Cacti 0.8.7b and 0.8.6k release - IMPORTANT SECURITY UPDATES

fmangeant · Post by **fmangeant** » Tue Feb 12, 2008 5:39 am

Important Security Fixes for Cacti

Multiple security vulnerabilities have been discovered in Cacti's web interface:

XSS vulnerabilities
Path disclosure vulnerabilities
SQL injection vulnerabilities
HTTP response splitting vulnerabilities

All the above issues have been addressed in a new release of Cacti:

0.8.7b - http://www.cacti.net/downloads/cacti-0.8.7b.tar.gz
0.8.6k - http://www.cacti.net/downloads/cacti-0.8.6k.tar.gz

Patches for the following versions are available at:

0.8.7a - http://www.cacti.net/download_patches.p ... ion=0.8.7a
0.8.6j - http://www.cacti.net/download_patches.p ... ion=0.8.6j

mcutting · Post by **mcutting** » Tue Feb 12, 2008 6:19 am

Will there be any pre-patched files for Windows users with 0.8.7a ?

Thanks

Post by **TheWitness** » Tue Feb 12, 2008 7:12 am

Please note that Jimmy will have to release a corresponding Plugin Architecture to go with this release.

Regards,

TheWitness

mcutting · Post by **mcutting** » Tue Feb 12, 2008 7:13 am

Thanks Larry - I was going to ask about that as well...

Post by **TheWitness** » Tue Feb 12, 2008 7:16 am

Jimmy is pretty busy, but should be able to nock this out. If not, one of us can package it.

Regards,

TheWitness

Howie · Post by **Howie** » Tue Feb 12, 2008 2:55 pm

To clarify - are the patches above to fix the specific security issues or to upgrade to 0.8.7b?

It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places

Post by **rony** » Tue Feb 12, 2008 3:08 pm

Patches are just for security issues.

fmangeant · Post by **fmangeant** » Tue Feb 12, 2008 3:11 pm

Howie wrote:It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places

Same for me... I upgraded by hand my 0.8.6j & 0.8.7a servers this morning.

Post by **TheWitness** » Tue Feb 12, 2008 8:39 pm

Howie wrote:To clarify - are the patches above to fix the specific security issues or to upgrade to 0.8.7b?

It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places

Howie,

Is there anything I can do to stop the bleeding on your part?

Larry

fmangeant · Post by **fmangeant** » Wed Feb 13, 2008 2:58 am

Plugin Architecture 2.0 for Cacti 0.8.7b is out : http://forums.cacti.net/viewtopic.php?t=25766

Howie · Post by **Howie** » Wed Feb 13, 2008 3:26 am

TheWitness wrote: Is there anything I can do to stop the bleeding on your part?

Larry

Nope. Like fmangeant, I applied the patches, although I had to make some of the changes manually. Luckily there aren't too many of them

Looking at the 'b' changelog, I think quite a few of my tweaks are in the main code now, so I need to work out what's left, and merge that back into 'b' I guess, so I can upgrade properly. It's all UI sanding and polishing though, nothing structural.

Post by **TheWitness** » Wed Feb 13, 2008 6:45 am

Well, please let me know if there is anything we missed. We can do 0.8.7b patches...

Larry

mcutting · Post by **mcutting** » Thu Feb 14, 2008 9:01 am

HELP !!!

I managed to get the PIA working on 0.8.7b, but now have

CMDPHP: Poller[0] ERROR: A DB Exec Failed!, Error:'1064', SQL:"REPLACE INTO settings (name, value) VALUES ('url_path', 'Cacti\')'

In the logs every 10 seconds - I have set the url_path variable in plugins.php as suggested, and everything seems to work, with the exception of this error.

Any ideas ?

fmangeant · Post by **fmangeant** » Thu Feb 14, 2008 9:02 am

Hi

please post in the plugin arch forum.

andrew2 · Post by **andrew2** » Thu Feb 14, 2008 9:15 am

Am I safe to assume those of us using web-basic authentication exclusively are safe from the security issues? (Assuming of course that authenticated users are trustworthy

)

Andrew

Cacti 0.8.7b and 0.8.6k release - IMPORTANT SECURITY UPDATES

Cacti 0.8.7b and 0.8.6k release - IMPORTANT SECURITY UPDATES

Who is online