openSUSE Security Update: Security update for cacti, cacti-spine

Announcement ID:    openSUSE-SU-2022:0145-1
Rating:             moderate
References:         #1192408 #1196692 
Cross-References:   CVE-2022-0730
CVSS scores:
                    CVE-2022-0730 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP3

   An update that solves one vulnerability and has one errata
   is now available.


   This update for cacti, cacti-spine fixes the following issues:

   cacti-spine was updated to 1.2.20:

     * Add support for newer versions of MySQL/MariaDB
     * When checking for uptime of device, don't assume a non-response is
       always fatal
     * Fix description and command truncation issues
     * Improve spine performance when only one snmp agent port is in use

   cacti-spine 1.2.19:

     * Fix issues with polling loop may skip some datasources
     * Fix ping no longer works due to hostname changes
     * Fix RRD steps are not always calculated correctly
     * Fix unable to build when DES no longer supported
     * Fix IPv6 devices are not properly parsed
     * Reduce a number of compiler warnings
     * Fix compiler warnings due to lack of return in thread_mutex_trylock
     * Fix Spine will not look at non-timeticks uptime when sysUpTimeInstance
     * Improve performance of Cacti poller on heavily loaded systems

   cacti was updated to 1.2.20:

     * Security fix for CVE-2022-0730, boo#1196692: under certain LDAP
       conditions, Cacti authentication can be bypassed with certain
       credential types.
     * Security fix: Device, Graph, Graph Template, and Graph Items may be
       vulnerable to XSS issues
     * Security fix: Lockout policies are not properly applied to LDAP and
       Domain Users
     * Security fix: When using 'remember me' option, incorrect realm may be
     * Security fix: User and Group maintenance are vulnerable to SQL attacks
     * Security fix: Color Templates are vulnerable to XSS attack
     * Features:
       * When creating a Data Source Profile, allow additional choices for
       * Change select all options to use Font Awesome icons
       * Improve spine performance by storing the total number of system
         snmp_ports in use
       * Prevent Template User Accounts from being Removed
       * When managing by users, allow filtering by Realm
       * Allow plugins to supply template account names
       * When viewing logs, additional message types should be filterable
       * When creating a Graph Template Item, allow filtering by Data Template
       * Allow language handler to be selected via UI
       * Updated Device packages for Synology, Citrix NetScaler, Cisco
       * Add Advanced Ping Graph Template to initial Installable templates
       * Add LDAP Debug Mode option
       * Allow Reports to include devices not on a Tree
       * Allow Basic Authentication to display custom failure message
     * Fix: When replicating data during installation/upgrade, system may
       appear to hang
     * Fix: Graph Template Items may have duplicated entries
     * Fix: Unable to Save Graph Settings
     * Fix: Script Server may crash if an OID is missing or unavailable
     * Fix: When system-wide polling is disabled, remote pollers may fail to
       sync changed settings
     * Fix: When updating poller name, duplicate name protection may be over
     * Fix: Titles may show "Missing Datasource" incorrectly
     * Fix: Checking for MIB Cache can cause crashes
     * Fix: Polling cycles may not always complete as expected
     * Fix: When viewing graph data, non-numeric values may appear
     * Fix: Utilities view has calculation errors when there are no data
     * Fix: When editing Reports, drag and drop may not function as intended
     * Fix: When data drive is full, viewing a Graph can result in errors
     * Various other bug fixes

   cacti 1.2.19:

     * Further fixes for grave character security protection (boo#1192408)
     * Fix Over aggressive escaping causing menu visibility issues on Create
       Device page
     * Add SHA256 and AES256 security levels for SNMP polling
     * Import graph template(Preview Only) show color_id new value as a blank
     * Fix Editing graphs errors due to missing sequence
     * Fix When hovering over a Tree Graph, row shows same highlighting as
       Graph Edit screen
     * Fix When RealTime is not active, console errors may appear
     * Fix race conditions may occur when multiple RRDtool processes are
     * Fix errors creating graphs from templates
     * Fix errors when duplicating reports
     * Fix Boost may be blocked by overflowing poller_output table
     * Fix Template import may be blocked due to unmet dependency warnings
       with snmp ports
     * Fix Newer MySQL versions may error if committing a transaction when
       not in one
     * Fix SNMP Agent may not find a cache item
     * Fix Correct issues running under PHP 8.x
     * Fix When polling is disabled, boost may crash and creates many arch
     * Fix When poller runs, memory tables may not always be present
     * Fix Timezones may sometimes be incorrectly calculated
     * Fix Allow monitoring IPv6 with interface graphs
     * Fix When a data source uses a Data Input Method, those without a
       mapping should be flagged
     * Fix When RRDfile is not yet created, errors may appear when displaying
       the graph
     * Fix Cacti missing key indexes that result in Preset pages slowdowns
     * Fix Data Sources page shows no name when Data Source has no name cache
     * Fix db_update_table function can not alter table from signed to
     * Fix data remains in poller_output table even if it's flushed to rrd
     * Fix Parameter list for lib/database.php:db_connect_real() is not
       correct in 3 places
     * Fix Offset is a reserved word in MariaDB 10.6 affecting Report
     * Fix Rendering large trees slowed due to lack of permission caching
     * Fix Error on interpretation of snmpUtime, when too big
     * Fix Applying right axis formatting creates an error-image
     * Fix Unable to Save Graph Settings from the Graphs pages
     * Fix Graph Template Cache is nullified too often when Graph Automation
       is running
     * Fix When Adding a Data Query to a Device, no Progress Spinner is shown
     * Fix New Browser Breaks Plugins that depend on non UTC date time data
     * Fix errors when testing remote poller connectivity
     * Fix errors when renaming poller
     * Fix Removing spikes by Variance does not appear to be working beyond
       the first RRA
     * Fix LDAP API lacks timeout options leading to bad login experiences
     * Add a normal/wrap class for general use
     * Limit File Types available for Template Import operations
     * Fix Cacti does not provide an option of providing a client side
       certificate for LDAP/AD authentication
     * Support Stronger Encryption Available Starting in Net-SNMP v5.8
     * Allow Cacti to use multiple possible LDAP servers
     * Add a 15 minute polling/sampling interval
     * Provide additional admin email notifications
     * Add warnings for undesired changes to plugin hook return values
     * When creating a Graph, make testing the Data Sources optional by
     * Update phpseclib to 2.0.33
     * Update jstree.js to 3.3.12
     * Improve performance of Cacti poller on heavily loaded systems
     * MariaDB recommendations need some tuning for recent updates

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-145=1
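
   The following check is an added example and not part of the openSUSE advisory
   or of the cacti project: it compares the installed cacti and cacti-spine
   versions against 1.2.20, the version carrying the CVE-2022-0730 fix, so a host
   can be verified before and after the patch is applied. It assumes rpm's
   %{VERSION} tag holds a plain dotted upstream version (the release part is ignored).

```shell
#!/bin/sh
# Added example (not from the advisory): verify that cacti / cacti-spine on this
# host are at or above 1.2.20, the version in which the CVE-2022-0730 fix ships.
# Assumption: rpm's %{VERSION} is a plain dotted version such as 1.2.19.

FIXED_VERSION="1.2.20"

# version_lt A B: exit 0 (true) when dotted version A sorts before dotted version B.
# Compares component by component numerically; missing components count as 0,
# so no GNU "sort -V" is needed.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi
    if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# installed_version PKG: print the installed version of PKG, or nothing if absent.
installed_version() {
  if rpm -q "$1" >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}' "$1"
  fi
}

# package_status PKG VERSION: print a verdict line; exit 1 while still vulnerable.
# VERSION is passed in so the logic can be exercised on a host without rpm.
package_status() {
  pkg="$1"; ver="$2"
  if [ -z "$ver" ]; then
    echo "$pkg: not installed"
    return 0
  fi
  if version_lt "$ver" "$FIXED_VERSION"; then
    echo "$pkg $ver: vulnerable, CVE-2022-0730 fixed in $FIXED_VERSION"
    return 1
  fi
  echo "$pkg $ver: fixed"
  return 0
}

# On a real openSUSE host:
# for p in cacti cacti-spine; do package_status "$p" "$(installed_version "$p")"; done
```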

Package List:

   - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):


   - openSUSE Backports SLE-15-SP3 (noarch):