Security update for cacti, cacti-spine

This update for cacti, cacti-spine fixes the following issues:

cacti 1.2.30:

- Unable to add new users
- When using Automation Rules, specifying graph criteria may cause issues
- When transferring a system from a backup, rrdtool issues are found if the poller has not run recently
- When translating, quotes may cause incorrect text to appear
- When using Boost for the first time, warnings may appear
- When refreshing forms, items may be checked incorrectly by xmacan

cacti 1.2.29:

- CVE-2025-22604 GHSA-c5j8-jxj3-hh36 - Authenticated RCE via multi-line SNMP responses (bsc#1236488)
- CVE-2025-24368 GHSA-f9c7-7rc3-574c - SQL Injection vulnerability when using tree rules through Automation API (bsc#1236490)
- CVE-2024-54145 GHSA-fh3x-69rr-qqpp - SQL Injection vulnerability when requesting automation devices (bsc#1236487)
- CVE-2025-24367 GHSA-fxrq-fr7h-9rqq - Arbitrary File Creation leading to RCE (bsc#1236489)
- CVE-2024-45598 GHSA-pv2c-97pp-vxwg - Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path (bsc#1236482)
- CVE-2024-54146 GHSA-vj9g-P7F2-4wqj - SQL Injection vulnerability when viewing a host template (bsc#1236486)
- issue: Temporary table names may incorrectly think they have a schema
- issue: When using Preset Time to view graphs, it is using a fixed point rather than relative time
- issue: Fix issue where RRA files are not automatically removed
- issue: Fix invalid help link for Automation Networks
- issue: Unable to disable a tree within the GUI
- issue: When removing graphs, RRA files may be left behind
- issue: Improve compatibility with ping under FreeBSD
- issue: Improve compatibility with Slice RRD tool under PHP 8.x
- issue: Allow IPv6 formats to use colons without port
- issue: Update Fortigate, Aruba OSCX and Clearpass templates
- issue: When a plugin is disabled, unable to use GUI to enable it again
- issue: When upgrading, ensure that replication only runs as necessary
- issue: Improve caching and syncing issues with replication
- issue: Improve caching techniques for database calls
- issue: Improve compatibility for Error constants under PHP 8.4
- issue: When running the upgrade database script, cursor is left in the middle of the row
- issue: Guest page does not automatically refresh
- issue: When installing, conversion of tables may produce collation errors
- feature: Add HPE Nimble/Alletra template
- feature: When installing, only convert core cacti tables

- Add /srv/www directories to filelist [boo#1231027]

- fix for cacti-cron.timer & cacti-cron.service failing after the upgrade has already removed them

- replace cacti-cron.timer & cacti-cron.service with cactid.service to fix thold & other "sub poller" poller processes not running.

cacti 1.2.28:

- CVE-2024-43365 GHSA-49f2-hwx9-qffr: XSS vulnerability when creating external links with the consolenewsection parameter (bsc#1231372)
- CVE-2024-43364 GHSA-fgc6-g8gc-wcg5: XSS vulnerability when creating external links with the title parameter (bsc#1231371)
- CVE-2024-43363 GHSA-gxq4-mv8h-6qj4: RCE vulnerability can be executed via Log Poisoning (bsc#1231370)
- CVE-2024-43362 GHSA-wh9c-v56x-v77c: XSS vulnerability when creating external links with the fileurl parameter
- issue: When using LDAP authentication the first time, warnings may appear in logs
- issue: When installing, a replication loop for plugin_realms may occur
- issue: When installing, remote poller may attempt to sync with other pollers
- issue: When a Data Query has a space, indexes may not be properly escaped
- issue: Boost does not always order data source records properly
- issue: Add IP address to the login audit for successful logins by xmacan
- issue: Undefined variable error may sometimes occur when dealing with RRD output by MSS970
- issue: When exporting to CSV, only the first line of notes is included
- issue: When rendering forms, missing default value can cause errors
- issue: Allow hosted content to be executable for the links page
- issue: When closing database connections, some may linger incorrectly
- issue: When changing passwords, an infinite loop may occur by ddb4github
- issue: When using Cacti Daemon, a "Cron out of sync" message may be reported
- issue: Add ability to filter/sort users by group or last login time
- issue: When using List View, unable to add Graphs to a Report
- issue: When using SNMPv3, some devices may show polling issues
- issue: Limit table conversion to Cacti core tables
- issue: Fix issues with posix-based kills on Windows
- issue: When installing, password changes may fail on new installations
- issue: When using structured RRD folders, permission issues may be flagged incorrectly
- issue: When unable to locate a valid theme, new default will be Modern
- issue: Properly cache the data source information for dsstats processing
- issue: When reindexing, verify all fields may not work as intended
- feature: Add ability to log database connections/disconnections
- feature: Add Ping Method where connection refused assumes host is up
- feature: When displaying graphs, default end time does not show full 24 hour period
- feature: Add --id to remove_device.php
- feature: Add Location and Site to Graph List View
- feature: Add more verbose logging to Boost
- feature: Update jQuery to 3.7.1
- feature: Update jQueryUI to 1.14.0
- feature: Update Purify.js to 3.1.6
- feature: Update billboard.js to 3.13.0
- feature: Improve the performance of the repopulation of the poller cache

Changes in cacti-spine:

cacti-spine 1.2.30:

- no changes
- Bump/rebuild to match Cacti 1.2.30

cacti-spine 1.2.28:

- When using Ping or SNMP Uptime, host is not always detected properly
- Add Ping Method where connection refused assumes host is up

Fixed bugs:

- bnc#1231027: Remove /srv/www from filesystem package
- bnc#1236488: VUL-0: CVE-2025-22604: cacti: authenticated remote code execution through the injection of malformed OIDs in SNMP responses
- bnc#1236490: VUL-0: CVE-2025-24368: cacti: SQL injection when using tree rules through Automation API
- bnc#1236487: VUL-0: CVE-2024-54145: cacti: SQL injection through the network parameter of the get_discovery_results function in automation_devices.php
- bnc#1236489: VUL-0: CVE-2025-24367: cacti: authenticated remote code execution through PHP scripts created via the graph creation and graph template functionalities
- bnc#1236482: VUL-0: CVE-2024-45598: cacti: local file inclusion via the `Poller Standard Error Log Path` parameter
- bnc#1236486: VUL-0: CVE-2024-54146: cacti: SQL injection through the graph_template parameter of the template function in host_templates.php
- bnc#1231372: VUL-0: CVE-2024-43365: cacti: Stored Cross-site Scripting (XSS) when creating external links in Cacti
- bnc#1231371: VUL-0: CVE-2024-43364: cacti: Stored Cross-site Scripting (XSS) when creating external links in Cacti
- bnc#1231370: VUL-0: CVE-2024-43363: cacti: Remote code execution via Log Poisoning in Cacti
- bnc#1231369: VUL-0: CVE-2024-43362: cacti: Stored Cross-site Scripting (XSS) when creating external links in Cacti
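A quick way to check whether a host still carries any of the CVEs listed in this update is to compare the installed cacti upstream version against the version each fix shipped in (1.2.28 or 1.2.29, as listed in the changelog above). The script below is an added example, not part of the openSUSE update or of the Cacti project; it assumes rpm output in the shape produced by `rpm -q --queryformat '%{NAME} %{VERSION}\n' cacti cacti-spine`, and the sample output it audits is constructed, not taken from a real system.

```python
"""Report which CVEs from this update are still outstanding for an installed cacti.

Added example for this advisory (not Cacti or openSUSE code). The CVE-to-fixed-version
table is taken from the changelog sections above; the rpm output below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Upstream cacti version in which each CVE from this update was fixed (from the changelog).
CVE_FIXED_IN: Dict[str, str] = {
    "CVE-2024-43362": "1.2.28",
    "CVE-2024-43363": "1.2.28",
    "CVE-2024-43364": "1.2.28",
    "CVE-2024-43365": "1.2.28",
    "CVE-2024-45598": "1.2.29",
    "CVE-2024-54145": "1.2.29",
    "CVE-2024-54146": "1.2.29",
    "CVE-2025-22604": "1.2.29",
    "CVE-2025-24367": "1.2.29",
    "CVE-2025-24368": "1.2.29",
}

# Only the cacti package itself carries the CVE fixes; cacti-spine is a rebuild.
PACKAGE_WITH_CVES = "cacti"

# Constructed sample, shaped like `rpm -q --queryformat '%{NAME} %{VERSION}\n'` output.
SAMPLE_RPM_OUTPUT = """cacti 1.2.28
cacti-spine 1.2.28
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.29' (or RPM-style '1.2.29-150500.3.6.1') into a comparable tuple.

    Only the upstream part before the first '-' is used, because the changelog
    keys its fixes by upstream version, not by distribution release.
    """
    upstream = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", upstream))


def unfixed_cves(installed_version: str) -> List[str]:
    """CVEs from this update whose fix version is newer than the installed version."""
    installed = parse_version(installed_version)
    return sorted(
        cve for cve, fixed in CVE_FIXED_IN.items() if parse_version(fixed) > installed
    )


def audit_rpm_output(rpm_output: str) -> Dict[str, List[str]]:
    """Map the cacti package to its outstanding CVEs, given 'NAME VERSION' lines.

    Lines for other packages and 'package X is not installed' lines are skipped.
    """
    report: Dict[str, List[str]] = {}
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line or line.endswith("is not installed"):
            continue
        name, version = line.split(maxsplit=1)
        if name == PACKAGE_WITH_CVES:
            report[name] = unfixed_cves(version)
    return report


if __name__ == "__main__":
    for package, cves in audit_rpm_output(SAMPLE_RPM_OUTPUT).items():
        status = ", ".join(cves) if cves else "all CVEs from this update fixed"
        print(f"{package}: {status}")
```

On a real host, pipe the rpm query into `audit_rpm_output` instead of the constructed sample; a 1.2.28 install reports the six 1.2.29 CVEs as outstanding, and 1.2.30 reports none.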