Cacti 0.8.7b and 0.8.6k release - IMPORTANT SECURITY UPDATES

Important information about Cacti developments that all users should be interested in.

Moderators: Developers, Moderators

User avatar
fmangeant
Cacti Guru User
Posts: 2345
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

Cacti 0.8.7b and 0.8.6k release - IMPORTANT SECURITY UPDATES

Post by fmangeant »

Important Security Fixes for Cacti

Multiple security vulnerabilities have been discovered in Cacti's web interface:
  • XSS vulnerabilities
  • Path disclosure vulnerabilities
  • SQL injection vulnerabilities
  • HTTP response splitting vulnerabilities
All the above issues have been addressed in a new release of Cacti: Patches for the following versions are available at:
[size=84]
[color=green]HOWTOs[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15353]Install and configure the Net-SNMP agent for Unix[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=26151]Install and configure the Net-SNMP agent for Windows[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=28175]Graph multiple servers using an SNMP proxy[/url][/list]
[color=green]Templates[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15412]Multiple CPU usage for Linux[/url]
[*][url=http://forums.cacti.net/viewtopic.php?p=125152]Memory & swap usage for Unix[/url][/list][/size]
mcutting
Cacti Guru User
Posts: 1884
Joined: Mon Oct 16, 2006 5:57 am
Location: United Kingdom
Contact:

Post by mcutting »

Will there be any pre-patched files for Windows users with 0.8.7a ?

Thanks
Cacti Version 0.8.8b
Cacti OS Ubuntu LTS
RRDTool Version RRDTool 1.4.7
Poller Information
Type SPINE 0.8.8b
User avatar
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

Please note that Jimmy will have to release a corresponding Plugin Architecture to go with this release.

Regards,

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
mcutting
Cacti Guru User
Posts: 1884
Joined: Mon Oct 16, 2006 5:57 am
Location: United Kingdom
Contact:

Post by mcutting »

Thanks Larry - I was going to ask about that as well...
Cacti Version 0.8.8b
Cacti OS Ubuntu LTS
RRDTool Version RRDTool 1.4.7
Poller Information
Type SPINE 0.8.8b
User avatar
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

Jimmy is pretty busy, but should be able to nock this out. If not, one of us can package it.

Regards,

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
User avatar
Howie
Cacti Guru User
Posts: 5508
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom
Contact:

Post by Howie »

To clarify - are the patches above to fix the specific security issues or to upgrade to 0.8.7b?

It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places :oops:
Weathermap 0.98a is out! & QuickTree 1.0. Superlinks is over there now (and built-in to Cacti 1.x).
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Patches are just for security issues.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
User avatar
fmangeant
Cacti Guru User
Posts: 2345
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

Post by fmangeant »

Howie wrote:It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places :oops:
Same for me... I upgraded by hand my 0.8.6j & 0.8.7a servers this morning.
[size=84]
[color=green]HOWTOs[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15353]Install and configure the Net-SNMP agent for Unix[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=26151]Install and configure the Net-SNMP agent for Windows[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=28175]Graph multiple servers using an SNMP proxy[/url][/list]
[color=green]Templates[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15412]Multiple CPU usage for Linux[/url]
[*][url=http://forums.cacti.net/viewtopic.php?p=125152]Memory & swap usage for Unix[/url][/list][/size]
User avatar
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

Howie wrote:To clarify - are the patches above to fix the specific security issues or to upgrade to 0.8.7b?

It might be easier for me to stick with 0.8.7a at the moment since my Cacti is pretty hacked about in places :oops:
Howie,

Is there anything I can do to stop the bleeding on your part?

Larry
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
User avatar
fmangeant
Cacti Guru User
Posts: 2345
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

Post by fmangeant »

Plugin Architecture 2.0 for Cacti 0.8.7b is out : http://forums.cacti.net/viewtopic.php?t=25766
[size=84]
[color=green]HOWTOs[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15353]Install and configure the Net-SNMP agent for Unix[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=26151]Install and configure the Net-SNMP agent for Windows[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=28175]Graph multiple servers using an SNMP proxy[/url][/list]
[color=green]Templates[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15412]Multiple CPU usage for Linux[/url]
[*][url=http://forums.cacti.net/viewtopic.php?p=125152]Memory & swap usage for Unix[/url][/list][/size]
User avatar
Howie
Cacti Guru User
Posts: 5508
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom
Contact:

Post by Howie »

TheWitness wrote: Is there anything I can do to stop the bleeding on your part?

Larry
Nope. Like fmangeant, I applied the patches, although I had to make some of the changes manually. Luckily there aren't too many of them :-)

Looking at the 'b' changelog, I think quite a few of my tweaks are in the main code now, so I need to work out what's left, and merge that back into 'b' I guess, so I can upgrade properly. It's all UI sanding and polishing though, nothing structural.
Weathermap 0.98a is out! & QuickTree 1.0. Superlinks is over there now (and built-in to Cacti 1.x).
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)
User avatar
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

Well, please let me know if there is anything we missed. We can do 0.8.7b patches...

Larry
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
mcutting
Cacti Guru User
Posts: 1884
Joined: Mon Oct 16, 2006 5:57 am
Location: United Kingdom
Contact:

Post by mcutting »

HELP !!!

I managed to get the PIA working on 0.8.7b, but now have

CMDPHP: Poller[0] ERROR: A DB Exec Failed!, Error:'1064', SQL:"REPLACE INTO settings (name, value) VALUES ('url_path', 'Cacti\')'

In the logs every 10 seconds - I have set the url_path variable in plugins.php as suggested, and everything seems to work, with the exception of this error.

Any ideas ?
Cacti Version 0.8.8b
Cacti OS Ubuntu LTS
RRDTool Version RRDTool 1.4.7
Poller Information
Type SPINE 0.8.8b
User avatar
fmangeant
Cacti Guru User
Posts: 2345
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

Post by fmangeant »

Hi

please post in the plugin arch forum.
[size=84]
[color=green]HOWTOs[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15353]Install and configure the Net-SNMP agent for Unix[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=26151]Install and configure the Net-SNMP agent for Windows[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=28175]Graph multiple servers using an SNMP proxy[/url][/list]
[color=green]Templates[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15412]Multiple CPU usage for Linux[/url]
[*][url=http://forums.cacti.net/viewtopic.php?p=125152]Memory & swap usage for Unix[/url][/list][/size]
andrew2
Cacti User
Posts: 64
Joined: Mon Jul 26, 2004 2:50 pm
Location: Cincinnati, OH
Contact:

Post by andrew2 »

Am I safe to assume those of us using web-basic authentication exclusively are safe from the security issues? (Assuming of course that authenticated users are trustworthy :wink: )

Andrew
Post Reply

Who is online

Users browsing this forum: No registered users and 4 guests