File _patchinfo of Package patchinfo
<patchinfo incident="19332">
  <issue tracker="bnc" id="1231027">Remove /srv/www from filesystem package</issue>
  <issue tracker="bnc" id="1236488">VUL-0: CVE-2025-22604: cacti: authenticated remote code execution through the injection of malformed OIDs in SNMP responses</issue>
  <issue tracker="bnc" id="1236490">VUL-0: CVE-2025-24368: cacti: SQL injection when using tree rules through Automation API</issue>
  <issue tracker="bnc" id="1236487">VUL-0: CVE-2024-54145: cacti: SQL injection through the network parameter of the get_discovery_results function in automation_devices.php</issue>
  <issue tracker="bnc" id="1236489">VUL-0: CVE-2025-24367: cacti: authenticated remote code execution through PHP scripts created via the graph creation and graph template functionalities</issue>
  <issue tracker="bnc" id="1236482">VUL-0: CVE-2024-45598: cacti: local file inclusion via the `Poller Standard Error Log Path` parameter</issue>
  <issue tracker="bnc" id="1236486">VUL-0: CVE-2024-54146: cacti: SQL injection through the graph_template parameter of the template function in host_templates.php</issue>
  <issue tracker="bnc" id="1231372">VUL-0: CVE-2024-43365: cacti: Stored Cross-site Scripting (XSS) when creating external links in Cacti</issue>
  <issue tracker="bnc" id="1231371">VUL-0: CVE-2024-43364: cacti: Stored Cross-site Scripting (XSS) when creating external links in Cacti</issue>
  <issue tracker="bnc" id="1231370">VUL-0: CVE-2024-43363: cacti: Remote code execution via Log Poisoning in Cacti</issue>
  <issue tracker="bnc" id="1231369">VUL-0: CVE-2024-43362: cacti: Stored Cross-site Scripting (XSS) when creating external links in Cacti</issue>
  <issue tracker="cve" id="2024-43362"></issue>
  <issue tracker="cve" id="2024-43363"></issue>
  <issue tracker="cve" id="2024-43364"></issue>
  <issue tracker="cve" id="2024-43365"></issue>
  <issue tracker="cve" id="2024-54146"></issue>
  <issue tracker="cve" id="2024-45598"></issue>
  <issue tracker="cve" id="2025-22604"></issue>
  <issue tracker="cve" id="2025-24368"></issue>
  <issue tracker="cve" id="2024-54145"></issue>
  <issue tracker="cve" id="2025-24367"></issue>
  <packager>joelgb</packager>
  <rating>critical</rating>
  <category>security</category>
  <summary>Security update for cacti, cacti-spine</summary>
  <description>This update for cacti, cacti-spine fixes the following issues:

cacti 1.2.30:

- Unable to add new users
- When using Automation Rules, specifying graph criteria may cause issues
- When transferring a system from a backup, if the poller has not run recently, rrdtool issues are found
- When translating, quotes may cause incorrect text to appear
- When using Boost for the first time, warnings may appear
- When refreshing forms, items may be checked incorrectly by xmacan

cacti 1.2.29:

- CVE-2025-22604 GHSA-c5j8-jxj3-hh36 - Authenticated RCE via multi-line SNMP responses (bsc#1236488)
- CVE-2025-24368 GHSA-f9c7-7rc3-574c - SQL Injection vulnerability when using tree rules through Automation API (bsc#1236490)
- CVE-2024-54145 GHSA-fh3x-69rr-qqpp - SQL Injection vulnerability when requesting automation devices (bsc#1236487)
- CVE-2025-24367 GHSA-fxrq-fr7h-9rqq - Arbitrary File Creation leading to RCE (bsc#1236489)
- CVE-2024-45598 GHSA-pv2c-97pp-vxwg - Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path (bsc#1236482)
- CVE-2024-54146 GHSA-vj9g-P7F2-4wqj - SQL Injection vulnerability when viewing a host template (bsc#1236486)
- issue: Temporary table names may incorrectly think they have a schema
- issue: When using Preset Time to view graphs, it is using a fixed point rather than relative time
- issue: Fix issue where RRA files are not automatically removed
- issue: Fix invalid help link for Automation Networks
- issue: Unable to disable a tree within the GUI
- issue: When removing graphs, RRA files may be left behind
- issue: Improve compatibility with ping under FreeBSD
- issue: Improve compatibility with Slice RRD tool under PHP 8.x
- issue: Allow IPv6 formats to use colons without port
- issue: Update Fortigate, Aruba OSCX and Clearpass templates
- issue: When a plugin is disabled, unable to use GUI to enable it again
- issue: When upgrading, ensure that replication only runs as necessary
- issue: Improve caching and syncing issues with replication
- issue: Improve caching techniques for database calls
- issue: Improve compatibility for Error constants under PHP 8.4
- issue: When running the upgrade database script, cursor is left in the middle of the row
- issue: Guest page does not automatically refresh
- issue: When installing, conversion of tables may produce collation errors
- feature: Add HPE Nimble/Alletra template
- feature: When installing, only convert core cacti tables
- Add /srv/www directories to filelist [boo#1231027]
- fix for cacti-cron.timer &amp; cacti-cron.service failing after the upgrade has already removed them
- replace cacti-cron.timer &amp; cacti-cron.service with cactid.service to fix thold &amp; other "sub poller" poller processes not running

cacti 1.2.28:

- CVE-2024-43365 GHSA-49f2-hwx9-qffr: XSS vulnerability when creating external links with the consolenewsection parameter (bsc#1231372)
- CVE-2024-43364 GHSA-fgc6-g8gc-wcg5: XSS vulnerability when creating external links with the title parameter (bsc#1231371)
- CVE-2024-43363 GHSA-gxq4-mv8h-6qj4: RCE vulnerability can be executed via Log Poisoning (bsc#1231370)
- CVE-2024-43362 GHSA-wh9c-v56x-v77c: XSS vulnerability when creating external links with the fileurl parameter (bsc#1231369)
- issue: When using LDAP authentication the first time, warnings may appear in logs
- issue: When installing, a replication loop for plugin_realms may occur
- issue: When installing, remote poller may attempt to sync with other pollers
- issue: When a Data Query has a space, indexes may not be properly escaped
- issue: Boost does not always order data source records properly
- issue: Add IP address to the login audit for successful logins by xmacan
- issue: Undefined variable error may sometimes occur when dealing with RRD output by MSS970
- issue: When exporting to CSV, only the first line of notes is included
- issue: When rendering forms, missing default value can cause errors
- issue: Allow hosted content to be executable for the links page
- issue: When closing database connections, some may linger incorrectly
- issue: When changing passwords, an infinite loop may occur by ddb4github
- issue: When using Cacti Daemon, a "Cron out of sync" message may be reported
- issue: Add ability to filter/sort users by group or last login time
- issue: When using List View, unable to add Graphs to a Report
- issue: When using SNMPv3, some devices may show polling issues
- issue: Limit table conversion to Cacti core tables
- issue: Fix issues with posix-based kills on Windows
- issue: When installing, password changes may fail on new installations
- issue: When using structured RRD folders, permission issues may be flagged incorrectly
- issue: When unable to locate a valid theme, new default will be Modern
- issue: Properly cache the data source information for dsstats processing
- issue: When reindexing, verify all fields may not work as intended
- feature: Add ability to log database connections/disconnections
- feature: Add Ping Method where connection refused assumes host is up
- feature: When displaying graphs, default end time does not show full 24 hour period
- feature: Add --id to remove_device.php
- feature: Add Location and Site to Graph List View
- feature: Add more verbose logging to Boost
- feature: Update jQuery to 3.7.1
- feature: Update jQueryUI to 1.14.0
- feature: Update Purify.js to 3.1.6
- feature: Update billboard.js to 3.13.0
- feature: Improve the performance of the repopulation of the poller cache

Changes in cacti-spine:

cacti-spine 1.2.30:

- no changes
- Bump/rebuild to match Cacti 1.2.30

cacti-spine 1.2.28:

- When using Ping or SNMP Uptime, host is not always detected properly
- Add Ping Method where connection refused assumes host is up
</description>
</patchinfo>
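As an added post-update check (not part of this patchinfo or of the cacti packaging), the POSIX shell script below verifies on a host that the installed cacti and cacti-spine packages are at or above the 1.2.30 version this update ships, and that the poller is now driven by cactid.service, which the description above says replaces cacti-cron.timer and cacti-cron.service (thold and other sub-poller processes only run under cactid). It assumes rpm, systemctl and a sort that supports -V (GNU coreutils) are available; the package names, unit names and fixed version are the ones named in the description, everything else (function names, the --run switch) is the example's own.

```shell
#!/bin/sh
# Added example: post-update check for the cacti / cacti-spine security update.
# Not part of the patchinfo or of the cacti packaging.
# Assumptions: rpm, systemctl and GNU coreutils sort (for -V) are available.

FIXED_VERSION="1.2.30"              # upstream version this update ships

# version_ge A B: succeed when version A >= version B in natural version order.
# sort -V puts the smaller version first; if B is first, A is not older than B.
version_ge() {
    [ "$(printf '%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# installed_version PKG: print the installed upstream version, fail if absent.
installed_version() {
    rpm -q "$1" >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}\n' "$1"
}

# package_patched PKG: 0 = at or above FIXED_VERSION, 1 = too old, 2 = not installed.
package_patched() {
    v=$(installed_version "$1") || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# poller_service_ok: cactid.service must be enabled and the retired
# cacti-cron.timer / cacti-cron.service units must no longer be present.
poller_service_ok() {
    systemctl is-enabled cactid.service >/dev/null 2>&1 || return 1
    for unit in cacti-cron.timer cacti-cron.service; do
        if systemctl list-unit-files "$unit" --no-legend 2>/dev/null | grep -q "^$unit"; then
            return 1                # stale unit still installed
        fi
    done
    return 0
}

# report: print one line per package plus the poller unit state; non-zero
# exit status when anything still needs attention.
report() {
    rc=0
    for pkg in cacti cacti-spine; do
        package_patched "$pkg"
        case $? in
            0) echo "$pkg: $(installed_version "$pkg") >= $FIXED_VERSION (ok)" ;;
            1) echo "$pkg: $(installed_version "$pkg") < $FIXED_VERSION (UPDATE NEEDED)"; rc=1 ;;
            2) echo "$pkg: not installed" ;;
        esac
    done
    if poller_service_ok; then
        echo "poller units: cactid.service enabled, cacti-cron units removed (ok)"
    else
        echo "poller units: cactid.service not enabled or cacti-cron units remain (CHECK)"
        rc=1
    fi
    return $rc
}

# Only run the report when invoked as `sh cacti-check.sh --run`, so the
# functions can also be sourced into another script.
if [ "${1-}" = "--run" ]; then
    report
fi
```

Run it as `sh cacti-check.sh --run` after `zypper patch`; a non-zero exit means a package is still below 1.2.30 or the old cacti-cron units are still present. Comparing only `%{VERSION}` is deliberate: the distribution release suffix differs per product, while the upstream version is what the advisory names.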