File cacti.changes of Package cacti
-------------------------------------------------------------------
Mon May 9 11:34:41 UTC 2016 - liedke@rz.uni-mannheim.de
- Fix the following vulnerabilities:
* CVE-2016-3659: SQL injection in lib/functions.php (CVE-2016-3659)
(boo#974013)
* CVE-2016-3172: SQL injection in tree.php (CVE-2016-3172)
(boo#971357)
-------------------------------------------------------------------
Tue Feb 9 19:57:17 UTC 2016 - astieger@suse.com
- Fix the following vulnerabilities:
* CVE-2015-8369: SQL injection in graph.php (boo#958863)
* CVE-2015-8604: SQL injection in graphs_new.php (boo#960678)
* CVE-2015-8377: SQL injection vulnerability in the
host_new_graphs_save function in graphs_new.php
(boo#958977)
* CVE-2016-2313: Authentication using web authentication as a user
not in the cacti database allows complete access
(boo#965930)
- adding CVE-2015-8369.patch, CVE-2015-8604-CVE-2015-8377.patch,
CVE-2016-2313.patch
-------------------------------------------------------------------
Sun Jul 26 19:12:38 UTC 2015 - astieger@suse.com
- cacti 0.8.8f:
* 0.8.8e Poller Script Parser is Broken
* cli/upgrade_database.php is missing releases
* Graph management graphs.php save button does not work
* Poller Script Parser is Broken
-------------------------------------------------------------------
Mon Jul 20 10:53:24 UTC 2015 - joop.boonen@opensuse.org
- Fixed the spec file so the package also builds for el7, Fedora 20 > etc.
-------------------------------------------------------------------
Sat Jul 18 17:37:49 UTC 2015 - astieger@suse.com
- Update to 0.8.8e:
This update contains important security fixes: [boo#937997]
- Multiple XSS and SQL injection vulnerabilities
- CVE-2015-4634 - SQL injection in graphs.php
Further fixes:
- Fixed issue with graph zooming failing to work
- Impossible to have a URL pointing directly to a graph
- Cannot delete data sources from the GUI
- viewing host in new tab - Undefined index: nodeid
- status_fail_date and status_rec_date are set incorrectly after
host is marked down
- Incorrect value in Hosts column on Host Templates page
- Incorrect row number in Devices -> (Edit) page
-------------------------------------------------------------------
Tue Jun 16 13:21:16 UTC 2015 - joop.boonen@opensuse.org
- Update to version 0.8.8d
- Fixes [bnc#934187]
- CVE-2015-4342: cacti: Multiple XSS and SQL injection vulnerabilities
- feature: Remove un-needed fonts and javascript files
- bug: Fixed SQL injection VN: JVN#78187936 / TN:JPCERT#98968540
- bug#0002261: PHP 5.4.0 added new error_reporting variable, causing cacti to show errors
- bug#0002391: Odd Behaviour on ReIndex of Data Query Data
- bug#0002393: Broken thumbnail images for graph templates
- bug#0002402: Subtree must not have the same header as the parent header
- bug#0002474: CLI add_device.php does not set availability_method correctly
- bug#0002449: The Save button does not work: Invalid html on page Console -> Cacti Settings: empty form tag
- bug#0002428: Fail to delete all data input items when removing more than 1000 data sources
- bug#0002439: Password with special character don't work with LDAP authentication
- bug#0002461: invalid bn with ldap and anonymous bind
- bug#0002465: Graph Export return empty CSV file
- bug#0002484: Incorrect SQL request in cli script repair_database.php
- bug#0002485: Broken pagination on graph viewing
- bug#0002489: SNMP - Get Mounted Partitions using Re-index method of Index Count Changed causes recache event every time
- bug#0002490: Can not select page for multiple datasources per device
- bug#0002494: CSV export always shows last day
- bug#0002504: Data template search not functional
- bug#0002542: [FG-VD-15-017] Cacti Cross-Site Scripting Vulnerability Notification
- bug#0002543: Unable to switch pages within graphs_new.php due to invalid URL generation
- bug#0002544: Duplicate entry in $nav_url during list view
- bug#0002571: SQL Injection and Location header injection from cdef id CVE-2015-4342
- bug#0002572: SQL injection in graph templates
