openSUSE: 2022:0145-1 moderate: cacti, cacti-spine | LinuxSecurity.com

   openSUSE Security Update: Security update for cacti, cacti-spine
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0145-1
Rating:             moderate
References:         #1192408 #1196692 
Cross-References:   CVE-2022-0730
CVSS scores:
                    CVE-2022-0730 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP3
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   This update for cacti, cacti-spine fixes the following issues:

   cacti-spine was updated to 1.2.20:

     * Add support for newer versions of MySQL/MariaDB
     * When checking for uptime of device, don't assume a non-response is
       always fatal
     * Fix description and command trunctation issues
     * Improve spine performance when only one snmp agent port is in use

   cacti-spine 1.2.19:

     * Fix 1ssues with polling loop may skip some datasources
     * Fix ping no longer works due to hostname changes
     * Fix RRD steps are not always calculated correctly
     * Fix unable to build when DES no longer supported
     * Fix IPv6 devices are not properly parsed
     * Reduce a number of compiler warnings
     * Fix compiler warnings due to lack of return in thread_mutex_trylock
     * Fix Spine will not look at non-timetics uptime when sysUpTimeInstance
       overflows
     * Improve performance of Cacti poller on heavily loaded systems

   cacti-spine 1.2.20:

     * Add support for newer versions of MySQL/MariaDB
     * When checking for uptime of device, don't assume a non-response is
       always fatal
     * Fix description and command trunctation issues
     * Improve spine performance when only one snmp agent port is in use

   cacti was updated to 1.2.20:

     * Security fix for CVE-2022-0730, boo#1196692 Under certain ldap
       conditions, Cacti authentication can be bypassed with certain
       credential types.
     * Security fix: Device, Graph, Graph Template, and Graph Items may be
       vulnerable to XSS issues
     * Security fix: Lockout policies are not properly applied to LDAP and
       Domain Users
     * Security fix: When using 'remember me' option, incorrect realm may be
       selected
     * Security fix: User and Group maintenance are vulnerable to SQL attacks
     * Security fix: Color Templates are vulnerable to XSS attack
     * Features:
       * When creating a Data Source Profile, allow additional choices for
         Heartbeat
       * Change select all options to use Font Awesome icons
       * Improve spine performance by storing the total number of system
         snmp_ports in use
       * Prevent Template User Accounts from being Removed
       * When managing by users, allow filtering by Realm
       * Allow plugins to supply template account names
       * When viewing logs, additional message types should be filterable
       * When creating a Graph Template Item, allow filtering by Data Template
       * Allow language handler to be selected via UI
       * Updated Device packages for Synology, Citrix NetScaler, Cisco
         ASA/Cisco
       * Add Advanced Ping Graph Template to initial Installable templates
       * Add LDAP Debug Mode option
       * Allow Reports to include devices not on a Tree
       * Allow Basic Authentication to display custom failure message
     * Fix: When replicating data during installation/upgrade, system may
       appear to hang
     * Fix: Graph Template Items may have duplicated entries
     * Fix: Unable to Save Graph Settings
     * Fix: Script Server may crash if an OID is missing or unavailable
     * Fix: When system-wide polling is disabled, remote pollers may fail to
       sync changed settings
     * Fix: When updating poller name, duplicate name protection may be over
       zealous
     * Fix: Titles may show "Missing Datasource" incorectly
     * Fix: Checking for MIB Cache can cause crashes
     * Fix: Polling cycles may not always complete as expected
     * Fix: When viewing graph data, non-numeric values may appear
     * Fix: Utilities view has calculation errors when there are no data
       sources
     * Fix: When editing Reports, drag and drop may not function as intended
     * Fix: When data drive is full, viewing a Graph can result in errors
     * Various other bug fixes

   cacti 1.2.19:

