Debian Package Tracker

general

source: cacti (main)
version: 1.2.7+ds1-1
maintainer: Cacti Maintainer (archive) (DMD)
uploaders: Paul Gevers [DMD]
arch: all
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.8.8b+dfsg-8+deb8u6
o-o-sec: 0.8.8b+dfsg-8+deb8u8
oldstable: 0.8.8h+ds1-10
stable: 1.2.2+ds1-2+deb10u1
testing: 1.2.7+ds1-1
unstable: 1.2.7+ds1-1

versioned links

0.8.8b+dfsg-8+deb8u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.8.8b+dfsg-8+deb8u8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.8.8h+ds1-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.2+ds1-2+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.7+ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

cacti (7 bugs: 0, 7, 0, 0)

action needed

Marked for autoremoval on 02 January due to fontcustom: #910945 high

Version 1.2.7+ds1-1 of cacti is marked for autoremoval from testing on Thu 02 Jan 2020. It depends (transitively) on fontcustom, affected by #910945. You should try to prevent the removal by fixing these RC bugs.

Created: 2019-12-03 Last update: 2019-12-11 15:08

3 security issues in buster high

There are 3 open security issues in buster.

3 important issues:

CVE-2019-17357:
CVE-2019-17358:
CVE-2019-16723: In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.

Please fix them.

Created: 2019-09-23 Last update: 2019-12-11 14:34

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2019-17357:
CVE-2019-17358:

Please fix them.

Created: 2019-12-11 Last update: 2019-12-11 14:34

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2019-17357:
CVE-2019-17358:

Please fix them.

Created: 2019-12-11 Last update: 2019-12-11 14:34

10 security issues in stretch high

There are 10 open security issues in stretch.

2 important issues:

CVE-2019-17357:
CVE-2019-17358:

8 issues skipped by the security teams:

CVE-2018-20726: A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
CVE-2018-20724: A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
CVE-2018-20725: A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
CVE-2018-20723: A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
CVE-2018-10060: Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
CVE-2018-10061: Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
CVE-2019-11025: In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.
CVE-2017-16641: lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php.

Please fix them.

Created: 2017-11-08 Last update: 2019-12-11 14:34

A new upstream version is available: 1.2.8 high

A new upstream version 1.2.8 is available, you should consider packaging it.

Created: 2019-12-10 Last update: 2019-12-11 10:03

lintian reports 9 warnings high

Lintian reports 9 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2018-04-08 Last update: 2019-10-09 01:38

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2019-08-01 Last update: 2019-12-11 16:34

Depends on packages which need a new maintainer normal

The packages that cacti depends on which need a new maintainer are:

apache2 (#910917)
- Recommends: apache2
lighttpd (#898110)
- Recommends: lighttpd

Created: 2019-11-22 Last update: 2019-12-11 14:41

8 ignored security issues in jessie low

There are 8 open security issues in jessie.

8 issues skipped by the security teams:

CVE-2018-20726: A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
CVE-2018-20724: A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
CVE-2018-20725: A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
CVE-2018-20723: A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
CVE-2018-10060: Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
CVE-2018-10061: Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
CVE-2017-1000031: SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters.
CVE-2017-16641: lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php.

Please fix them.

Created: 2017-07-19 Last update: 2019-12-11 14:34

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.1 instead of 4.3.0).

Created: 2019-07-08 Last update: 2019-10-08 01:38

news

[rss feed]

[2019-12-11] Accepted cacti 0.8.8b+dfsg-8+deb8u8 (source all) into oldoldstable (Chris Lamb)
[2019-10-10] cacti 1.2.7+ds1-1 MIGRATED to testing (Debian testing watch)
[2019-10-07] Accepted cacti 1.2.7+ds1-1 (source) into unstable (Paul Gevers)
[2019-09-30] cacti 1.2.6+ds1-3 MIGRATED to testing (Debian testing watch)
[2019-09-30] cacti 1.2.6+ds1-3 MIGRATED to testing (Debian testing watch)
[2019-09-28] Accepted cacti 1.2.6+ds1-3 (source) into unstable (Paul Gevers)
[2019-09-19] Accepted cacti 1.2.6+ds1-2 (source) into unstable (Paul Gevers)
[2019-09-08] Accepted cacti 1.2.6+ds1-1 (source) into unstable (Paul Gevers)
[2019-07-30] Accepted cacti 1.2.2+ds1-2+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Paul Gevers)
[2019-07-18] cacti 1.2.4+ds1-2 MIGRATED to testing (Debian testing watch)
[2019-07-15] Accepted cacti 1.2.4+ds1-2 (source) into unstable (Paul Gevers)
[2019-07-15] Accepted cacti 1.2.4+ds1-1 (source) into unstable (Paul Gevers)
[2019-04-16] Accepted cacti 0.8.8b+dfsg-8+deb8u7 (source all) into oldstable (Chris Lamb)
[2019-04-13] cacti 1.2.2+ds1-2 MIGRATED to testing (Debian testing watch)
[2019-04-11] Accepted cacti 1.2.2+ds1-2 (source) into unstable (Paul Gevers) (signed by: Graham Inggs)
[2019-03-10] cacti 1.2.2+ds1-1 MIGRATED to testing (Debian testing watch)
[2019-02-27] Accepted cacti 1.2.2+ds1-1 (source) into unstable (Paul Gevers)
[2019-02-25] cacti 1.2.1+ds1-2 MIGRATED to testing (Debian testing watch)
[2019-02-14] Accepted cacti 1.2.1+ds1-2 (source) into unstable (Paul Gevers)
[2019-02-02] cacti 1.2.1+ds1-1 MIGRATED to testing (Debian testing watch)
[2019-01-28] Accepted cacti 1.2.1+ds1-1 (source) into unstable (Paul Gevers)
[2018-12-30] cacti 1.1.38+ds1-2 MIGRATED to testing (Debian testing watch)
[2018-12-27] Accepted cacti 1.1.38+ds1-2 (source) into unstable (Paul Gevers)
[2018-12-02] Accepted cacti 1.2.0~beta4+ds1-1 (source) into experimental (Paul Gevers)
[2018-10-28] Accepted cacti 1.2.0~beta2+ds1-1 (source) into experimental (Paul Gevers)
[2018-04-26] Accepted cacti 1.1.38+ds1-1~bpo9+1 (source) into stretch-backports (Paul Gevers)
[2018-04-23] cacti 1.1.38+ds1-1 MIGRATED to testing (Debian testing watch)
[2018-04-18] Accepted cacti 1.1.38+ds1-1 (source) into unstable (Paul Gevers)
[2018-04-18] cacti 1.1.37+ds1-1 MIGRATED to testing (Debian testing watch)
[2018-04-12] Accepted cacti 1.1.37+ds1-1 (source) into unstable (Paul Gevers)

bugs [bug history graph]

all: 5 7
RC: 0
I&N: 5 7
M&W: 0
F&P: 0
patch: 1

links

homepage
lintian (0, 9)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.2.4+ds1-2ubuntu3
2 bugs
patches for 1.2.4+ds1-2ubuntu3