- Renamed two patch files, to a more generic name:
- cacti-0.8.8c-cacti-log-path.patch to cacti-log-path.patch
- cacti-0.8.8c-cacti-script.patch to cacti-script.patch
-------------------------------------------------------------------
Mon Dec 8 11:25:49 UTC 2014 - aldemir.akpinar@gmail.com
- Update to version 0.8.8c
- New features
- New graph tree view
- Updated graph list and graph preview
- Refactor graph tree view to remove GPL incompatible code
- Updated command line database upgrade utility
- Graph zooming now from everywhere
- Security fixes
- CVE-2013-5588 - XSS issue via installer or device editing
- CVE-2013-5589 - SQL injection vulnerability in device editing
- CVE-2014-2326 - XSS issue via CDEF editing
- CVE-2014-2327 - Cross-site request forgery (CSRF) vulnerability
- CVE-2014-2328 - Remote Command Execution Vulnerability in graph export
- CVE-2014-4002 - XSS issues in multiple files
- CVE-2014-5025 - XSS issue via data source editing
- CVE-2014-5026 - XSS issues in multiple files
- Removed cacti-0.8.8b-cacti-log-path.patch as it is incompatible with 0.8.8c.
- Removed cacti-0.8.8b-cacti-script.patch as it is incompatible with 0.8.8c.
- Removed cacti-0.8.8b_CVE-2013-5588_CVE-2013-5589.patch as this code is incorporated into cacti 0.8.8c
- Removed cacti-0.8.8b_security.patch as this code is incorporated into cacti 0.8.8c
- Created cacti-0.8.8c-cacti-log-path.patch so that cacti only logs to /var/log/cacti
- Created cacti-0.8.8c-cacti-script.patch so that cacti uses /usr/share/cacti/scripts
-------------------------------------------------------------------
Sun Apr 13 20:21:53 UTC 2014 - aj@ajaissle.de
- Add cacti-0.8.8b_security.patch:
- Fixes [bnc#870821]:
- CVE-2014-2326: Unspecified HTML Injection Vulnerability
- Fixes CVE-2014-2328:
- Unspecified Remote Command Execution Vulnerability
- Fixes [bnc#872008]:
- CVE-2014-2708: Unspecified SQL Injection Vulnerability
- CVE-2014-2709: Unspecified Remote Command Execution Vulnerability
- Add cacti-0.8.8b_CVE-2013-5588_CVE-2013-5589.patch:
- Fixes [bnc#837440]:
- CVE-2013-5588: HTML Injection Vulnerability
- CVE-2013-5589: SQL Injection Vulnerability
-------------------------------------------------------------------
Sat Apr 12 09:37:55 UTC 2014 - aj@ajaissle.de
- Change php requirements to be more general on SUSE systems
[bnc#862993]
-------------------------------------------------------------------
Thu Aug 8 06:57:12 UTC 2013 - joop.boonen@opensuse.org
- Update to version 0.8.8b
- bug: Fixed issue with custom data source information being lost when saved from edit
- bug: Repopulate the poller cache on new installations
- bug: Fix issue with poller not escaping the script query path correctly
- bug: Allow snmpv3 priv proto none
- bug: Fix issue where host activate may flush the entire poller item cache
- security: SQL injection and shell escaping issues
-------------------------------------------------------------------
Mon Jun 4 08:57:00 UTC 2012 - aldemir.akpinar@airties.com
- Added official cacti 0.8.8a patch
-------------------------------------------------------------------
Mon Apr 30 11:09:10 UTC 2012 - aldemir.akpinar@airties.com
- New version 0.8.8a
- Fixed an rpmlint warning
-------------------------------------------------------------------
Mon Apr 16 10:27:23 UTC 2012 - joop.boonen@opensuse.org
- Corrected the crontab file for openSUSE >= 12.2
- Some cross distro fixes so plugins will also build for other distros
-------------------------------------------------------------------
Tue Apr 10 17:03:29 UTC 2012 - joop.boonen@opensuse.org
- Install cacti in /srv/www/cacti/ from openSUSE 12.2 onwards
- Passed the spec file through spec-cleaner
- Cacti-PA can be removed as cacti includes the Plugin Architecture
-------------------------------------------------------------------
Tue Apr 10 09:14:52 UTC 2012 - aldemir.akpinar@airties.com
- Minor changes in the spec file, updated version to 0.8.8
-------------------------------------------------------------------
Sun Jan 8 12:58:28 UTC 2012 - joop.boonen@boonen.org
- Reformatted the spec file to the openSUSE standard
