fmangeant Cacti Guru User
Joined: 19 Sep 2003 Posts: 2325 Location: Sophia-Antipolis, France
Posted: Tue Feb 12, 2008 5:39 am Post subject: Cacti 0.8.7b and 0.8.6k release - IMPORTANT SECURITY UPDATES
Important Security Fixes for Cacti
Multiple security vulnerabilities have been discovered in Cacti's web interface:
- XSS vulnerabilities
- Path disclosure vulnerabilities
- SQL injection vulnerabilities
- HTTP response splitting vulnerabilities
All the above issues have been addressed in a new release of Cacti:
Patches for the following versions are available at:
mcutting Cacti Pro User
Joined: 16 Oct 2006 Posts: 954
Posted: Tue Feb 12, 2008 6:19 am Post subject:
Will there be any pre-patched files for Windows users with 0.8.7a?
Thanks
TheWitness Developer
Joined: 14 May 2002 Posts: 9450 Location: MI, USA
Posted: Tue Feb 12, 2008 7:12 am Post subject:
Please note that Jimmy will have to release a corresponding Plugin Architecture to go with this release.
Regards,
TheWitness
mcutting Cacti Pro User
Joined: 16 Oct 2006 Posts: 954
Posted: Tue Feb 12, 2008 7:13 am Post subject:
Thanks Larry - I was going to ask about that as well...
TheWitness Developer
Joined: 14 May 2002 Posts: 9450 Location: MI, USA
Posted: Tue Feb 12, 2008 7:16 am Post subject:
Jimmy is pretty busy, but should be able to knock this out. If not, one of us can package it.
Regards,
TheWitness
Howie Cacti Guru User
Joined: 16 Sep 2004 Posts: 2037 Location: United Kingdom
Posted: Tue Feb 12, 2008 2:55 pm Post subject:
To clarify - are the patches above to fix the specific security issues or to upgrade to 0.8.7b?
It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places.
rony Developer/Forum Admin
Joined: 17 Nov 2003 Posts: 5392 Location: Wisconsin, USA
Posted: Tue Feb 12, 2008 3:08 pm Post subject:
Patches are just for security issues.
fmangeant Cacti Guru User
Joined: 19 Sep 2003 Posts: 2325 Location: Sophia-Antipolis, France
Posted: Tue Feb 12, 2008 3:11 pm Post subject:
Howie wrote:
> It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places.

Same for me... I upgraded my 0.8.6j & 0.8.7a servers by hand this morning.
TheWitness Developer
Joined: 14 May 2002 Posts: 9450 Location: MI, USA
Posted: Tue Feb 12, 2008 8:39 pm Post subject:
Howie wrote:
> To clarify - are the patches above to fix the specific security issues or to upgrade to 0.8.7b?
> It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places.

Howie,
Is there anything I can do to stop the bleeding on your part?
Larry
Howie Cacti Guru User
Joined: 16 Sep 2004 Posts: 2037 Location: United Kingdom
Posted: Wed Feb 13, 2008 3:26 am Post subject:
TheWitness wrote:
> Is there anything I can do to stop the bleeding on your part?
> Larry

Nope. Like fmangeant, I applied the patches, although I had to make some of the changes manually. Luckily there aren't too many of them.
Looking at the 'b' changelog, I think quite a few of my tweaks are in the main code now, so I need to work out what's left, and merge that back into 'b' I guess, so I can upgrade properly. It's all UI sanding and polishing though, nothing structural.
TheWitness Developer
Joined: 14 May 2002 Posts: 9450 Location: MI, USA
Posted: Wed Feb 13, 2008 6:45 am Post subject:
Well, please let me know if there is anything we missed. We can do 0.8.7b patches...
Larry
mcutting Cacti Pro User
Joined: 16 Oct 2006 Posts: 954
Posted: Thu Feb 14, 2008 9:01 am Post subject:
HELP !!!
I managed to get the PIA working on 0.8.7b, but now have
CMDPHP: Poller[0] ERROR: A DB Exec Failed!, Error:'1064', SQL:"REPLACE INTO settings (name, value) VALUES ('url_path', 'Cacti\')'
in the logs every 10 seconds. I have set the url_path variable in plugins.php as suggested, and everything seems to work, with the exception of this error.
Any ideas?
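The 1064 in that log line comes from the unescaped trailing backslash in the url_path value: MySQL reads `\'` as an escaped quote, so the string literal never closes and the statement is a syntax error. The following is an added example, not Cacti's own code, that rebuilds the same REPLACE statement with and without escaping the value and checks whether the resulting SQL ends inside an open literal (the function names and the scanner are mine).

```python
# Added example (not Cacti code): shows why a trailing backslash in an
# unescaped value breaks the settings REPLACE statement, and what correct
# escaping of the value looks like. Assumes MySQL's default backslash-escape
# string syntax (sql_mode without NO_BACKSLASH_ESCAPES).

# Characters MySQL expects escaped inside a quoted string literal.
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def mysql_quote(value: str) -> str:
    """Return value as a single-quoted, properly escaped MySQL string literal."""
    return "'" + "".join(_ESCAPES.get(ch, ch) for ch in value) + "'"


def build_replace(name: str, value: str, escape: bool = True) -> str:
    """Build the settings REPLACE seen in the log; escape=False reproduces the bug."""
    lit = mysql_quote(value) if escape else "'" + value + "'"
    return f"REPLACE INTO settings (name, value) VALUES ({mysql_quote(name)}, {lit})"


def ends_inside_literal(sql: str) -> bool:
    """Scan single-quoted literals honouring backslash escapes and doubled quotes.

    Returns True when the statement ends while a literal is still open, which is
    exactly the condition MySQL reports as a 1064 syntax error."""
    in_literal = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_literal and ch == "\\":
            i += 2          # escaped character: skip it, whatever it is
            continue
        if ch == "'":
            if in_literal and sql[i + 1:i + 2] == "'":
                i += 2      # doubled quote inside a literal, not a terminator
                continue
            in_literal = not in_literal
        i += 1
    return in_literal


if __name__ == "__main__":
    # Constructed inputs mirroring the value from the log ("Cacti\").
    bad = build_replace("url_path", "Cacti\\", escape=False)
    good = build_replace("url_path", "Cacti\\")
    print(bad, "->", "unterminated literal" if ends_inside_literal(bad) else "ok")
    print(good, "->", "unterminated literal" if ends_inside_literal(good) else "ok")
```

The same check applies to any value that reaches the query builder unescaped; the durable fix is to escape (or parameterise) every value rather than to adjust url_path by hand.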
fmangeant Cacti Guru User
Joined: 19 Sep 2003 Posts: 2325 Location: Sophia-Antipolis, France
Posted: Thu Feb 14, 2008 9:02 am Post subject:
Hi,
please post in the plugin arch forum.
andrew2 Cacti User
Joined: 26 Jul 2004 Posts: 64 Location: Cincinnati, OH
Posted: Thu Feb 14, 2008 9:15 am Post subject:
Am I safe to assume those of us using web-basic authentication exclusively are safe from the security issues? (Assuming of course that authenticated users are trustworthy.)
Andrew