     * Further fixes for grave character security protection (boo#1192408)
     * Fix Over aggressive escaping causing menu visibility issues on Create
       Device page
     * Add SHA256 and AES256 security levels for SNMP polling
     * Import graph template(Preview Only) show color_id new value as a blank
       area
     * Fix Editing graphs errors due to missing sequence
     * Fix 2hen hovering over a Tree Graph, row shows same highlighting as
       Graph Edit screen
     * Fix 2hen RealTime is not active, console errors may appear
     * Fix race conditions may occur when multiple RRDtool processes are
       running
     * Fix errors creating graphs from templates
     * Fix errors when duplicating reports
     * Fix Boost may be blocked by overflowing poller_output table
     * Fix Template import may be blocked due to unmet dependency warnings
       with snmp ports
     * Fix Newer MySQL versions may error if committing a transaction when
       not in one
     * Fix SNMP Agent may not find a cache item
     * Fix Correct issues running under PHP 8.x
     * Fix When polling is disabled, boost may crash and creates many arch
       tables
     * Fix When poller runs, memory tables may not always be present
     * Fix Timezones may sometimes be incorrectly calculated
     * Fix Allow monitoring IPv6 with interface graphs
     * Fix When a data source uses a Data Input Method, those without a
       mapping should be flagged
     * Fix When RRDfile is not yet created, errors may appear when displaying
       the graph
     * Fix Cacti missing key indexes that result in Preset pages slowdowns
     * Fix Data Sources page shows no name when Data Source has no name cache
     * Fix db_update_table function can not alter table from signed to
       unsigned
     * Fix data remains in poller_output table even if it's flushed to rrd
       files
     * Fix Parameter list for lib/database.php:db_connect_real() is not
       correct in 3 places
     * Fix Offset is a reserved word in MariaDB 10.6 affecting Report
     * Fix Rendering large trees slowed due to lack of permission caching
     * Fix Error on interpretation of snmpUtime, when to big
     * Fix Applying right axis formatting creates an error-image
     * Fix Unable to Save Graph Settings from the Graphs pages
     * Fix Graph Template Cache is nullified too often when Graph Automation
       is running
     * Fix When Adding a Data Query to a Device, no Progress Spinner is shown
     * Fix New Browser Breaks Plugins that depend on non UTC date time data
     * Fix errors when testing remote poller connectivity
     * Fix errors when renaming poller
     * Fix Removing spikes by Variance does not appear to be working beyond
       the first RRA
     * Fix LDAP API lacks timeout options leading to bad login experiences
     * Add a normal/wrap class for general use
     * Limit File Types available for Template Import operations
     * Fix Cacti does not provide an option of providing a client side
       certificate for LDAP/AD authentication
     * Support Stronger Encryption Available Starting in Net-SNMP v5.8
     * Allow Cacti to use multiple possible LDAP servers
     * Add a 15 minute polling/sampling interval
     * Provide additional admin email notifications
     * Add warnings for undesired changes to plugin hook return values
     * When creating a Graph, make testing the Data Sources optional by
       Template
     * Update phpseclib to 2.0.33
     * Update jstree.js to 3.3.12
     * Improve performance of Cacti poller on heavily loaded systems
     * MariaDB recommendations need some tuning for recent updates


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-145=1



Package List:

   - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

      cacti-spine-1.2.20-bp153.2.9.1

   - openSUSE Backports SLE-15-SP3 (noarch):

      cacti-1.2.20-bp153.2.9.1


References:

   https://www.suse.com/security/cve/CVE-2022-0730.html
   https://bugzilla.suse.com/1192408
   https://bugzilla.suse.com/1196692

openSUSE: 2022:0145-1 moderate: cacti, cacti-spine

May 24, 2022
An update that solves one vulnerability and has one errata is now available