-------------------------------------------------------------------
Fri Dec 30 14:40:04 UTC 2011 - aldemir.akpinar@airties.com
- Added official settings_checkbox patch
-------------------------------------------------------------------
Tue Dec 13 22:15:03 UTC 2011 - joop.boonen@opensuse.org
- Build version 0.8.7i
-------------------------------------------------------------------
Tue Oct 4 13:19:26 UTC 2011 - aldemir.akpinar@airties.com
- Upgrade to version 0.8.7h
-------------------------------------------------------------------
Fri Jun 10 00:00:00 UTC 2011 aldemir.akpinar@airties.com
- added 'Provides' to make cactid installable
-------------------------------------------------------------------
Sat Jul 10 00:00:00 UTC 2010 joop.boonen@opensuse.org
- update to cacti-0.8.7g
-------------------------------------------------------------------
Sat May 22 00:00:00 UTC 2010 joop.boonen@opensuse.org
- update to cacti-0.8.7f
-------------------------------------------------------------------
Wed Nov 11 00:00:00 UTC 2009 joop.boonen@opensuse.org
- Added the missing cli directory
-------------------------------------------------------------------
Mon Aug 31 00:00:00 UTC 2009 joop.boonen@opensuse.org
- Minor change in the name of the patch file
-------------------------------------------------------------------
Fri Aug 28 00:00:00 UTC 2009 puzel@novell.com
- update to cacti-0.8.7e.tar.bz2
- bug#0001044: Creating a DS, Output field can't be selected for
DT with a DIM when "Use Per-Data Source Value" is on
- bug#0001341: SNMP query: add oid_suffix for weird SNMP queries
- bug#0001345: Overwriting $snmp_index in query_snmp_host() breaks
SNMP Data query if using get method
- bug#0001346: Strip out noisy 'No Such Instance currently exists
at this OID'
- bug#0001404: timeout in "function ping_icmp" (lib/ping.php)
- bug#0001405: Spaces in DS when .rrd file is created, so it fails
- bug#0001407: Place graph thumbnail into div to lower page length
changes on load graphs
- bug#0001410: Thumbnail Columns is not honored for host display
with snmp index group style
- bug#0001411: Graph searching issue
- bug#0001413: strip_quotes fails
- bug#0001426: multiple form opening due to bug in draw_edit_form()
- bug#0001436: CSV Export Start Date and End Date are always
1970-01-01 01:00:00
- bug#0001443: format_snmp_string can return a number with a leading space
- bug#0001446: Wrong dates override in CSV export
- bug#0001456: oid_uptime is not parsed correctly
- bug#0001460: Skipping input parameters in data_query_field_list()
may lead to SQL errors
- bug#0001464: Typo in install/index.php
- bug#0001467: Customisable oid index parse regexp for weird MIBs
- bug#0001468: Tree is not expanded correctly
- bug#0001469: Tree is not being expanded if user followed link
outside of cacti
- bug#0001476: Mark stacked columns in rrdtool_function_xport() output
- bug#0001477: Spelling error in a variable in html_tree.php
- bug#0001478: Combo boxes on Graph Management page produce URLs
with leading spaces
- bug: Top Graph Header Breaks When Plugins Used
- bug: SNMP v3 Password issue caused by Firefox's Password AutoFill
- bug: Strip Quotes does not properly handle the value 'U'
- bug: Changes to the graph tree would not show up immediately for
current user
- bzip sources
-------------------------------------------------------------------
Mon Jun 15 00:00:00 UTC 2009 prusnak@suse.cz
- reverted BuildRequires from libdb-4_5-devel to db-devel
-------------------------------------------------------------------
Fri May 22 00:00:00 UTC 2009 joop.boonen@opensuse.org
- Working with prefix
-------------------------------------------------------------------
Sat Apr 25 00:00:00 UTC 2009 joop_boonen@web.de
- Updated BuildRequires to libdb-4_5-devel
-------------------------------------------------------------------
Sat Feb 14 00:00:00 UTC 2009 joop_boonen@web.de
- cleaned out the spec file
- deleted file for the PA platform
-------------------------------------------------------------------
Fri Feb 13 00:00:00 UTC 2009 joop_boonen@web.de
