File _patchinfo of Package patchinfo.18544

<patchinfo incident="18544">
  <issue tracker="cve" id="2024-31459"/>
  <issue tracker="cve" id="2024-31460"/>
  <issue tracker="cve" id="2024-34340"/>
  <issue tracker="cve" id="2024-27082"/>
  <issue tracker="cve" id="2024-31458"/>
  <issue tracker="cve" id="2024-31444"/>
  <issue tracker="cve" id="2024-31443"/>
  <issue tracker="cve" id="2024-31445"/>
  <issue tracker="cve" id="2024-25641"/>
  <issue tracker="cve" id="2024-29894"/>
  <issue tracker="bnc" id="1224241">VUL-0: CVE-2024-34340: cacti: Authentication Bypass when using older password hashes</issue>
  <issue tracker="bnc" id="1224235">VUL-0: CVE-2024-31443: cacti: cross-site scripting vulnerability when managing data queries</issue>
  <issue tracker="bnc" id="1224231">VUL-0: CVE-2024-29894: cacti: residual cross-site scripting vulnerability caused by incomplete fix</issue>
  <issue tracker="bnc" id="1224240">VUL-0: CVE-2024-31458: cacti: SQL Injection vulnerability when using form templates</issue>
  <issue tracker="bnc" id="1224237">VUL-0: CVE-2024-31445: cacti: SQL injection vulnerability when retrieving graphs using Automation API</issue>
  <issue tracker="bnc" id="1224238">VUL-0: CVE-2024-31459: cacti: file inclusion issue in the `lib/plugin.php` file</issue>
  <issue tracker="bnc" id="1224236">VUL-0: CVE-2024-31444: cacti: cross-site scripting vulnerability when reading tree rules with Automation API</issue>
  <issue tracker="bnc" id="1224239">VUL-0: CVE-2024-31460: cacti: SQL injection vulnerability when using tree rules through Automation API</issue>
  <issue tracker="bnc" id="1224229">VUL-0: CVE-2024-25641: cacti: arbitrary file write vulnerability in the "Package Import" feature</issue>
  <issue tracker="bnc" id="1224230">VUL-0: CVE-2024-27082: cacti: stored cross-site scripting vulnerability when managing trees</issue>
  <packager>AndreasStieger</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for cacti, cacti-spine</summary>
  <description>This update for cacti, cacti-spine fixes the following issues:

- cacti 1.2.27:
  * CVE-2024-34340: Authentication Bypass when using older password hashes (boo#1224240)
  * CVE-2024-25641: RCE vulnerability when importing packages (boo#1224229)
  * CVE-2024-31459: RCE vulnerability when plugins include files (boo#1224238)
  * CVE-2024-31460: SQL Injection vulnerability when using tree rules through Automation API (boo#1224239)
  * CVE-2024-29894: XSS vulnerability when using JavaScript based messaging API (boo#1224231)
  * CVE-2024-31458: SQL Injection vulnerability when using form templates (boo#1224241)
  * CVE-2024-31444: XSS vulnerability when reading tree rules with Automation API (boo#1224236)
  * CVE-2024-31443: XSS vulnerability when managing data queries (boo#1224235)
  * CVE-2024-31445: SQL Injection vulnerability when retrieving graphs using Automation API (boo#1224237)
  * CVE-2024-27082: XSS vulnerability when managing trees (boo#1224230)
  * Improve PHP 8.3 support
  * When importing packages via command line, data source profile could not be selected
  * When changing password, returning to previous page does not always work
  * When using LDAP authentication the first time, warnings may appear in logs
  * When editing/viewing devices, add IPv6 info to hostname tooltip
  * Improve speed of polling when Boost is enabled
  * Improve support for Half-Hour time zones
  * When user session not found, device lists can be incorrectly returned
  * On import, legacy templates may generate warnings
  * Improve support for alternate locations of Ping
  * Improve PHP 8.1 support for Installer
  * Fix issues with number formatting
  * Improve PHP 8.1 support when SpikeKill is run first time
  * Improve PHP 8.1 support for SpikeKill
  * When using Chinese to search for graphics, garbled characters appear
  * When importing templates, preview mode will not always load
  * When remote poller is installed, MySQL TimeZone DB checks are not performed
  * When Remote Poller installation completes, no finish button is shown
  * Unauthorized agents should be recorded into logs
  * Poller cache may not always update if hostname changes
  * When using CMD poller, Failure and Recovery dates may have incorrect values
  * Saving a Tree can cause the tree to become unpublished
  * Web Basic Authentication does not record user logins
  * When using Accent-based languages, translations may not work properly
  * Fix automation expressions for device rules
  * Improve PHP 8.1 Support during fresh install with boost
  * Add a device "enabled/disabled" indicator next to the graphs
  * Notify the admin periodically when a remote data collector goes into heartbeat status
  * Add template for Aruba Clearpass
  * Add filter/sort of Device Templates by Graph Templates

- cacti-spine 1.2.27:
  * Restore AES Support
</description>
</patchinfo>