Register | Log in

cacti

web interface for graphing of monitoring systems

Choose email to subscribe with

general

source: cacti (main)
version: 1.2.9+ds1-1
maintainer: Cacti Maintainer (archive) (DMD)
uploaders: Paul Gevers [DMD]
arch: all
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.8.8b+dfsg-8+deb8u6
o-o-sec: 0.8.8b+dfsg-8+deb8u9
oldstable: 0.8.8h+ds1-10+deb9u1
old-sec: 0.8.8h+ds1-10+deb9u1
stable: 1.2.2+ds1-2+deb10u2
stable-sec: 1.2.2+ds1-2+deb10u2
testing: 1.2.9+ds1-1
unstable: 1.2.9+ds1-1

versioned links

0.8.8b+dfsg-8+deb8u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.8.8b+dfsg-8+deb8u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.8.8h+ds1-10+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.2+ds1-2+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.9+ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

cacti (8 bugs: 0, 8, 0, 0)

action needed

3 security issues in buster high

There are 3 open security issues in buster.

2 important issues:

CVE-2020-8813: graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
CVE-2020-7237: Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.

1 issue skipped by the security teams:

CVE-2020-7106: Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).

Please fix them.

Created: 2019-09-23 Last update: 2020-02-24 15:02

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2020-8813: graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

Please fix it.

Created: 2020-02-22 Last update: 2020-02-24 15:02

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2020-8813: graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

Please fix it.

Created: 2020-02-22 Last update: 2020-02-24 15:02

10 security issues in stretch high

There are 10 open security issues in stretch.

1 important issue:

CVE-2020-7237: Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.

9 issues skipped by the security teams:

CVE-2018-20726: A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
CVE-2018-20724: A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
CVE-2018-20725: A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
CVE-2018-20723: A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
CVE-2018-10060: Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
CVE-2018-10061: Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
CVE-2019-11025: In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.
CVE-2020-7106: Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).
CVE-2017-16641: lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php.

Please fix them.

Created: 2017-11-08 Last update: 2020-02-24 15:02

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2020-02-26 Last update: 2020-02-26 14:00

8 ignored security issues in jessie low

There are 8 open security issues in jessie.

8 issues skipped by the security teams:

CVE-2018-20726: A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
CVE-2018-20724: A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
CVE-2018-20725: A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
CVE-2018-20723: A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
CVE-2018-10060: Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
CVE-2018-10061: Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
CVE-2017-1000031: SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters.
CVE-2017-16641: lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php.

Please fix them.

Created: 2017-07-19 Last update: 2020-02-24 15:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 4.3.0).

Created: 2019-07-08 Last update: 2020-02-14 06:36

news

[2020-02-16] cacti 1.2.9+ds1-1 MIGRATED to testing (Debian testing watch)
[2020-02-13] Accepted cacti 1.2.9+ds1-1 (source) into unstable (Debian FTP Masters) (signed by: Paul Gevers)
[2020-01-25] Accepted cacti 1.2.2+ds1-2+deb10u2 (source all) into proposed-updates->stable-new, proposed-updates (Hugo Lefeuvre)
[2020-01-20] Accepted cacti 0.8.8h+ds1-10+deb9u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Hugo Lefeuvre)
[2020-01-19] Accepted cacti 0.8.8h+ds1-10+deb9u1 (source all) into oldstable->embargoed, oldstable (Hugo Lefeuvre)
[2020-01-19] Accepted cacti 1.2.2+ds1-2+deb10u2 (source all) into stable->embargoed, stable (Hugo Lefeuvre)
[2020-01-18] Accepted cacti 0.8.8b+dfsg-8+deb8u9 (source all) into oldoldstable (Chris Lamb)
[2019-12-31] cacti 1.2.8+ds1-1 MIGRATED to testing (Debian testing watch)
[2019-12-31] cacti 1.2.8+ds1-1 MIGRATED to testing (Debian testing watch)
[2019-12-28] Accepted cacti 1.2.8+ds1-1 (source) into unstable (Paul Gevers)
[2019-12-11] Accepted cacti 0.8.8b+dfsg-8+deb8u8 (source all) into oldoldstable (Chris Lamb)
[2019-10-10] cacti 1.2.7+ds1-1 MIGRATED to testing (Debian testing watch)
[2019-10-07] Accepted cacti 1.2.7+ds1-1 (source) into unstable (Paul Gevers)
[2019-09-30] cacti 1.2.6+ds1-3 MIGRATED to testing (Debian testing watch)
[2019-09-30] cacti 1.2.6+ds1-3 MIGRATED to testing (Debian testing watch)
[2019-09-28] Accepted cacti 1.2.6+ds1-3 (source) into unstable (Paul Gevers)
[2019-09-19] Accepted cacti 1.2.6+ds1-2 (source) into unstable (Paul Gevers)
[2019-09-08] Accepted cacti 1.2.6+ds1-1 (source) into unstable (Paul Gevers)
[2019-07-30] Accepted cacti 1.2.2+ds1-2+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Paul Gevers)
[2019-07-18] cacti 1.2.4+ds1-2 MIGRATED to testing (Debian testing watch)
[2019-07-15] Accepted cacti 1.2.4+ds1-2 (source) into unstable (Paul Gevers)
[2019-07-15] Accepted cacti 1.2.4+ds1-1 (source) into unstable (Paul Gevers)
[2019-04-16] Accepted cacti 0.8.8b+dfsg-8+deb8u7 (source all) into oldstable (Chris Lamb)
[2019-04-13] cacti 1.2.2+ds1-2 MIGRATED to testing (Debian testing watch)
[2019-04-11] Accepted cacti 1.2.2+ds1-2 (source) into unstable (Paul Gevers) (signed by: Graham Inggs)
[2019-03-10] cacti 1.2.2+ds1-1 MIGRATED to testing (Debian testing watch)
[2019-02-27] Accepted cacti 1.2.2+ds1-1 (source) into unstable (Paul Gevers)
[2019-02-25] cacti 1.2.1+ds1-2 MIGRATED to testing (Debian testing watch)
[2019-02-14] Accepted cacti 1.2.1+ds1-2 (source) into unstable (Paul Gevers)
[2019-02-02] cacti 1.2.1+ds1-1 MIGRATED to testing (Debian testing watch)

1
2

bugs [bug history graph]

all: 7 9
RC: 1
I&N: 6 8
M&W: 0
F&P: 0
patch: 1
NC: 1

links

homepage
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots
l10n (93, 24)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.2.9+ds1-1ubuntu1
2 bugs
patches for 1.2.9+ds1-1ubuntu1

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing