Overview

File _patchinfo of Package patchinfo.13295

<patchinfo incident="13295">
  <issue tracker="cve" id="2020-13625"/>
  <issue tracker="cve" id="2020-11023"/>
  <issue tracker="cve" id="2020-11022"/>
  <issue tracker="cve" id="2020-14295"/>
  <issue tracker="bnc" id="1115436">cacti: migrate from cron to systemd timers</issue>
  <issue tracker="bnc" id="1173090"></issue>
  <issue tracker="bnc" id="1154087">AUDIT-FIND: cacti: LPE from wwwrun to root</issue>
  <packager>AndreasStieger</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for cacti, cacti-spine</summary>
  <description>This update for cacti, cacti-spine fixes the following issues:

- cacti 1.2.13:

  * Query XSS vulnerabilities require vendor package update
    (CVE-2020-11022 / CVE-2020-11023)
  * Lack of escaping on some pages can lead to XSS exposure
  * Update PHPMailer to 6.1.6 (CVE-2020-13625)
  * SQL Injection vulnerability due to input validation failure when
    editing colors (CVE-2020-14295, boo#1173090)
  * Lack of escaping on template import can lead to XSS exposure

- switch from cron to systemd timers (boo#1115436):
  + cacti-cron.timer
  + cacti-cron.service
- avoid potential root escalation on systems with fs.protected_hardlinks=0
  (boo#1154087): handle directory permissions in file section instead
  of using chown during post installation
- rewrote apache configuration to get rid of .htaccess files and 
  explicitely disable directory permissions per default 
  (only allow a limited, well-known set of directories)

</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places