cacti - Debian Package Tracker

general

source: cacti (main)
version: 1.2.16+ds1-2
maintainer: Cacti Maintainer (archive) (DMD)
uploaders: Paul Gevers [DMD]
arch: all
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.8.8h+ds1-10+deb9u1
o-o-sec: 0.8.8h+ds1-10+deb9u1
oldstable: 1.2.2+ds1-2+deb10u4
old-sec: 1.2.2+ds1-2+deb10u2
old-bpo: 1.2.16+ds1-2~bpo10+1
stable: 1.2.16+ds1-2
testing: 1.2.16+ds1-2
unstable: 1.2.16+ds1-2

versioned links

0.8.8h+ds1-10+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.2+ds1-2+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.2+ds1-2+deb10u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.16+ds1-2~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.16+ds1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

cacti (9 bugs: 0, 8, 1, 0)

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In watchfile debian/watch, reading webpage
  https://www.cacti.net/downloads/ failed: 308 Permanent Redirect

Created: 2021-07-09 Last update: 2021-09-25 21:35

A new upstream version is available: 1.2.18 high

A new upstream version 1.2.18 is available, you should consider packaging it.

Created: 2021-08-10 Last update: 2021-09-25 21:35

12 security issues in stretch high

There are 12 open security issues in stretch.

1 important issue:

CVE-2020-23226: Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php.

10 issues postponed or untriaged:

CVE-2018-10060: (needs triaging) Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
CVE-2018-10061: (needs triaging) Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
CVE-2018-20723: (needs triaging) A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
CVE-2018-20725: (needs triaging) A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
CVE-2018-20726: (needs triaging) A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
CVE-2019-11025: (needs triaging) In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.
CVE-2020-13230: (needs triaging) In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).
CVE-2020-13231: (needs triaging) In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.
CVE-2020-7106: (postponed; to be fixed through a stable update) Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).
CVE-2020-7237: (needs triaging) Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.

1 ignored issue:

CVE-2017-16641: lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php.

Created: 2021-08-28 Last update: 2021-09-22 22:06

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2021-08-14 Last update: 2021-09-26 00:57

Depends on packages which need a new maintainer normal

The packages that cacti depends on which need a new maintainer are:

dh-linktree (#980413)
- Build-Depends: dh-linktree

Created: 2021-01-18 Last update: 2021-09-25 23:32

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-01-27 Last update: 2021-01-27 03:01

3 low-priority security issues in buster low

There are 3 open security issues in buster.

3 issues left for the package maintainer to handle:

CVE-2020-23226: (needs triaging) Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php.
CVE-2020-25706: (needs triaging) A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field
CVE-2020-8813: (needs triaging) graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-09-22 22:06

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.5.0).

Created: 2020-11-17 Last update: 2021-08-18 14:02

news

[rss feed]

[2021-07-01] Accepted cacti 1.2.16+ds1-2~bpo10+1 (source) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: Paul Gevers)
[2021-01-23] Accepted cacti 1.2.2+ds1-2+deb10u4 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Paul Gevers)
[2021-01-20] cacti 1.2.16+ds1-2 MIGRATED to testing (Debian testing watch)
[2021-01-20] cacti 1.2.16+ds1-2 MIGRATED to testing (Debian testing watch)
[2021-01-17] Accepted cacti 1.2.16+ds1-2 (source) into unstable (Paul Gevers)
[2020-12-15] Accepted cacti 1.2.16+ds1-1~bpo10+1 (source) into buster-backports (Paul Gevers)
[2020-12-14] cacti 1.2.16+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-12-14] cacti 1.2.16+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-12-11] Accepted cacti 1.2.16+ds1-1 (source) into unstable (Paul Gevers)
[2020-11-13] Accepted cacti 1.2.15+ds1-2~bpo10+1 (source) into buster-backports (Paul Gevers)
[2020-11-09] cacti 1.2.15+ds1-2 MIGRATED to testing (Debian testing watch)
[2020-11-09] cacti 1.2.15+ds1-2 MIGRATED to testing (Debian testing watch)
[2020-11-06] Accepted cacti 1.2.15+ds1-2 (source) into unstable (Paul Gevers)
[2020-11-04] Accepted cacti 1.2.15+ds1-1 (source) into unstable (Paul Gevers)
[2020-09-07] Accepted cacti 1.2.14+ds1-1~bpo10+1 (source) into buster-backports (Paul Gevers)
[2020-08-29] cacti 1.2.14+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-08-29] cacti 1.2.14+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-08-27] Accepted cacti 1.2.14+ds1-1 (source) into unstable (Paul Gevers)
[2020-08-03] cacti 1.2.13+ds1-2 MIGRATED to testing (Debian testing watch)
[2020-08-02] Accepted cacti 1.2.12+ds1-1~bpo10+1 (source all) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Paul Gevers)
[2020-07-31] Accepted cacti 1.2.13+ds1-2 (source) into unstable (Paul Gevers)
[2020-07-27] Accepted cacti 1.2.13+ds1-1 (source) into unstable (Paul Gevers)
[2020-07-09] Accepted cacti 1.2.2+ds1-2+deb10u3 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Paul Gevers)
[2020-05-13] cacti 1.2.12+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-05-07] Accepted cacti 1.2.12+ds1-1 (source) into unstable (Paul Gevers)
[2020-04-07] Accepted cacti 1.2.11+ds1-1 (source) into unstable (Paul Gevers)
[2020-03-12] cacti 1.2.10+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-03-08] Accepted cacti 1.2.10+ds1-1 (source) into unstable (Paul Gevers)
[2020-02-16] cacti 1.2.9+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-02-13] Accepted cacti 1.2.9+ds1-1 (source) into unstable (Paul Gevers)

bugs [bug history graph]

all: 7 9
RC: 0
I&N: 6 8
M&W: 1
F&P: 0
patch: 1

links

homepage
lintian (0, 2)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (93, 29)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.2.16+ds1-2ubuntu1
3 bugs
patches for 1.2.16+ds1-2ubuntu1