WOQTV PP1aCjMt89io16ipplvFwoYhYzWQVi4EfowYm+Mmjgju7KDGmv0gGVPvu6Mq3TsA AKlF8N1Iz1w= =aRDn -----END PGP SIGNATURE-----