Security uploads for cacti (trusty and xenial)

Bug #1663891 reported by Paul Gevers
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
cacti (Ubuntu) | Fix Released | Medium | Unassigned |
Nominated for Precise by Mathew Hodson
Trusty | Fix Released | High | Unassigned |
Xenial | Fix Released | Medium | Unassigned |

Bug Description

Since the last security upload in Trusty and the last upload in Xenial, multiple CVEs have been reported against cacti.

Please upload the attached debdiffs to fix all open issues in Trusty and Xenial. Because the state in Debian's LTS Wheezy is similar to Trusty, I applied all the changes since the last common change-set. For Xenial, I based the changes on Jessie's stable uploads.

To be perfectly clear, I did verify that all the patches apply cleanly (and build cleanly on debomatic, although that doesn't say much for a php package), but I haven't verified functionality as I could bring myself to do that for Ubuntu (I already did that too often for the Debian packages). But because this all is php and the patches are already exposed in Debian for an extremely long time, I don't see much risk (please judge yourself though).

Tags: trusty xenial
Paul Gevers (paul-climbing) wrote :

typo: "I could bring myself" -> "I couldn't bring myself"

Paul Gevers (paul-climbing) wrote :

And just in case somebody is going to test the packages, the latest versions of cacti have an autopkgtest suite that can be used. This doesn't work out of the box, because the password framework is too new (the password is admin/admin in the old version), but getting it running should be straightforward.

Mathew Hodson (mhodson)
information type: Public → Public Security
Changed in cacti (Ubuntu Xenial):
importance: Undecided → Medium
Changed in cacti (Ubuntu Trusty):
importance: Undecided → High
Mathew Hodson (mhodson)
Changed in cacti (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
tags: removed: security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cacti (Ubuntu Trusty):
status: New → Confirmed
Changed in cacti (Ubuntu Xenial):
status: New → Confirmed
Paul Gevers (paul-climbing) wrote :

For what it is worth and as mentioned on IRC, I am not interested in fixing precise. Too much effort for too little gain as it will reach EOL soon and my patches in bug 1210822 aren't even used after more than 1.5 years.

Seth Arnold (seth-arnold) wrote :

Thanks Paul!

I overlooked the missing bug number in the changelogs, so Launchpad won't automatically close this with useful information; here are the links for the future:

https://launchpad.net/ubuntu/+source/cacti/0.8.8f+ds1-4ubuntu4.16.04.2
https://launchpad.net/ubuntu/+source/cacti/0.8.8b+dfsg-5ubuntu0.2

Changed in cacti (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in cacti (Ubuntu Xenial):
status: Confirmed → Fix Released