Changelog for cacti-1.2.27-162.5.noarch.rpm:
* Tue May 14 2024 Andreas Stieger
- cacti 1.2.27:
  * CVE-2024-34340: Authentication Bypass when using older password hashes (boo#1224240)
  * CVE-2024-25641: RCE vulnerability when importing packages (boo#1224229)
  * CVE-2024-31459: RCE vulnerability when plugins include files (boo#1224238)
  * CVE-2024-31460: SQL Injection vulnerability when using tree rules through Automation API (boo#1224239)
  * CVE-2024-29894: XSS vulnerability when using JavaScript based messaging API (boo#1224231)
  * CVE-2024-31458: SQL Injection vulnerability when using form templates (boo#1224241)
  * CVE-2024-31444: XSS vulnerability when reading tree rules with Automation API (boo#1224236)
  * CVE-2024-31443: XSS vulnerability when managing data queries (boo#1224235)
  * CVE-2024-31445: SQL Injection vulnerability when retrieving graphs using Automation API (boo#1224237)
  * CVE-2024-27082: XSS vulnerability when managing trees (boo#1224230)
  * Improve PHP 8.3 support
  * When importing packages via command line, data source profile could not be selected
  * When changing password, returning to previous page does not always work
  * When using LDAP authentication the first time, warnings may appear in logs
  * When editing/viewing devices, add IPv6 info to hostname tooltip
  * Improve speed of polling when Boost is enabled
  * Improve support for Half-Hour time zones
  * When user session not found, device lists can be incorrectly returned
  * On import, legacy templates may generate warnings
  * Improve support for alternate locations of Ping
  * Improve PHP 8.1 support for Installer
  * Fix issues with number formatting
  * Improve PHP 8.1 support when SpikeKill is run first time
  * Improve PHP 8.1 support for SpikeKill
  * When using Chinese to search for graphics, garbled characters appear
  * When importing templates, preview mode will not always load
  * When remote poller is installed, MySQL TimeZone DB checks are not performed
  * When Remote Poller installation completes, no finish button is shown
  * Unauthorized agents should be recorded into logs
  * Poller cache may not always update if hostname changes
  * When using CMD poller, Failure and Recovery dates may have incorrect values
  * Saving a Tree can cause the tree to become unpublished
  * Web Basic Authentication does not record user logins
  * When using Accent-based languages, translations may not work properly
  * Fix automation expressions for device rules
  * Improve PHP 8.1 Support during fresh install with boost
  * Add a device "enabled/disabled" indicator next to the graphs
  * Notify the admin periodically when a remote data collector goes into heartbeat status
  * Add template for Aruba Clearpass
  * Add filter/sort of Device Templates by Graph Templates

* Mon Feb 26 2024 Dominique Leuenberger
- Use %autosetup macro. Allows eliminating the usage of the deprecated PatchN.
* Sun Dec 24 2023 Andreas Stieger
- cacti 1.2.26:
  * CVE-2023-50250: XSS vulnerability when importing a template file (boo#1218380)
  * CVE-2023-49084: RCE vulnerability when managing links (boo#1218360)
  * CVE-2023-49085: SQL Injection vulnerability when managing poller devices (boo#1218378)
  * CVE-2023-49086: XSS vulnerability when adding new devices (boo#1218366)
  * CVE-2023-49088: XSS vulnerability when viewing data sources in debug mode (boo#1218379)
  * CVE-2023-51448: SQL Injection vulnerability when managing SNMP Notification Receivers (boo#1218381)
  * When viewing data sources, an undefined variable error may be seen
  * Improvements for Poller Last Run Date
  * Attempting to edit a Data Query that does not exist throws warnings and not a GUI error
  * Improve PHP 8.1 support when adding devices
  * Viewing Data Query Cache can cause errors to be logged
  * Preserve option is not properly honoured when removing devices at command line
  * Infinite recursion is possible during a database failure
  * Monitoring Host CPUs does not always work on Windows endpoints
  * Multi select drop down list box not rendered correctly in Chrome and Edge
  * Selective Plugin Debugging may not always work as intended
  * During upgrades, Plugins may be falsely reported as incompatible
  * Plugin management at command line does not work with multiple plugins
  * Improve PHP 8.1 support for incrementing only numbers
  * Allow the renaming of guest and template accounts
  * DS Stats issues warnings when the RRDfile has not been initialized
  * When upgrading, missing data source profile can cause errors to be logged
  * When deleting a single Data Source, purge historical debug data
  * Improvements to form element warnings
  * Some interface aliases do not appear correctly
  * Aggregate graph does not show other percentiles
  * Settings table updates for large values reverted by database repair
  * When obtaining graph records, error messages may be recorded
  * Unable to change a device's community at command line
  * Increase timeout for RRDChecker
  * When viewing a graph, option to edit template may lead to incorrect URL
  * When upgrading, failures may occur due to missing color table keys
  * On installation, allow a more appropriate template to be used as the default
  * When data input parameters are allowed to be null, allow null
  * CSV Exports may not always output data correctly
  * When debugging a graph, long CDEFs can cause undesirable scrolling
  * Secondary LDAP server not evaluated when the first one has failed
  * When adding a device, using the bulk walk option can make version information appear
  * When parsing a Data Query resource, an error can be reported if no direction is specified
  * Database reconnection can cause errors to be reported incorrectly
  * fix returned value if $sau is empty
  * Add Aruba switch, Aruba controller and HPE iLO templates
  * Add OSCX 6x00 templates

* Wed Sep 06 2023 Andreas Stieger
- cacti 1.2.25:
  * CVE-2023-30534: Protect against Insecure deserialization of filter data (boo#1215082)
  * CVE-2023-39360: Cross-Site Scripting vulnerability when creating new graphs (boo#1215044)
  * CVE-2023-39361: Unauthenticated SQL Injection when viewing graphs (boo#1215045)
  * CVE-2023-39357: SQL Injection when saving data with sql_save() (boo#1215040)
  * CVE-2023-39362: Authenticated command injection when using SNMP options (boo#1215047)
  * CVE-2023-39359: Authenticated SQL injection vulnerability when managing graphs (boo#1215043)
  * CVE-2023-39358: Authenticated SQL injection vulnerability when managing reports (boo#1215042)
  * CVE-2023-39365: SQL Injection when using regular expressions (boo#1215051)
  * CVE-2023-39364: redirect in change password functionality (boo#1215050)
  * CVE-2023-39366: Cross-Site Scripting vulnerability with Device Name when managing Data Sources (boo#1215052)
  * CVE-2023-39510: Cross-Site Scripting vulnerability with Device Name when administrating Reports (boo#1215053)
  * CVE-2023-39511: Cross-Site Scripting vulnerability with Device Name when editing Graphs whilst managing Reports (boo#1215081)
  * CVE-2023-39512: Cross-Site Scripting vulnerability with Device Name when managing Data Sources (boo#1215054)
  * CVE-2023-39513: Cross-Site Scripting vulnerability with Device Name when debugging data queries (boo#1215055)
  * CVE-2023-39514: Cross-Site Scripting vulnerability with Data Source Name when managing Graphs (boo#1215056)
  * CVE-2023-39515: Cross-Site Scripting vulnerability with Data Source Name when debugging Data Queries (boo#1215058)
  * CVE-2023-39516: Cross-Site Scripting vulnerability with Data Source Information when managing Data Sources (boo#1215059)
  * When rebuilding the Poller Cache from command line, allow it to be multi-threaded
  * When searching tree or list views, the URL does not update after changes
  * When creating a Data Source Template with a specific snmp port, the port is not always applied
  * When a Data Query references a file, the filename should be trimmed to remove spurious spaces
  * THold plugin may not always install or upgrade properly
  * RRD file structures are not always updated properly, if there are more Data Sources in the Data Template than the Graph Template
  * When reindexing devices, errors may sometimes be shown
  * Boost may lose data when the database server is overloaded
  * Boost can sometimes output unexpected or invalid values
  * Boost should not attempt to start if there are no items to process
  * Rebuilding the poller cache does not always work as expected
  * Host CPU items may not poll as expected when on a remote data collector where hmib is also enabled
  * When creating new graphs, invalid offset errors may be generated
  * When importing packages, SQL errors may be generated
  * When managing plugins from command line, the --plugin option is not properly handled
  * When automating an install of Cacti, error messages can appear
  * When performing automated install of a plugin, warnings can be thrown
  * Automation references the wrong table name causing errors
  * Data Source Info Mode produces invalid recommendations
  * Data Source Debug 'Run All' generates too many log messages
  * The description of rebuild poller cache in utilities does not display properly
  * When reindexing a device, debug information may not always display properly
  * Upon displaying a form with errors, the session error fields variable isn't cleared
  * MariaDB clusters will no longer support exclusive locks
  * RRDtool can fail to update when sources in Data Template and Graph Template data sources do not match
  * Compatibility improvements for Boost under PHP 8.x
  * When searching the tree, increase the time before querying for items
  * Device Location drop down does not always populate correctly
  * When viewing Realtime graphs, undefined variable errors may be reported
  * SNMP Uptime is not always ignored for spikekills
  * Improve detection of downed Devices
  * When reporting missing functions from Plugins, ensure messages do not occur too often
  * When starting the Cacti daemon, database errors may be reported when there is no problem
  * When reporting from RRDcheck, ensure prefix is in the correct casing
  * Improve Orphaned Data Source options and display
  * Parsing the PHP Configuration may sometimes produce errors
  * Security processes attempt to check for a user lockout even if there is no user logged in
  * When attempting to edit a tree, the search filter for Graphs remains disabled
  * When reindexing, a Data Source that could be un-orphaned may not always be unorphaned
  * When parsing a date value, there could be more than 30 chars
  * Untemplated Data Sources can fail to update due to lack of an assigned Graph
  * When processing items to check, do not include disabled hosts
  * When saving a Data Source Template, SQL errors may be reported
  * When importing a Template, errors may be recorded
  * Some display strings have invalid formatting that cannot be parsed
  * When filtering with regular expressions, the 'does not match' option does not always function as expected
  * When enabling a plugin, sometimes it can appear as if nothing happens
  * Ensure the Rows Per Page option shows limitations set by configuration
  * Plugins are unable to modify fields in the setting 'Change Device Settings'
  * When reporting emails being sent, ensure BCC addresses are also included
  * Improve compatibility of SNMP class trim handling under PHP 8.x
  * When importing legacy Data Query Templates, the Template can become unusable
  * Provide ability to raise an event when extending the settings form
  * Prevent unsupported SQL Mode flags from being set
  * The DSStats summary does not always display expected values
  * When performing a fresh install, device classification may be missing
  * Duplication functions for Graph/Template and Data Source/Template do not return an id
  * Duplication of Device Templates should be an API call
  * Unable to convert database to latin1 instead of utf8 if desired
  * When creating Graphs, the process may become slower over time as more items exist
  * When a bulk walk size is set to automatic, this is not always set to the optimal value
  * Update copyright notice on import packages
  * When viewing Orphan Graphs, SQL errors may be reported
  * When reindexing hosts from command line, ensure only one process runs at once
  * When a Data Query has no Graphs, it may not be deletable
  * When duplicating a Graph Template, provide an option to not duplicate Data Query association
  * When duplicating a Data Template, errors can appear in the Cacti log
  * When importing a Package, previewing makes unexpected changes to Cacti Templates
  * When enabling boost on a fresh install, an error may be reported
  * Improve compatibility for backtrace logging under PHP 8.x
  * Improve compatibility for Advanced Ping under PHP 8.x
  * Provide new templates for Fortigate and Aruba Cluster to be available during install
  * Provide new template for SNMP Printer to be available during install
  * When importing devices, allow a device classification to be known
  * Extend length of maximum name in settings table
  * Extend length of maximum name in user settings table
  * Data Queries do not have a Duplication function
  * Upgrade d3.js v7.8.2 and billboard.js v3.7.4
  * Upgrade ua-parser.js to version 1.0.35
  * Update Cisco Device Template to include HSRP graph template
  * New hook for device template change 'device_template_change'