Description

This update for cacti, cacti-spine fixes the following issues: cacti-spine was updated to 1.2.20: * Add support for newer versions of MySQL/MariaDB * When checking for uptime of device, don't assume a non-response is always fatal * Fix description and command trunctation issues * Improve spine performance when only one snmp agent port is in use cacti-spine 1.2.19: * Fix 1ssues with polling loop may skip some datasources * Fix ping no longer works due to hostname changes * Fix RRD steps are not always calculated correctly * Fix unable to build when DES no longer supported * Fix IPv6 devices are not properly parsed * Reduce a number of compiler warnings * Fix compiler warnings due to lack of return in thread_mutex_trylock * Fix Spine will not look at non-timetics uptime when sysUpTimeInstance overflows * Improve performance of Cacti poller on heavily loaded systems cacti-spine 1.2.20: * Add support for newer versions of MySQL/MariaDB * When checking for uptime of device, don't assume a non-response is always fatal * Fix description and command trunctation issues * Improve spine performance when only one snmp agent port is in use cacti was updated to 1.2.20: * Security fix for CVE-2022-0730, boo#1196692 Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types. * Security fix: Device, Graph, Graph Template, and Graph Items may be vulnerable to XSS issues * Security fix: Lockout policies are not properly applied to LDAP and Domain Users * Security fix: When using 'remember me' option, incorrect realm may be selected * Security fix: User and Group maintenance are vulnerable to SQL attacks * Security fix: Color Templates are vulnerable to XSS attack * Features: * When creating a Data Source Profile, allow additional choices for Heartbeat * Change select all options to use Font Awesome icons * Improve spine performance by storing the total number of system snmp_ports in use * Prevent Template User Accounts from being Removed * When managing by users, allow filtering by Realm * Allow plugins to supply template account names * When viewing logs, additional message types should be filterable * When creating a Graph Template Item, allow filtering by Data Template * Allow language handler to be selected via UI * Updated Device packages for Synology, Citrix NetScaler, Cisco ASA/Cisco * Add Advanced Ping Graph Template to initial Installable templates * Add LDAP Debug Mode option * Allow Reports to include devices not on a Tree * Allow Basic Authentication to display custom failure message * Fix: When replicating data during installation/upgrade, system may appear to hang * Fix: Graph Template Items may have duplicated entries * Fix: Unable to Save Graph Settings * Fix: Script Server may crash if an OID is missing or unavailable * Fix: When system-wide polling is disabled, remote pollers may fail to sync changed settings * Fix: When updating poller name, duplicate name protection may be over zealous * Fix: Titles may show "Missing Datasource" incorectly * Fix: Checking for MIB Cache can cause crashes * Fix: Polling cycles may not always complete as expected * Fix: When viewing graph data, non-numeric values may appear * Fix: Utilities view has calculation errors when there are no data sources * Fix: When editing Reports, drag and drop may not function as intended * Fix: When data drive is full, viewing a Graph can result in errors * Various other bug fixes cacti 1.2.19: * Further fixes for grave character security protection (boo#1192408) * Fix Over aggressive escaping causing menu visibility issues on Create Device page * Add SHA256 and AES256 security levels for SNMP polling * Import graph template(Preview Only) show color_id new value as a blank area * Fix Editing graphs errors due to missing sequence * Fix 2hen hovering over a Tree Graph, row shows same highlighting as Graph Edit screen * Fix 2hen RealTime is not active, console errors may appear * Fix race conditions may occur when multiple RRDtool processes are running * Fix errors creating graphs from templates * Fix errors when duplicating reports * Fix Boost may be blocked by overflowing poller_output table * Fix Template import may be blocked due to unmet dependency warnings with snmp ports * Fix Newer MySQL versions may error if committing a transaction when not in one * Fix SNMP Agent may not find a cache item * Fix Correct issues running under PHP 8.x * Fix When polling is disabled, boost may crash and creates many arch tables * Fix When poller runs, memory tables may not always be present * Fix Timezones may sometimes be incorrectly calculated * Fix Allow monitoring IPv6 with interface graphs * Fix When a data source uses a Data Input Method, those without a mapping should be flagged * Fix When RRDfile is not yet created, errors may appear when displaying the graph * Fix Cacti missing key indexes that result in Preset pages slowdowns * Fix Data Sources page shows no name when Data Source has no name cache * Fix db_update_table function can not alter table from signed to unsigned * Fix data remains in poller_output table even if it's flushed to rrd files * Fix Parameter list for lib/database.php:db_connect_real() is not correct in 3 places * Fix Offset is a reserved word in MariaDB 10.6 affecting Report * Fix Rendering large trees slowed due to lack of permission caching * Fix Error on interpretation of snmpUtime, when to big * Fix Applying right axis formatting creates an error-image * Fix Unable to Save Graph Settings from the Graphs pages * Fix Graph Template Cache is nullified too often when Graph Automation is running * Fix When Adding a Data Query to a Device, no Progress Spinner is shown * Fix New Browser Breaks Plugins that depend on non UTC date time data * Fix errors when testing remote poller connectivity * Fix errors when renaming poller * Fix Removing spikes by Variance does not appear to be working beyond the first RRA * Fix LDAP API lacks timeout options leading to bad login experiences * Add a normal/wrap class for general use * Limit File Types available for Template Import operations * Fix Cacti does not provide an option of providing a client side certificate for LDAP/AD authentication * Support Stronger Encryption Available Starting in Net-SNMP v5.8 * Allow Cacti to use multiple possible LDAP servers * Add a 15 minute polling/sampling interval * Provide additional admin email notifications * Add warnings for undesired changes to plugin hook return values * When creating a Graph, make testing the Data Sources optional by Template * Update phpseclib to 2.0.33 * Update jstree.js to 3.3.12 * Improve performance of Cacti poller on heavily loaded systems * MariaDB recommendations need some tuning for recent updates

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-145=1


Package List

- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64): cacti-spine-1.2.20-bp153.2.9.1 - openSUSE Backports SLE-15-SP3 (noarch): cacti-1.2.20-bp153.2.9.1


References

https://www.suse.com/security/cve/CVE-2022-0730.html https://bugzilla.suse.com/1192408 https://bugzilla.suse.com/1196692


Severity
Announcement ID: openSUSE-SU-2022:0145-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP3 ble. Affected Products: openSUSE Backports SLE-15-SP3 ble.

Related News

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.