- build version cacti-0.8.7d
-------------------------------------------------------------------
Thu Feb 12 00:00:00 UTC 2009 joop_boonen@web.de
- improving the spec file
- added multi rpm distro build
- Added the plug-in framework
-------------------------------------------------------------------
Mon Feb 2 00:00:00 UTC 2009 joop_boonen@web.de
- building version 0.8.7c
-------------------------------------------------------------------
Mon Apr 14 00:00:00 UTC 2008 crrodriguez@suse.de
- add official cacti patches
- cleanup buildrequires
-------------------------------------------------------------------
Tue Apr 8 00:00:00 UTC 2008 crrodriguez@suse.de
- cacti does not really work without cron, but cron is not installed
by default in the minimal system
-------------------------------------------------------------------
Tue Feb 19 00:00:00 UTC 2008 prusnak@suse.cz
- updated to 0.8.7b
* security fixes:
- Fix several security vulnerabilities
* bug fixes:
- Unnecessary (and faulty) DEF generation for CF:AVERAGE
- Small visual fix for Cacti in "View Cacti Log File"
- Graph xport modification to increase default rows output
- Poller incorrectly identifies unique hosts
- CLI Scripts bring MySQL down on large installations
- Filtering broken on Data Sources page
- Fix looping poller recache events
- ss_fping.php 100%% "Pkt Loss" does not work properly
- Graphs with no template and/or no host cause filtering errors on Graph Management page
- View Poller Cache does not show Data Sources that have no host
- Graph Generation fails if e.g. ifDescr contains some blanks
- TCP/UDP ping port ignored
- Downed Device Detection: None leads to database errors
- update_host_status handles ping_availability incorrectly
- "U" not allowed as min/max RRD value
- Deleted user causes error on user log viewer
- Re-assign duplicate radio button IDs
- Add HTML title attributes for certain pages
- ALL_DATA_SOURCES_NODUPS includes DUPs? SIMILAR_DATA_SOURCES_DUPS is available again
- Cacti does not guarantee RRA consolidation functions exist in RRA's
- Alert on changing logarithmic scaling removed
- add_hosts.php did not accept privacy protocol
* features added:
- show basic RRDtool graph options on Graph Template edit
- Add additional logging to Graph Xport
- Add rows dropdown to devices, graphs and data sources
- Add device_id and event count to devices
- Add ids to devices, graphs and data sources pages
- Add database repair utility
-------------------------------------------------------------------
Tue Nov 20 00:00:00 UTC 2007 prusnak@suse.cz
- updated to 0.8.7a
* "Use Per-Data Source Value (Ignore this Value)" runs only when checking "Allow Empty Input"
* Add --autoscale-min (rrdtool 1.2.x only) and --autoscale-max (using upper AND lower limit)
* Allow for --logarithmic scaling without autoscaling
* Data sources in RRAs have random order, messing up predefined CDEFs
* Graph Templates drop down populates with duplicates
* Upgrade from 0.8.6j to 0.8.7 defaults to Authentication Method NONE
* Graph template - GRINT creates CF function DEF
* Invalid date format - "half hour" not the GNU Date format
* SQL error when using 'Auth Method' None when no 'guest' user exists
* Graph Filter dropdowns do not respect user graph permissions
* Potential SQL injection vulnerability
* RRDtool 1.2.15 complain for garbage characters when rrdtool_function_xport is used
* cmd.php: potential call to invalid "availability_method" key on wrong hash
* Log file viewer inefficient filtering uses excess memory
* doc change for using COUNTERs as integers only
* Fixed extra spaces in GPRINT. Better Alignment for Autopadding
* doc change for patching cacti when running SELinux
* Cron interval detection causes multiple pollers to run
* Max OIDS is not saved in device view
* Undefined variable: rra in graph.php on line 241
* Dates are not stored in host table using correct format
* Graph Export Generates SQL Errors
* Usernames with spaces and dashes are not able to save
* Allow for --units=si on logarithmic scaled graphs (rrdtool-1.2.x only).