* Mon Feb 27 2023 Andreas Stieger
- cacti 1.2.24:
  * Fix: Unable to import Local Linux Machine template
  * Fix multiple charting and display issues
  * Compatibility changes for SNMP under PHP 8.2, and other PHP compatibility updates
  * Fix multiple issues editing settings
  * Timeout fixes for Basic Auth
  * Multiple data poller bug fixes

* Mon Jan 02 2023 Andreas Stieger
- cacti 1.2.23, providing security fixes, feature improvements and bug fixes:
  * CVE-2022-46169: Unauthenticated Command Injection in Remote Agent (boo#1206185)
  * Security: Add .htaccess file to scripts folder
  * When using Single Sign-on Frameworks, revocation was not always detected in callbacks
  * Fixes to the installer, and compatibility with PHP and MySQL
  * Performance improvements for certain conditions
  * Various UI fixes
  * Bug fixes related to SNMP, RRDtools, and agents

* Sun Oct 02 2022 Andreas Stieger
- cacti 1.2.22, providing one security fix, a number of bug fixes and a collection of improvements:
  * When creating new graphs, cross site injection is possible (boo#1203952)
  * When creating user from template, multiple Domain FullName and Mail are not propagated
  * Nectar Aggregate 95th emailed report broken
  * Boost may not find archive tables correctly
  * Users may be unable to change their password when forced during a login
  * Net-SNMP Memory Graph Template has Wrong GPRINT
  * Search in tree view unusable on larger installations
  * Increased bulk insert size to avoid partial inserts and potential data loss
  * Call to undefined function boost_debug in Cacti log
  * When no guest template is set, login cookies are not properly set
  * Later RRDtool releases do not need to check last_update time
  * Regex filters are not always long enough
  * Domains based LDAP and AD Fullname and Email not auto-populated
  * Cacti polling and boost report the wrong number of Data Sources when Devices are disabled
  * When editing Graph Template Items there are cases where VDEFs are hidden when they should be shown
  * Database SSL setting lacks default value
  * Update default path cacti under *BSD by xmacan
  * Web Basic authentication not creating template user
  * Unable to change the Heartbeat of a Data Source Profile
  * Tree Search Does Not Properly Search All Trees
  * When structured paths are setup, RRDfiles may not always be created when possible
  * When parsing the logs, caching would help speed up processing
  * Deprecation warnings when attempting real-time Graphs with PHP8.1
  * Custom Timespan is lost when clicking other tree branches
  * Non device based Data Sources not being polled
  * When Resource XML file improperly formatted, graph creation can fail with errors
  * Update code style to support PHP 8 requirements
  * "None" shows all graphs
  * Realtime popup window experiences issues on some browsers
  * Auth settings do not always properly reflect the options selected by ddb4github
  * MySQL can cause cacti to become stalled due to locking issues
  * Boost process can get hung under rare conditions until the poller times out
  * Exporting graphs under PHP 8 can cause errors
  * Host table has wrong default for disabled and deleted columns
  * RRD storage paths do not scale properly
  * When importing, make it possible to only import certain components
  * Update change_device script to include new features by bmfmancini
  * Make help pages use latest online version wherever possible
  * Cacti should show PHP INI locations during install
  * Detect PHP INI values that are different in the INI vs running config
  * Added Gradient Color support for AREA charts by thurban
  * Update CDEF functions for RRDtool
  * When boost is running, it's not clear which processes are running and how long they have to complete

* Sun May 29 2022 Andreas Stieger
- cacti 1.2.21:
  * Add a CLI script to install/enable/disable/uninstall plugins
  * Add log message when purging DS stats and poller repopulate
  * A collection of bug fixes

* Fri Apr 22 2022 Ferdinand Thiessen
- Update to 1.2.20
  * Security fix for CVE-2022-0730, boo#1196692: Under certain LDAP conditions, Cacti authentication can be bypassed with certain credential types.
  * Security fix: Device, Graph, Graph Template, and Graph Items may be vulnerable to XSS issues
  * Security fix: Lockout policies are not properly applied to LDAP and Domain Users
  * Security fix: When using 'remember me' option, incorrect realm may be selected
  * Security fix: User and Group maintenance are vulnerable to SQL attacks
  * Security fix: Color Templates are vulnerable to XSS attack
  * Features:
    * When creating a Data Source Profile, allow additional choices for Heartbeat
    * Change select all options to use Font Awesome icons
    * Improve spine performance by storing the total number of system snmp_ports in use
    * Prevent Template User Accounts from being Removed
    * When managing by users, allow filtering by Realm
    * Allow plugins to supply template account names
    * When viewing logs, additional message types should be filterable
    * When creating a Graph Template Item, allow filtering by Data Template
    * Allow language handler to be selected via UI
    * Updated Device packages for Synology, Citrix NetScaler, Cisco ASA/Cisco
    * Add Advanced Ping Graph Template to initial Installable templates
    * Add LDAP Debug Mode option
    * Allow Reports to include devices not on a Tree
    * Allow Basic Authentication to display custom failure message
  * Fix: When replicating data during installation/upgrade, system may appear to hang
  * Fix: Graph Template Items may have duplicated entries
  * Fix: Unable to Save Graph Settings
  * Fix: Script Server may crash if an OID is missing or unavailable
  * Fix: When system-wide polling is disabled, remote pollers may fail to sync changed settings
  * Fix: When updating poller name, duplicate name protection may be over zealous
  * Fix: Titles may show "Missing Datasource" incorrectly
  * Fix: Checking for MIB Cache can cause crashes
  * Fix: Polling cycles may not always complete as expected
  * Fix: When viewing graph data, non-numeric values may appear
  * Fix: Utilities view has calculation errors when there are no data sources
  * Fix: When editing Reports, drag and drop may not function as intended
  * Fix: When data drive is full, viewing a Graph can result in errors
  * Various other bug fixes

