Cacti: official forums and support
[ 25 posts ] Page 1 of 2
All times are UTC - 5 hours

Post subject: Cacti 0.8.7b and 0.8.6k release - IMPORTANT SECURITY UPDATES
PostPosted: Tue Feb 12, 2008 5:39 am
Cacti Guru User

Joined: Fri Sep 19, 2003 8:36 am
Posts: 2326
Location: Sophia-Antipolis, France
Important Security Fixes for Cacti

Multiple security vulnerabilities have been discovered in Cacti's web interface:
  • XSS vulnerabilities
  • Path disclosure vulnerabilities
  • SQL injection vulnerabilities
  • HTTP response splitting vulnerabilities
All the above issues have been addressed in a new release of Cacti:
Patches for the following versions are available at:

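All four classes in the list above are the same defect in different output contexts: attacker-controlled input copied unescaped into HTML, a SQL string, or an HTTP header. The following is an added example, not Cacti's code and not the code that was fixed in 0.8.7b or 0.8.6k, showing the HTTP response splitting class concretely. A redirect handler copies a request parameter into a Location header; a CR/LF inside that parameter ends the header block early, and a lenient client reads the bytes that follow as a second, attacker-authored response (here carrying a script, which is how response splitting becomes cross-site scripting). The parameter value, the URL and the 25-byte script body are constructed for this example; the parser models a lenient HTTP/1.1 client, and the hardened builder refuses any CR, LF or NUL in a header value.

```python
# Added example (generic, not Cacti's code): HTTP response splitting.  A CR/LF
# that reaches a header value ends the header block early, and whatever follows
# is read by a lenient client as a second response under the attacker's control.

# Constructed attacker input for a redirect parameter: a normal-looking URL,
# then CRLF to close the Location header, a blank line to end the first
# response, and a complete second response carrying a script (25-byte body).
SPLIT_PAYLOAD = (
    "http://example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)


def build_redirect_naive(location: str) -> bytes:
    # Vulnerable pattern: request-controlled value copied straight into a header.
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def build_redirect_hardened(location: str) -> bytes:
    # Fix: a header value can never legitimately contain CR, LF or NUL, so reject
    # the request rather than strip the characters (stripping invites encoding tricks).
    if any(c in location for c in "\r\n\0"):
        raise ValueError("control character in header value")
    return build_redirect_naive(location)


def parse_responses(raw: bytes) -> list:
    """Read a byte stream the way a lenient HTTP/1.1 client would: every
    'HTTP/1.x' start line begins a response, headers run to the first blank
    line, and the body length comes from Content-Length (0 if absent)."""
    responses, pos = [], 0
    while raw.startswith(b"HTTP/1.", pos):
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        responses.append({"status": lines[0], "headers": headers,
                          "body": raw[body_start:body_start + length]})
        pos = body_start + length
    return responses


if __name__ == "__main__":
    # With the naive builder the client sees two responses; the second one is the attacker's.
    for resp in parse_responses(build_redirect_naive(SPLIT_PAYLOAD)):
        print(resp["status"], resp["headers"], resp["body"])
    try:
        build_redirect_hardened(SPLIT_PAYLOAD)
    except ValueError as exc:
        print("hardened builder refused the value:", exc)
```

The important design point is in `build_redirect_hardened`: validation rejects the whole value instead of deleting the offending bytes, because a strip-and-continue filter has to anticipate every encoding a client might later decode, while a reject is complete by construction.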
 
PostPosted: Tue Feb 12, 2008 6:19 am
Cacti Guru User

Joined: Mon Oct 16, 2006 5:57 am
Posts: 1876
Location: United Kingdom
Will there be any pre-patched files for Windows users with 0.8.7a ?

Thanks

_________________
Cacti Version 0.8.8b
Cacti OS Ubuntu LTS
RRDTool Version RRDTool 1.4.7
Poller Information
Type SPINE 0.8.8b

 
PostPosted: Tue Feb 12, 2008 7:12 am
Developer

Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Please note that Jimmy will have to release a corresponding Plugin Architecture to go with this release.

Regards,

TheWitness

_________________
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of MacTrack, Boost, CLog, SpikeKill, Platform RTM, DSStats, maintainer of Spine, lots of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
Gandalfs Official Debugging Help
Central Plugin Repository
Central Templates Repository

 
PostPosted: Tue Feb 12, 2008 7:13 am
Cacti Guru User

Joined: Mon Oct 16, 2006 5:57 am
Posts: 1876
Location: United Kingdom
Thanks Larry - I was going to ask about that as well...

 
PostPosted: Tue Feb 12, 2008 7:16 am
Developer

Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Jimmy is pretty busy, but should be able to knock this out. If not, one of us can package it.

Regards,

TheWitness

 
PostPosted: Tue Feb 12, 2008 2:55 pm
Cacti Guru User

Joined: Thu Sep 16, 2004 5:53 am
Posts: 4631
Location: United Kingdom
To clarify - are the patches above to fix the specific security issues or to upgrade to 0.8.7b?

It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places :oops:

_________________
Weathermap 0.97c is out! & QuickTree 0.2. Superlinks is over there now.
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)

Security Notice: CVE-2013-2618 Network Weathermap 0.97a - editor security issues

My System: CentOS5 64 bit, 4 2GHz cores (Intel E5405), 8GB, Cacti 0.8.7e, Spine 0.8.7e, Weathermap 0.98dev, Superlinks 0.8, ReportIt 0.7.1, THold 0.3.9hj, Explain 0.1, Uptime 0.4hj, Realtime 0.36hj, QuickTree 0.2 - 17000 DS, 320 Hosts. 150 seconds poll.


 
PostPosted: Tue Feb 12, 2008 3:08 pm
Developer/Forum Admin

Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
Patches are just for security issues.

_________________
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.


Top
 Profile  
 
PostPosted: Tue Feb 12, 2008 3:11 pm
Cacti Guru User

Joined: Fri Sep 19, 2003 8:36 am
Posts: 2326
Location: Sophia-Antipolis, France
Howie wrote:
It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places :oops:

Same for me... I upgraded by hand my 0.8.6j & 0.8.7a servers this morning.

 
PostPosted: Tue Feb 12, 2008 8:39 pm
Developer

Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Howie wrote:
To clarify - are the patches above to fix the specific security issues or to upgrade to 0.8.7b?

It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places :oops:


Howie,

Is there anything I can do to stop the bleeding on your part?

Larry

 
PostPosted: Wed Feb 13, 2008 2:58 am
Cacti Guru User

Joined: Fri Sep 19, 2003 8:36 am
Posts: 2326
Location: Sophia-Antipolis, France
Plugin Architecture 2.0 for Cacti 0.8.7b is out : http://forums.cacti.net/viewtopic.php?t=25766

 
PostPosted: Wed Feb 13, 2008 3:26 am
Cacti Guru User

Joined: Thu Sep 16, 2004 5:53 am
Posts: 4631
Location: United Kingdom
TheWitness wrote:
Is there anything I can do to stop the bleeding on your part?

Larry


Nope. Like fmangeant, I applied the patches, although I had to make some of the changes manually. Luckily there aren't too many of them :-)

Looking at the 'b' changelog, I think quite a few of my tweaks are in the main code now, so I need to work out what's left, and merge that back into 'b' I guess, so I can upgrade properly. It's all UI sanding and polishing though, nothing structural.

 
PostPosted: Wed Feb 13, 2008 6:45 am
Developer

Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Well, please let me know if there is anything we missed. We can do 0.8.7b patches...

Larry

 
PostPosted: Thu Feb 14, 2008 9:01 am
Cacti Guru User

Joined: Mon Oct 16, 2006 5:57 am
Posts: 1876
Location: United Kingdom
HELP !!!

I managed to get the PIA working on 0.8.7b, but now have

CMDPHP: Poller[0] ERROR: A DB Exec Failed!, Error:'1064', SQL:"REPLACE INTO settings (name, value) VALUES ('url_path', 'Cacti\')'

In the logs every 10 seconds - I have set the url_path variable in plugins.php as suggested, and everything seems to work, with the exception of this error.

Any ideas ?

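The statement in the log above ends its value with a backslash: `VALUES ('url_path', 'Cacti\')`. In MySQL's default mode a backslash inside a single-quoted literal escapes the character after it, so `\'` does not close the string; the literal runs to the end of the statement and the server rejects it with syntax error 1064. It is the same string-concatenation pattern that, with a differently chosen value, becomes the SQL injection class named in the first post. The example below is added here and is not Cacti's or the Plugin Architecture's code: it implements MySQL's quoting rules in a small lexer to show both outcomes, next to the character escaping that mysql_real_escape_string() applies. It assumes the default sql_mode (under NO_BACKSLASH_ESCAPES the rules differ, which is one reason bound parameters in a prepared statement are the robust fix rather than escaping). The `settings` table and the `url_path` name are the ones in the logged statement; the injection value is constructed.

```python
# Added example (not Cacti code): MySQL string-literal rules as a small lexer,
# used to show why "VALUES ('url_path', 'Cacti\')" is a syntax error and how
# the same concatenation becomes SQL injection.  Assumes MySQL's default
# sql_mode, where backslash is an escape character inside quoted literals.

from typing import List, Tuple

# Characters mysql_real_escape_string() rewrites in the default sql_mode.
# Escaping is shown for contrast; bound parameters avoid string building entirely.
_MYSQL_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
    "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def build_naive(name: str, value: str) -> str:
    # The pattern behind the logged statement: values concatenated into SQL unescaped.
    return f"REPLACE INTO settings (name, value) VALUES ('{name}', '{value}')"


def build_escaped(name: str, value: str) -> str:
    return ("REPLACE INTO settings (name, value) VALUES "
            f"('{mysql_escape(name)}', '{mysql_escape(value)}')")


def split_statements(sql: str) -> Tuple[List[str], bool]:
    """Split SQL on ';' outside string literals using MySQL's default rules:
    backslash escapes the next character, a doubled quote is a literal quote,
    and '-- ' or '#' starts a line comment.  Returns (statements, unterminated);
    unterminated is True when the text ends inside a literal, which is what the
    server rejects with error 1064."""
    statements, buf, quote, i = [], [], None, 0
    while i < len(sql):
        ch = sql[i]
        if quote is not None:
            if ch == "\\" and i + 1 < len(sql):           # escape: consume next char too
                buf.append(sql[i:i + 2]); i += 2; continue
            if ch == quote and sql[i + 1:i + 2] == quote:  # doubled quote stays inside
                buf.append(quote * 2); i += 2; continue
            if ch == quote:                                # closing quote
                quote = None
            buf.append(ch); i += 1; continue
        if sql.startswith("-- ", i) or ch == "#":         # line comment: skip to EOL
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl + 1
            continue
        if ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            text = "".join(buf).strip()
            if text:
                statements.append(text)
            buf = []; i += 1; continue
        buf.append(ch); i += 1
    text = "".join(buf).strip()
    if text:
        statements.append(text)
    return statements, quote is not None


LOGGED_VALUE = "Cacti\\"                           # value from the log: Cacti + trailing backslash
INJECTED_VALUE = "x'); DROP TABLE settings; -- "   # constructed injection payload

if __name__ == "__main__":
    for label, value in (("trailing backslash", LOGGED_VALUE), ("injection", INJECTED_VALUE)):
        for builder in (build_naive, build_escaped):
            stmts, open_literal = split_statements(builder("url_path", value))
            print(f"{label:18} {builder.__name__:13} statements={len(stmts)} unterminated={open_literal}")
```

The lexer shows the two faces of one bug: the logged value leaves the literal unterminated (a crash), while the constructed value closes it early and yields a second statement (an injection). Whether a driver would actually execute a second stacked statement depends on the API, but the parse is what matters; the escaped builder produces exactly one terminated statement in both cases.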
 
PostPosted: Thu Feb 14, 2008 9:02 am
Cacti Guru User

Joined: Fri Sep 19, 2003 8:36 am
Posts: 2326
Location: Sophia-Antipolis, France
Hi

Please post in the plugin arch forum.

 
PostPosted: Thu Feb 14, 2008 9:15 am
Cacti User

Joined: Mon Jul 26, 2004 2:50 pm
Posts: 64
Location: Cincinnati, OH
Am I safe to assume those of us using web-basic authentication exclusively are safe from the security issues? (Assuming of course that authenticated users are trustworthy :wink: )

Andrew


 
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group