* add opacity/alpha channel to graph items (rrdtool-1.2.x only).
* Move to Top for List and Tree View. Omit boring scrolling
* add availability pings to host interface
-------------------------------------------------------------------
Tue Oct 30 00:00:00 UTC 2007 prusnak@suse.cz
- update to 0.8.7
* changes are too numerous to list
* see CHANGELOG
- dropped obsolete patches:
* graph-image.patch (included in update)
-------------------------------------------------------------------
Wed Sep 19 00:00:00 UTC 2007 prusnak@suse.cz
- fix CVE-2007-3112 and CVE-2007-3113 (graph-image.patch) [#326228]
-------------------------------------------------------------------
Mon Jun 25 00:00:00 UTC 2007 dmueller@suse.de
- fix last checkin
-------------------------------------------------------------------
Thu Jun 21 00:00:00 UTC 2007 dmueller@suse.de
- update buildrequires
-------------------------------------------------------------------
Thu Feb 8 00:00:00 UTC 2007 prusnak@suse.cz
- updated to 0.8.6j:
* fixed CVE-2006-6799
* fixed hostname sorting on the devices page
* fixed poller.php not giving any output with MySQL disabled
* added bottom navigation bar to graph viewing
* added "collapsible" branches to the graph tree editor
* added natural sort to graph items in the tree
- dropped obsoleted patches:
* cacti-0.8.6h-CVE-2006-6799.patch (included in update)
- fixed spec file for #norootforbuild
-------------------------------------------------------------------
Tue Jan 9 00:00:00 UTC 2007 prusnak@suse.cz
- fixed CVE-2006-6799 [#231082]
-------------------------------------------------------------------
Fri Mar 17 00:00:00 UTC 2006 stark@suse.de
- fix path settings
-------------------------------------------------------------------
Wed Jan 25 00:00:00 UTC 2006 mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Wed Jan 18 00:00:00 UTC 2006 mrueckert@suse.de
- don't require php4 directly; use the php abstraction
-------------------------------------------------------------------
Fri Jan 6 00:00:00 UTC 2006 stark@suse.de
- update to 0.8.6h
- fixed logrotate setting
-------------------------------------------------------------------
Tue Jan 3 00:00:00 UTC 2006 stark@suse.de
- update to 0.8.6g
-------------------------------------------------------------------
Tue Oct 25 00:00:00 UTC 2005 stark@suse.de
- added php4-session to required packages (#130282)
-------------------------------------------------------------------
Sat Jul 2 00:00:00 UTC 2005 stark@suse.de
- update to 0.8.6f
-------------------------------------------------------------------
Sat Jun 18 00:00:00 UTC 2005 stark@suse.de
- update to 0.8.6e final
-------------------------------------------------------------------
Thu Jun 16 00:00:00 UTC 2005 stark@suse.de
- update to 0.8.6e
-------------------------------------------------------------------
Fri Jan 21 00:00:00 UTC 2005 stark@suse.de
- update to 0.8.6c
-------------------------------------------------------------------
Fri Nov 19 00:00:00 UTC 2004 stark@suse.de
- update to 0.8.6b
- added logrotate config
-------------------------------------------------------------------
Mon Sep 20 00:00:00 UTC 2004 stark@suse.de
- fix sql injection bug (#43908)
-------------------------------------------------------------------
Mon Aug 30 00:00:00 UTC 2004 ro@suse.de
- remove apache1 traces
-------------------------------------------------------------------
Wed Apr 28 00:00:00 UTC 2004 stark@suse.de
- update to 0.8.5a
-------------------------------------------------------------------
Mon Feb 16 00:00:00 UTC 2004 stark@suse.de
- update to 0.8.5
-------------------------------------------------------------------
Mon Dec 29 00:00:00 UTC 2003 stark@suse.de
- initial SUSE package