* Sat Nov 06 2021 Andreas Stieger
- cacti 1.2.19:
  * Further fixes for grave character security protection (boo#1192408)
  * Fix Over aggressive escaping causing menu visibility issues on Create Device page
  * Add SHA256 and AES256 security levels for SNMP polling
  * Import graph template (Preview Only) shows color_id new value as a blank area
  * Fix Editing graphs errors due to missing sequence
  * Fix When hovering over a Tree Graph, row shows same highlighting as Graph Edit screen
  * Fix When RealTime is not active, console errors may appear
  * Fix race conditions may occur when multiple RRDtool processes are running
  * Fix errors creating graphs from templates
  * Fix errors when duplicating reports
  * Fix Boost may be blocked by overflowing poller_output table
  * Fix Template import may be blocked due to unmet dependency warnings with snmp ports
  * Fix Newer MySQL versions may error if committing a transaction when not in one
  * Fix SNMP Agent may not find a cache item
  * Fix Correct issues running under PHP 8.x
  * Fix When polling is disabled, boost may crash and creates many arch tables
  * Fix When poller runs, memory tables may not always be present
  * Fix Timezones may sometimes be incorrectly calculated
  * Fix Allow monitoring IPv6 with interface graphs
  * Fix When a data source uses a Data Input Method, those without a mapping should be flagged
  * Fix When RRDfile is not yet created, errors may appear when displaying the graph
  * Fix Cacti missing key indexes that result in Preset pages slowdowns
  * Fix Data Sources page shows no name when Data Source has no name cache
  * Fix db_update_table function can not alter table from signed to unsigned
  * Fix data remains in poller_output table even if it's flushed to rrd files
  * Fix Parameter list for lib/database.php:db_connect_real() is not correct in 3 places
  * Fix Offset is a reserved word in MariaDB 10.6 affecting Report
  * Fix Rendering large trees slowed due to lack of permission caching
  * Fix Error on interpretation of snmpUtime, when too big
  * Fix Applying right axis formatting creates an error-image
  * Fix Unable to Save Graph Settings from the Graphs pages
  * Fix Graph Template Cache is nullified too often when Graph Automation is running
  * Fix When Adding a Data Query to a Device, no Progress Spinner is shown
  * Fix New Browser Breaks Plugins that depend on non UTC date time data
  * Fix errors when testing remote poller connectivity
  * Fix errors when renaming poller
  * Fix Removing spikes by Variance does not appear to be working beyond the first RRA
  * Fix LDAP API lacks timeout options leading to bad login experiences
  * Add a normal/wrap class for general use
  * Limit File Types available for Template Import operations
  * Fix Cacti does not provide an option of providing a client side certificate for LDAP/AD authentication
  * Support Stronger Encryption Available Starting in Net-SNMP v5.8
  * Allow Cacti to use multiple possible LDAP servers
  * Add a 15 minute polling/sampling interval
  * Provide additional admin email notifications
  * Add warnings for undesired changes to plugin hook return values
  * When creating a Graph, make testing the Data Sources optional by Template
  * Update phpseclib to 2.0.33
  * Update jstree.js to 3.3.12
  * Improve performance of Cacti poller on heavily loaded systems
  * MariaDB recommendations need some tuning for recent updates

* Sat Jul 10 2021 Andreas Stieger
- cacti 1.2.18:
  * CVE-2020-14424: Lack of escaping on template import can lead to XSS exposure under 'midwinter' theme (boo#1188188)
  * Real time graphs can expose XSS issue

* Wed May 05 2021 Andreas Stieger
- cacti 1.2.17:
  * Fix incorrect handling of fields that led to potential XSS issues
  * CVE-2020-35701: Fix SQL Injection vulnerability (boo#1180804)
  * Fix various XSS issues with HTML Forms handling
  * Fix handling of Daylight Saving Time changes
  * Multiple fixes and extensions to plugins
  * Fix multiple display, export, and input validation issues
  * SNMPv3 Password field was not correctly limited
  * Improved regular expression handling for search
  * Improved support for RRDproxy
  * Improved behavior on large systems
  * MariaDB/MySQL: Support persistent connections and improve multiple operations and options
  * Add Theme 'Midwinter'
  * Modify automation to test for data before creating graphs
  * Add hooks for plugins to show customize graph source and customize template url
  * Allow CSRF security key to be refreshed at command line
  * Allow remote pollers statistics to be cleared
  * Allow user to be automatically logged out after admin defined period
  * When replicating, ensure Cacti can detect and verify replica servers