openSUSE-SU-2022:10170-1: moderate: Security update for cacti, cacti-spine
openSUSE Security Update: Security update for cacti, cacti-spine
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:10170-1
Rating: moderate
References: #1203952
Affected Products:
SUSE Linux Enterprise High Performance Computing 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12-SP3
SUSE Linux Enterprise Server 12-SP4
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12
SUSE Linux Enterprise Server for SAP Applications 12-SP3
SUSE Linux Enterprise Server for SAP Applications 12-SP4
SUSE Linux Enterprise Server for SAP Applications 12-SP5
SUSE Package Hub for SUSE Linux Enterprise 12
openSUSE Backports SLE-15-SP3
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update for cacti, cacti-spine fixes the following issues:
cacti-spine 1.2.22, delivering a number of bug fixes:
* When polling time is exceeded, spine does not always exit as expected
* Spine logging at `-V 5` includes an extra line feed
* Incorrect SNMP responses can cause spine to crash
* Properly handle devices that timeout responding to the Extended Uptime
* MariaDB can cause spine to abort prematurely despite error handling
* Spine should log the error time when exiting via signal
cacti-spine 1.2.21:
* Disable DES if Net-SNMP doesn't have it
cacti 1.2.22, providing one security fix, a number of bug fixes and a
collection of improvements:
* When creating new graphs, cross site injection is possible (boo#1203952)
* When creating user from template, multiple Domain FullName and Mail are
not propagated
* Nectar Aggregate 95th emailed report broken
* Boost may not find archive tables correctly
* Users may be unable to change their password when forced during a login
* Net-SNMP Memory Graph Template has Wrong GPRINT
* Search in tree view unusable on larger installations
* Increased bulk insert size to avoid partial inserts and potential data
loss.
* Call to undefined function boost_debug in Cacti log
* When no guest template is set, login cookies are not properly set
* Later RRDtool releases do not need to check last_update time
* Regex filters are not always long enough
* Domains based LDAP and AD Fullname and Email not auto-populated
* Cacti polling and boost report the wrong number of Data Sources when
Devices are disabled
* When editing Graph Template Items there are cases where VDEF's are
hidden when they should be shown
* Database SSL setting lacks default value
* Update default path cacti under *BSD by xmacan
* Web Basic authentication not creating template user
* Unable to change the Heartbeat of a Data Source Profile
* Tree Search Does Not Properly Search All Trees
* When structured paths are setup, RRDfiles may not always be created when
possible
* When parsing the logs, caching would help speed up processing
* Deprecation warnings when attempting real-time Graphs with PHP8.1
* Custom Timespan is lost when clicking other tree branches
* Non device based Data Sources not being polled
* When Resource XML file is improperly formatted, graph creation can fail
with errors
* Update code style to support PHP 8 requirements
* None" shows all graphs
* Realtime popup window experiences issues on some browsers
* Auth settings do not always properly reflect the options selected by
ddb4github
* MySQL can cause cacti to become stalled due to locking issues
* Boost process can get hung under rare conditions until the poller times
out
* Exporting graphs under PHP 8 can cause errors
* Host table has wrong default for disabled and deleted columns
* RRD storage paths do not scale properly
* When importing, make it possible to only import certain components
* Update change_device script to include new features by bmfmancini
* Make help pages use latest online version wherever possible
* Cacti should show PHP INI locations during install
* Detect PHP INI values that are different in the INI vs running config
* Added Gradient Color support for AREA charts by thurban
* Update CDEF functions for RRDtool
* When boost is running, it's not clear which processes are running and
how long they have to complete
cacti 1.2.21:
* Add a CLI script to install/enable/disable/uninstall plugins
* Add log message when purging DS stats and poller repopulate
* A collection of bug fixes
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2022-10170=1
- openSUSE Backports SLE-15-SP3:
zypper in -t patch openSUSE-2022-10170=1
- SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2022-10170=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):
cacti-spine-1.2.22-bp154.2.3.1
cacti-spine-debuginfo-1.2.22-bp154.2.3.1
cacti-spine-debugsource-1.2.22-bp154.2.3.1
- openSUSE Backports SLE-15-SP4 (noarch):
cacti-1.2.22-bp154.2.3.1
- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):
cacti-spine-1.2.22-bp153.2.12.1
- openSUSE Backports SLE-15-SP3 (noarch):
cacti-1.2.22-bp153.2.12.1
- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64):
cacti-spine-1.2.22-23.1
- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):
cacti-1.2.22-29.1
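To confirm the update landed after running the patch command, the following added example (not part of the SUSE announcement) compares the installed cacti and cacti-spine builds against the package list above. The product labels and function names are assumptions made for this script, and `sort -V` is used as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example: check installed cacti / cacti-spine builds against the
# package list in this announcement. Product labels are made up for this script.

# Fixed version-release per product and package, copied from the Package List.
fixed_release() {  # usage: fixed_release PRODUCT PACKAGE
    case "$1:$2" in
        backports-sle15-sp4:cacti|backports-sle15-sp4:cacti-spine)
            echo "1.2.22-bp154.2.3.1" ;;
        backports-sle15-sp3:cacti|backports-sle15-sp3:cacti-spine)
            echo "1.2.22-bp153.2.12.1" ;;
        packagehub-sle12:cacti)       echo "1.2.22-29.1" ;;
        packagehub-sle12:cacti-spine) echo "1.2.22-23.1" ;;
        *) echo "" ;;
    esac
}

# True when version A >= version B. sort -V approximates RPM ordering,
# which is sufficient for the numeric version-release strings used here.
version_ge() {  # usage: version_ge A B
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Prints patched, needs-update, or unknown (product/package not in the list).
status_for() {  # usage: status_for PRODUCT PACKAGE INSTALLED_VERSION_RELEASE
    want=$(fixed_release "$1" "$2")
    if [ -z "$want" ]; then
        echo "unknown"
    elif version_ge "$3" "$want"; then
        echo "patched"
    else
        echo "needs-update"
    fi
}

# Queries the local RPM database and reports one line per package.
check_host() {  # usage: check_host PRODUCT
    for pkg in cacti cacti-spine; do
        if have=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null); then
            echo "$pkg $have: $(status_for "$1" "$pkg" "$have")"
        else
            echo "$pkg: not installed"
        fi
    done
}

# Only touch the RPM database when rpm is available on this host.
if command -v rpm >/dev/null 2>&1; then
    check_host "${1:-backports-sle15-sp4}"
fi
```

Pass `backports-sle15-sp3` or `packagehub-sle12` as the first argument to check against the other products in the list.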
References:
https://bugzilla.suse.com/1203952
A cacti, cacti-spine security update has been released for SUSE Linux Enterprise.