openSUSE Security Update: Security update for cacti ______________________________________________________________________________ Announcement ID: openSUSE-SU-2015:0479-1 Rating: moderate References: #920399 Cross-References: CVE-2014-2327 CVE-2014-4002 CVE-2014-5025 CVE-2014-5026 Affected Products: openSUSE 13.2 openSUSE 13.1 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: cacti was updated to version 0.8.8c [boo#920399] This update fixes four vulnerabilities and adds some compatible features. - Security fixes not previously patched: - CVE-2014-2326 - XSS issue via CDEF editing - CVE-2014-2327 - Cross-site request forgery (CSRF) vulnerability - CVE-2014-2328 - Remote Command Execution Vulnerability in graph export - CVE-2014-4002 - XSS issues in multiple files - CVE-2014-5025 - XSS issue via data source editing - CVE-2014-5026 - XSS issues in multiple files - Security fixes now upstream: - CVE-2013-5588 - XSS issue via installer or device editing - CVE-2013-5589 - SQL injection vulnerability in device editing New features: - New graph tree view - Updated graph list and graph preview - Refactor graph tree view to remove GPL incompatible code - Updated command line database upgrade utility - Graph zooming now from everywhere Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2015-221=1 - openSUSE 13.1: zypper in -t patch openSUSE-2015-221=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (noarch): cacti-0.8.8c-4.4.1 - openSUSE 13.1 (noarch): cacti-0.8.8c-8.1 References: http://support.novell.com/security/cve/CVE-2014-2327.html http://support.novell.com/security/cve/CVE-2014-4002.html http://support.novell.com/security/cve/CVE-2014-5025.html http://support.novell.com/security/cve/CVE-2014-5026.html https://bugzilla.suse.com/920399