cacti (0.8.8b+dfsg-8+deb8u1) jessie-security; urgency=high
* Security update
- CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
before 0.8.8d allows remote attackers to inject arbitrary web script
or HTML via unspecified vectors.
- CVE-2015-4342 SQL Injection and Location header injection from cdef id
- CVE-2015-4454 SQL injection vulnerability in the
get_hash_graph_template function in lib/functions.php in Cacti before
0.8.8d allows remote attackers to execute arbitrary SQL commands via
the graph_template_id parameter to graph_templates.php.
- Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540
-- Paul Gevers <email address hidden> Mon, 22 Jun 2015 20:55:59 +0200
cacti (0.8.8b+dfsg-8) unstable; urgency=high
* CVE-2014-5261
Insufficient input sanitation leads to shell command injection
possibilities
* CVE-2014-5262
Incomplete and incorrect input parsing leads to SQL injection attack
scenarios
* Fix for CVE-2014-5043 was incomplete, improve patch
* Change CVE-2014-4002 patch to include upstream updated commits
-- Paul Gevers <email address hidden> Mon, 18 Aug 2014 19:57:43 +0200
cacti (0.8.8b+dfsg-7) unstable; urgency=medium
* Fix regression caused by fixing CVE-2014-4002: at least plugin autom8
was unusable (Closes: #755032)
* Security update
- CVE-2014-5025 Cross Site Scripting Vulnerability
- CVE-2014-5026 Cross Site Scripting Vulnerability
- CVE-2014-5043 Cross Site Scripting Vulnerability
-- Paul Gevers <email address hidden> Thu, 24 Jul 2014 21:56:48 +0200
More releases happened... list of open items (since 12.04):
cacti (0.8.8b+dfsg-6) unstable; urgency=high
* Add alternative php5-mysql | php5-mysqlnd (Closes: #744067)
* Security update (Closes: #742768, #752573)
- CVE-2014-2327 Cross Site Request Forgery Vulnerability
- CVE-2014-4002 Cross-Site Scripting Vulnerability
-- Paul Gevers <email address hidden> Wed, 25 Jun 2014 22:33:53 +0200
cacti (0.8.8b+dfsg-5) unstable; urgency=high
* Fix postinst for lighttpd setups which fail on update due to
lighty-enable-mod exiting with non-zero if config is already loaded
(Closes: 743727)
-- Paul Gevers <email address hidden> Sun, 06 Apr 2014 19:59:12 +0200
cacti (0.8.8b+dfsg-4) unstable; urgency=high
* Security update (Closes: 743565)
- CVE-2014-2326 Cross-site scripting (XSS) vulnerability
- CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
- CVE-2014-2708 SQL injection
- CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
* Bump standards (no changes needed)
* Fix VCS-Browser field
* Fix license paragraph of jstree (Thanks lintian)
-- Paul Gevers <email address hidden> Sat, 05 Apr 2014 13:03:22 +0200
cacti (0.8.8b+dfsg-3) unstable; urgency=low
* Fix Cross site scripting (upstream bug 2383)
CVE-2013-5588
* Fix SQL injection in host.php (upstream bug 2383)
CVE-2013-5589
* Fix upgrade script in cli directory for latest releases
* Automatically upgrade database during package update (prevents upstream
bug 2377)
* The code to enable lighttpd configuration from LP: #1132415 was broken
-- Paul Gevers <email address hidden> Tue, 27 Aug 2013 20:43:21 +0200