diff -Nru cacti-0.8.8b+dfsg/debian/changelog cacti-0.8.8b+dfsg/debian/changelog
--- cacti-0.8.8b+dfsg/debian/changelog 2014-08-18 20:04:18.000000000 +0200
+++ cacti-0.8.8b+dfsg/debian/changelog 2015-06-27 21:35:20.000000000 +0200
@@ -1,3 +1,19 @@
+cacti (0.8.8b+dfsg-8ubuntu0.1) utopic-security; urgency=high
+
+ * Security update (LP: #1210822):
+ - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
+ before 0.8.8d allows remote attackers to inject arbitrary web script
+ or HTML via unspecified vectors.
+ - CVE-2015-4342 SQL Injection and Location header injection from cdef
+ id
+ - CVE-2015-4454 SQL injection vulnerability in the
+ get_hash_graph_template function in lib/functions.php in Cacti before
+ 0.8.8d allows remote attackers to execute arbitrary SQL commands via
+ the graph_template_id parameter to graph_templates.php.
+ - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540
+
+ -- Paul Gevers Sat, 27 Jun 2015 13:37:47 +0200
+
 cacti (0.8.8b+dfsg-8) unstable; urgency=high
 
 * CVE-2014-5261
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2015-2665_XSS_in_graphs.php.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2015-2665_XSS_in_graphs.php.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2015-2665_XSS_in_graphs.php.patch 1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2015-2665_XSS_in_graphs.php.patch 2015-06-27 21:31:29.000000000 +0200
@@ -0,0 +1,18 @@
+Description: CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
+ before 0.8.8d allows remote attackers to inject arbitrary web script
+ or HTML via unspecified vectors.
+Source: http://svn.cacti.net/viewvc/cacti/tags/0.8.8d/graphs.php?r1=7716&r2=7717&view=patch
+
+Index: cacti/graphs.php
+===================================================================
+--- cacti.orig/graphs.php
++++ cacti/graphs.php
+@@ -1334,7 +1334,7 @@ function graph() {
+ /* we're escaping strings here, so no need to escape them on form_selectable_cell */
+ $template_name = ((empty($graph["name"])) ? "None" : htmlspecialchars($graph["name"]));
+ form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $graph["local_graph_id"]); $i++;
+- form_selectable_cell("" . ((get_request_var_request("filter") != "") ? preg_replace("/(" . preg_quote(get_request_var_request("filter"), "/") . ")/i", "\\1", title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) : title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) . "", $graph["local_graph_id"]);
++ form_selectable_cell("" . ((get_request_var_request("filter") != "") ? preg_replace("/(" . preg_quote(get_request_var_request("filter"), "/") . ")/i", "\\1", title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) : title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) . "", $graph["local_graph_id"]);
+ form_selectable_cell($graph["local_graph_id"], $graph["local_graph_id"]);
+ form_selectable_cell(((get_request_var_request("filter") != "") ? preg_replace("/(" . preg_quote(get_request_var_request("filter"), "/") . ")/i", "\\1", $template_name) : $template_name), $graph["local_graph_id"]);
+ form_selectable_cell($graph["height"] . "x" . 
$graph["width"], $graph["local_graph_id"]);
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2015-4342_SQL_injection_in_cdef.php.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2015-4342_SQL_injection_in_cdef.php.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2015-4342_SQL_injection_in_cdef.php.patch 1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2015-4342_SQL_injection_in_cdef.php.patch 2015-06-27 21:31:29.000000000 +0200
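Review bot: The removed and added `form_selectable_cell(...)` lines are identical as rendered here, so the change this patch makes to graphs.php cannot be verified from this view; presumably the HTML markup inside the string literals (the empty `"" .` and `. ""` fragments on both sides) was stripped by the rendering, and that is where the fix lives. The patch header repeats the CVE's "unspecified vectors" wording; whoever backports this wants the Description to name the reflected parameter and the sink so the hunk can be checked against the cited upstream revision. On the new side the highlight is safe in itself — the `preg_replace` subject is already passed through `htmlspecialchars()` and `\\1` only re-emits matched text — but `get_request_var_request("filter")` is fetched three times for one row and the same highlight expression is duplicated on the `$template_name` cell two lines below, so hoisting it once, `$filter = get_request_var_request("filter");`, would make the escape-then-highlight order easier to audit. The enclosing `graph()` function starts and ends outside the hunk.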
@@ -0,0 +1,39 @@
+Description: CVE-2015-4342 SQL Injection and Location header injection
+ from cdef id
+Bug: http://bugs.cacti.net/view.php?id=2571
+Source: http://svn.cacti.net/viewvc?view=rev&revision=7719
+
+Index: cacti/lib/functions.php
+===================================================================
+--- cacti.orig/lib/functions.php
++++ cacti/lib/functions.php
+@@ -1987,6 +1987,9 @@ function get_hash_data_input($data_input
+ @arg $sub_type (optional) return the hash for a particlar sub-type of this type
+ @returns - a 128-bit, hexadecimal hash */
+ function get_hash_cdef($cdef_id, $sub_type = "cdef") {
++ if (! is_numeric($cdef_id)) {
++ $cdef_id = -1;
++ }
+ if ($sub_type == "cdef") {
+ $hash = db_fetch_cell("select hash from cdef where id=$cdef_id");
+ }elseif ($sub_type == "cdef_item") {
+Index: cacti/cdef.php
+===================================================================
+--- cacti.orig/cdef.php
++++ cacti/cdef.php
+@@ -107,6 +107,15 @@ function draw_cdef_preview($cdef_id) {
+ -------------------------- */
+ 
+ function form_save() {
++
++ // make sure ids are numeric
++ if (isset($_POST["id"]) && ! is_numeric($_POST["id"])) {
++ $_POST["id"] = 0;
++ }
++ if (isset($_POST["cdef_id"]) && ! is_numeric($_POST["cdef_id"])) {
++ $_POST["cdef_id"] = 0;
++ }
++
+ if (isset($_POST["save_component_cdef"])) {
+ $save["id"] = $_POST["id"];
+ $save["hash"] = get_hash_cdef($_POST["id"]);
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch 1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch 2015-06-27 20:41:30.000000000 +0200
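Review bot: `is_numeric()` in the new guards in `get_hash_cdef()` and `form_save()` is a looser check than the unquoted `id=$cdef_id` interpolation needs: it accepts leading whitespace, signs, decimals and exponent notation (and, on PHP 5, hex strings such as `0x1A`), all of which then reach the SQL text verbatim. None of those forms escape the query, but an integer cast is both tighter and simpler — `$cdef_id = is_numeric($cdef_id) ? (int) $cdef_id : -1;` in the helper, and `$_POST["id"] = (int) $_POST["id"];` style normalisation in `form_save()` — and it also stops the value from ever being a string that later code might concatenate elsewhere. The two sites disagree on the sentinel for a bad id (`-1` in the helper, `0` in the form handler), and silently mapping a tampered id to a non-existent row hides a request that could instead be rejected with an error. The changelog entry also mentions a Location header injection, but the `header()` call that would be affected is outside this hunk, as is the rest of `form_save()`, so that part of the fix cannot be checked here.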
@@ -0,0 +1,24 @@
+Description: CVE-2015-4454 SQL injection vulnerability in the
+ get_hash_graph_template function in lib/functions.php in Cacti before
+ 0.8.8d allows remote attackers to execute arbitrary SQL commands via
+ the graph_template_id parameter to graph_templates.php.
+Bug: http://bugs.cacti.net/view.php?id=2572
+Source: http://svn.cacti.net/viewvc?view=rev&revision=7720
+
+Index: cacti/graph_templates.php
+===================================================================
+--- cacti.orig/graph_templates.php
++++ cacti/graph_templates.php
+@@ -85,6 +85,12 @@ switch ($_REQUEST["action"]) {
+ -------------------------- */
+ 
+ function form_save() {
++
++ // sanitize ids
++ if (isset($_POST["graph_template_id"]) && ! is_numeric($_POST["graph_template_id"])) {
++ $_POST["graph_template_id"] = 0;
++ }
++
+ if (isset($_POST["save_component_template"])) {
+ $save1["id"] = $_POST["graph_template_id"];
+ $save1["hash"] = get_hash_graph_template($_POST["graph_template_id"]);
diff -Nru cacti-0.8.8b+dfsg/debian/patches/CVE-2015-XXXX_SQL_injection_in_tab.patch cacti-0.8.8b+dfsg/debian/patches/CVE-2015-XXXX_SQL_injection_in_tab.patch
--- cacti-0.8.8b+dfsg/debian/patches/CVE-2015-XXXX_SQL_injection_in_tab.patch 1970-01-01 01:00:00.000000000 +0100
+++ cacti-0.8.8b+dfsg/debian/patches/CVE-2015-XXXX_SQL_injection_in_tab.patch 2015-06-27 20:41:30.000000000 +0200
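Review bot: Unlike the CVE-2015-4342 patch in this same upload, which hardens `get_hash_cdef()` itself as well as its caller, this patch guards only the `graph_templates.php` caller even though its own Description places the injection inside `get_hash_graph_template()` in lib/functions.php; any other caller of that helper (none are visible here) stays exposed, so the same guard belongs at the top of the helper too. As with the cdef patch, `is_numeric` lets decimals, exponents and (on PHP 5) hex strings through to the query text; `$_POST["graph_template_id"] = (int) $_POST["graph_template_id"];` is a tighter normalisation than coercing only non-numeric input to `0`, and avoids a sentinel that silently points at a non-existent row. The `// sanitize ids` comment is plural but the block touches a single field; if `form_save()` reads further ids after this hunk they are not covered. `form_save()` continues past the end of the hunk.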
@@ -0,0 +1,20 @@
+Description: Unassigned CVE SQL injection vulnerability
+ reported via VN:JVN#78187936 / TN:JPCERT#98968540
+Source: http://svn.cacti.net/viewvc?view=rev&revision=7718
+
+Index: cacti/settings.php
+===================================================================
+--- cacti.orig/settings.php
++++ cacti/settings.php
+@@ -78,6 +78,11 @@ case 'save':
+ default:
+ include("./include/top_header.php");
+ 
++ /* clean up tab string */
++ if (isset($_REQUEST['tab'])) {
++ $_REQUEST['tab'] = sanitize_search_string(get_request_var_request('tab'));
++ }
++
+ /* set the default settings category */
+ if (!isset($_GET["tab"])) {
+ /* there is no selected tab; select the first one */
diff -Nru cacti-0.8.8b+dfsg/debian/patches/series cacti-0.8.8b+dfsg/debian/patches/series
--- cacti-0.8.8b+dfsg/debian/patches/series 2014-08-18 17:12:52.000000000 +0200
+++ cacti-0.8.8b+dfsg/debian/patches/series 2015-06-27 21:31:29.000000000 +0200
@@ -20,3 +20,7 @@
 CVE-2014-5026_XSS_in_item_names.patch
 CVE-2014-5261_shell_metachar.patch
 CVE-2014-5262_SQL_injection.patch
+CVE-2015-2665_XSS_in_graphs.php.patch
+CVE-2015-4342_SQL_injection_in_cdef.php.patch
+CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch
+CVE-2015-XXXX_SQL_injection_in_tab.patch
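Review bot: The sanitised value is written back to `$_REQUEST['tab']`, but the very next statement on the new side reads `$_GET["tab"]`, and assigning to `$_REQUEST` does not propagate to `$_GET`, so any code below this hunk that keeps using `$_GET["tab"]` still sees the raw parameter and the fix is ineffective there. Mirror the cleaned value into the superglobal the rest of the page reads, `if (isset($_GET['tab'])) { $_GET['tab'] = $_REQUEST['tab']; }`, or change the later reads to `$_REQUEST`. A settings tab is one of a small fixed set of keys, so validating against the known tab names would be a stronger control than a generic search-string sanitiser whose exact stripping rules are not visible here. The `default:` case continues beyond the hunk, so the later uses of `tab` cannot be confirmed from this view.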