Register | Log in

cacti

web interface for graphing of monitoring systems

Choose email to subscribe with

general

source: cacti (main)
version: 1.2.16+ds1-2
maintainer: Cacti Maintainer (archive) (DMD)
uploaders: Paul Gevers [DMD]
arch: all
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.8.8b+dfsg-8+deb8u6
o-o-sec: 0.8.8b+dfsg-8+deb8u9
oldstable: 0.8.8h+ds1-10+deb9u1
old-sec: 0.8.8h+ds1-10+deb9u1
stable: 1.2.2+ds1-2+deb10u3
stable-sec: 1.2.2+ds1-2+deb10u2
stable-bpo: 1.2.16+ds1-1~bpo10+1
testing: 1.2.16+ds1-1
unstable: 1.2.16+ds1-2

versioned links

0.8.8b+dfsg-8+deb8u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.8.8b+dfsg-8+deb8u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.8.8h+ds1-10+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.2+ds1-2+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.2+ds1-2+deb10u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.16+ds1-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.16+ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.16+ds1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

cacti (9 bugs: 0, 8, 1, 0)

action needed

3 security issues in buster high

There are 3 open security issues in buster.

1 important issue:

CVE-2020-35701: An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.

2 issues skipped by the security teams:

CVE-2020-25706: A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field
CVE-2020-8813: graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

Please fix them.

Created: 2019-09-23 Last update: 2021-01-18 07:35

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2020-35701: An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.

Please fix it.

Created: 2021-01-11 Last update: 2021-01-18 07:35

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2020-10-19 Last update: 2021-01-19 02:30

Depends on packages which need a new maintainer normal

The packages that cacti depends on which need a new maintainer are:

dh-linktree (#980413)
- Build-Depends: dh-linktree

Created: 2021-01-18 Last update: 2021-01-19 01:37

13 ignored security issues in stretch low

There are 13 open security issues in stretch.

13 issues skipped by the security teams:

CVE-2017-16641: lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php.
CVE-2018-10060: Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
CVE-2018-10061: Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
CVE-2018-20723: A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
CVE-2018-20724: A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
CVE-2018-20725: A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
CVE-2018-20726: A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
CVE-2019-11025: In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.
CVE-2020-13230: In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).
CVE-2020-13231: In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.
CVE-2020-25706: A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field
CVE-2020-7106: Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).
CVE-2020-7237: Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.

Please fix them.

Created: 2017-11-08 Last update: 2021-01-18 07:35

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.5.0).

Created: 2020-11-17 Last update: 2021-01-18 07:04

testing migrations

excuses:
- Migration status for cacti (1.2.16+ds1-1 to 1.2.16+ds1-2): Waiting for test results, another package or too young (no action required now - check later)
- Issues preventing migration:
- Too young, only 1 of 2 days old
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/c/cacti.html
- Required age reduced by 3 days because of autopkgtest
- Not considered

news

[2021-01-17] Accepted cacti 1.2.16+ds1-2 (source) into unstable (Paul Gevers)
[2020-12-15] Accepted cacti 1.2.16+ds1-1~bpo10+1 (source) into buster-backports (Paul Gevers)
[2020-12-14] cacti 1.2.16+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-12-14] cacti 1.2.16+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-12-11] Accepted cacti 1.2.16+ds1-1 (source) into unstable (Paul Gevers)
[2020-11-13] Accepted cacti 1.2.15+ds1-2~bpo10+1 (source) into buster-backports (Paul Gevers)
[2020-11-09] cacti 1.2.15+ds1-2 MIGRATED to testing (Debian testing watch)
[2020-11-09] cacti 1.2.15+ds1-2 MIGRATED to testing (Debian testing watch)
[2020-11-06] Accepted cacti 1.2.15+ds1-2 (source) into unstable (Paul Gevers)
[2020-11-04] Accepted cacti 1.2.15+ds1-1 (source) into unstable (Paul Gevers)
[2020-09-07] Accepted cacti 1.2.14+ds1-1~bpo10+1 (source) into buster-backports (Paul Gevers)
[2020-08-29] cacti 1.2.14+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-08-29] cacti 1.2.14+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-08-27] Accepted cacti 1.2.14+ds1-1 (source) into unstable (Paul Gevers)
[2020-08-03] cacti 1.2.13+ds1-2 MIGRATED to testing (Debian testing watch)
[2020-08-02] Accepted cacti 1.2.12+ds1-1~bpo10+1 (source all) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Paul Gevers)
[2020-07-31] Accepted cacti 1.2.13+ds1-2 (source) into unstable (Paul Gevers)
[2020-07-27] Accepted cacti 1.2.13+ds1-1 (source) into unstable (Paul Gevers)
[2020-07-09] Accepted cacti 1.2.2+ds1-2+deb10u3 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Paul Gevers)
[2020-05-13] cacti 1.2.12+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-05-07] Accepted cacti 1.2.12+ds1-1 (source) into unstable (Paul Gevers)
[2020-04-07] Accepted cacti 1.2.11+ds1-1 (source) into unstable (Paul Gevers)
[2020-03-12] cacti 1.2.10+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-03-08] Accepted cacti 1.2.10+ds1-1 (source) into unstable (Paul Gevers)
[2020-02-16] cacti 1.2.9+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-02-13] Accepted cacti 1.2.9+ds1-1 (source) into unstable (Paul Gevers)
[2020-01-25] Accepted cacti 1.2.2+ds1-2+deb10u2 (source all) into proposed-updates->stable-new, proposed-updates (Hugo Lefeuvre)
[2020-01-20] Accepted cacti 0.8.8h+ds1-10+deb9u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Hugo Lefeuvre)
[2020-01-19] Accepted cacti 0.8.8h+ds1-10+deb9u1 (source all) into oldstable->embargoed, oldstable (Hugo Lefeuvre)
[2020-01-19] Accepted cacti 1.2.2+ds1-2+deb10u2 (source all) into stable->embargoed, stable (Hugo Lefeuvre)

1
2

bugs [bug history graph]

all: 7 9
RC: 0
I&N: 6 8
M&W: 1
F&P: 0
patch: 1

links

homepage
lintian
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (93, 29)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.2.10+ds1-1ubuntu1
3 bugs
patches for 1.2.10+ds1-1ubuntu1

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing