lp://staging/ubuntu/feisty-security/cacti

Created by James Westby and last modified
Get this branch:
bzr branch lp://staging/ubuntu/feisty-security/cacti

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

14. By Jamie Strandboge

debian/patches/11_CVE-2008-0783_CVE-2008-0784_regression.dpatch: fix
'Invalid PHP_SELF Path' regression (LP: #194687)

13. By Stephan Rügamer

* SECURITY UPDATE: (LP: #192199)
  + CVE-2008-0783: Multiple cross-site scripting (XSS) vulnerabilities in
    Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to
    inject arbitrary web script or HTML via the (1) view_type parameter to
    graph.php, (2) filter parameter to graph_view.php, and (3) action and
    login_username parameters to index.php/login.
  + CVE-2008-0784: graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before
    0.8.6k allows remote attackers to obtain the full path via an invalid
    local_graph_id parameter and other unspecified vectors.
* debian/patches/11_CVE-2008-0783_CVE-2008-0784.dpatch: applied patch by
  upstream. (backported from 0.8.6j)
  (Link: http://www.cacti.net/downloads/patches/0.8.6j/multiple_vulnerabilities-0.8.6j.patch)
* References:
  CVE-2008-0783
  CVE-2008-0784

12. By Stephan Rügamer

* SECURITY UPDATE: (LP: #164072)
  + CVE-2007-6035: SQL injection vulnerability in Cacti before 0.8.7a allows
    remote attackers to execute arbitrary SQL commands via unspecified
    vectors.
  + CVE-2007-3112: Cacti 0.8.6i, and possibly other versions, allows remote
    authenticated users to cause a denial of service (CPU consumption) via a large
    value of the (1) graph_start or (2) graph_end parameter.
  + CVE-2007-3113: Cacti 0.8.6i, and possibly other versions, allows remote
    authenticated users to cause a denial of service (CPU consumption) via a large
    value of the (1) graph_height or (2) graph_width parameter.
* debian/patches/10_CVE-2007-6035.dpatch: applied patch by upstream
  (Link: http://www.cacti.net/downloads/patches/0.8.6j/sec_sql_injection-0.8.6j.patch)
* debian/patches/10_CVE-2007-3112+CVE-2007-3113.dpatch:
  - Applied patch by upstream
  - Link: http://svn.cacti.net/cgi-bin/viewvc.cgi/cacti/branches/0.8.7/graph_image.php?r1=3898&r2=3956&view=patch
* References:
  CVE-2007-6035
  CVE-2007-3112
  CVE-2007-3113
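The two security entries above (revisions 13 and 12) state the upstream version ranges each CVE applies to. The following is an added example, not code from the Cacti project or from the Ubuntu packaging: it parses Cacti's version scheme (dotted numbers plus an optional trailing letter, such as 0.8.6k or 0.8.7b) and reports which of the CVEs listed on this page an unpatched upstream release falls under. The assumptions are mine: the trailing letter sorts after the bare number ("" < "a" < "b"), missing fields are padded with zeros, and CVE-2007-3112/3113, which the entry only pins to 0.8.6i ("possibly other versions"), are matched exactly. The caveat a practitioner needs: a Debian/Ubuntu package keeps the upstream version string (for example 0.8.6i-...) while carrying the backported dpatch files listed above, so a version-range match like this says nothing about whether the distribution's fix is applied; check debian/changelog for the CVE references.

```python
import re

# Cacti upstream versions on this page look like "0.8.6", "0.8.6k", "0.8.7b":
# dotted numeric fields plus an optional single lowercase letter.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def upstream_version(pkg_version):
    """Strip a Debian-style package version ("1:0.8.6i-3ubuntu1") down to the
    upstream part ("0.8.6i"). Assumption: epoch before ':', revision after '-'."""
    return pkg_version.split("-", 1)[0].split(":", 1)[-1]


def version_key(s):
    """Sort key for a Cacti version. Numeric fields compare first (padded to three
    so "0.8" == "0.8.0"), then the letter suffix ("" < "a" < "b")."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Cacti version: {s!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    return nums, m.group(2)


# Affected ranges copied from the changelog entries above:
# (CVE, lower bound inclusive or None, upper bound exclusive).
RANGES = [
    ("CVE-2008-0783", "0.8.7", "0.8.7b"),
    ("CVE-2008-0783", "0.8.6", "0.8.6k"),
    ("CVE-2008-0784", "0.8.7", "0.8.7b"),
    ("CVE-2008-0784", "0.8.6", "0.8.6k"),
    ("CVE-2007-6035", None, "0.8.7a"),
]

# The DoS entries name only 0.8.6i, so they are matched exactly (assumption).
EXACT = [
    ("CVE-2007-3112", "0.8.6i"),
    ("CVE-2007-3113", "0.8.6i"),
]


def affected_cves(version):
    """Return the CVEs from this page whose stated upstream range covers
    `version`. Accepts either an upstream version or a full package version.
    Note: a matching range does not mean the distro package is unpatched."""
    key = version_key(upstream_version(version))
    hits = []
    for cve, lo, hi in RANGES:
        in_range = (lo is None or version_key(lo) <= key) and key < version_key(hi)
        if in_range and cve not in hits:
            hits.append(cve)
    for cve, exact in EXACT:
        if version_key(exact) == key:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real system.
    for v in ("0.8.6i-3ubuntu1", "0.8.6j", "0.8.6k", "0.8.7a", "0.8.7b"):
        print(f"{v:16} -> {', '.join(affected_cves(v)) or 'none listed'}")
```

The ranges are the page's own text turned into data; if you extend the table, keep each series (0.8.6 and 0.8.7) as its own row as the CVE text does, since "0.8.7 before 0.8.7b" does not imply anything about 0.8.6 releases.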

11. By sean finney <email address hidden>

* include the list of official patches from upstream which (among other
  things) resolves multiple vulnerabilities in the poller and default
  scripts (Closes: 404818). thanks to Alex de Oliveira Silva for reporting
  this, and Neil McGovern for a bit of consultation.
* security references:
  - SA23528, CVE-2006-6799
* also include one extra changeset from svn which fixes a regression
  introduced in the security patch.
* new patches:
  - 07_official_dec06-vulnerability-scripts-0.8.6i.dpatch
  - 07_official_dec06-vulnerability-poller-0.8.6i.dpatch
  - 07_official_poller_output_remainder.dpatch
  - 07_official_import_template_argument_space_removal.dpatch
  - 08_svn_timespan_breakage_fix.dpatch

10. By sean finney <email address hidden>

let cacti know where the cactid binary is, since it doesn't
seem to have a reasonable default any longer.

9. By sean finney <email address hidden>

* official patch from upstream to fix database corruption and display some
  users were having as a result of the differing version of adodb
  in debian vs. the bundled version in cacti. thanks to the upstream
  authors for their help addressing the issue, and to Rene Cunningham
  for testing out the initial version of the patch.
  (closes: #364391, #351342)
* added note to README.Debian about potential unmet dependencies in
  mixed php4/php5 environments (thanks to Uwe Storbeck), and also
  about checking the cli configuration for the required modules (thanks
  to Troy Poppe), and also about potential problems with the cli
  poller and safe_mode (thanks to Birger Brunswiek) (closes: #359964).
* update package description to mention that it's likely that mysql-server
  should also be installed unless cacti is to be configured against a
  remote database system (closes: #349754).
* added a note to README.Debian about the initial user/pass, at the
  suggestion of Jonas Genannt, thanks. (closes: #352724).
* changed package dependencies to list apache2 as the first of the
  series of apache-providing packages, and likewise reordered the
  php/apache modules (closes: #356843).
* updated version of 08_official-mysql_5x_strict.dpatch which fixes
  the breakage in ldap authentication reported by Matt Clauson, thanks.
  (closes: #354663)

8. By Steve Kowalik

Install apache2 by default. (Malone: #29008)

7. By Daniel T Chen

debian/control: Add missing Depends on dbconfig-common.

6. By Daniel T Chen

Resynchronise with Debian.

5. By Stephan Rügamer

Resynchronise with Debian.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp://staging/ubuntu/karmic/cacti