Release of Cacti 1.2.10
Thank you to everyone who is using Cacti, and especially those helping to make Cacti better!
For additional details check out the README located on GitHub.
IMPORTANT: Prior to this release, 1.2.10, a flaw existed which allowed a malicious actor to execute remote code by use of Guest Accounts with Real Time Access.
This can be countered using any of the following:
- Ensure PHP is greater than 7.1
- Disable the Guest Account
- Disable Guest access to Real Time Graphs
- Use Cacti 1.2.10+
Contribute
Active development of Cacti is located on GitHub! Join us in making Cacti better, submit issues, fork and submit pull requests!
Cacti Change Log
- security#3285: When guest users have access to realtime graphs, remote code could be executed (CVE-2020-8813)
- issue#3240: When using User Domains, global template user is used instead of the configured domain template user
- issue#3245: Unix timestamps after Sep 13 2020 are rejected as graph start/end arguments
- issue#3246: When upgrading with remote collectors, sync status does not always return properly
- issue#3250: When PHP memory limit is set to -1, recommendation value fails
- issue#3253: Upgrade can stall when checking permissions on csrf-secret.php
- issue#3254: Installer shows script owner rather than running user for suggested chown command
- issue#3266: When setting User Groups to 'Defer to the User', setting can lead to user being told they have no permissions
- issue#3269: When searching Graphs under a Chinese language, an unexpected error is sometimes shown
- issue#3274: When editing a tree, multiple device drag/drop does not work
- issue#3276: When spine aborts, script server can be left wanting or generating unnecessary logs
- issue#3277: When boost does not find an initial time, numeric errors can be raised
- issue#3281: When changing Graph Template options, incorrect image format may be selected
- issue#3282: Graphs can be sized incorrectly if image is SVG format
- issue#3283: When setting a file path, valid characters not recognised properly
- issue#3287: When using graph template 'Cacti Stats - User Logins', an incorrect count of invalid users can be seen
- issue#3288: When on Device page, pressing 'Go' on the filter caused Device New menu pick to appear
- issue#3289: When using CMD.PHP, poller id is not always shown properly
- issue#3290: When using CMD.PHP, inconsistent device logging levels may occur
- issue#3298: When initialising fields in JavaScript, text/textarea elements have width set to zero if it is hidden by parent by ddb4github
- issue#3302: Editing a Graph Template does not show the Data Template name
http://www.cacti.net/issues.php
Download Cacti
http://www.cacti.net/download_cacti.php
Download Spine
http://www.cacti.net/spine_download.php
Thanks!
The Cacti Group