openSUSE Security Update: Security update for cacti, cacti-spine ______________________________________________________________________________ Announcement ID: openSUSE-SU-2024:0274-1 Rating: important References: #1224229 #1224230 #1224231 #1224235 #1224236 #1224237 #1224238 #1224239 #1224240 #1224241 Cross-References: CVE-2024-25641 CVE-2024-27082 CVE-2024-29894 CVE-2024-31443 CVE-2024-31444 CVE-2024-31445 CVE-2024-31458 CVE-2024-31459 CVE-2024-31460 CVE-2024-34340 Affected Products: SUSE Linux Enterprise High Performance Computing 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12-SP3 SUSE Linux Enterprise Server for SAP Applications 12-SP4 SUSE Linux Enterprise Server for SAP Applications 12-SP5 SUSE Package Hub for SUSE Linux Enterprise 12 openSUSE Backports SLE-15-SP5 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. Description: This update for cacti, cacti-spine fixes the following issues: - cacti 1.2.27: * CVE-2024-34340: Authentication Bypass when using using older password hashes (boo#1224240) * CVE-2024-25641: RCE vulnerability when importing packages (boo#1224229) * CVE-2024-31459: RCE vulnerability when plugins include files (boo#1224238) * CVE-2024-31460: SQL Injection vulnerability when using tree rules through Automation API (boo#1224239) * CVE-2024-29894: XSS vulnerability when using JavaScript based messaging API (boo#1224231) * CVE-2024-31458: SQL Injection vulnerability when using form templates (boo#1224241) * CVE-2024-31444: XSS vulnerability when reading tree rules with Automation API (boo#1224236) * CVE-2024-31443: XSS vulnerability when managing data queries (boo#1224235) * CVE-2024-31445: SQL Injection vulnerability when retrieving graphs using Automation API (boo#1224237) * CVE-2024-27082: XSS vulnerability when managing trees (boo#1224230) * Improve PHP 8.3 support * When importing packages via command line, data source profile could not be selected * When changing password, returning to previous page does not always work * When using LDAP authentication the first time, warnings may appear in logs * When editing/viewing devices, add IPv6 info to hostname tooltip * Improve speed of polling when Boost is enabled * Improve support for Half-Hour time zones * When user session not found, device lists can be incorrectly returned * On import, legacy templates may generate warnings * Improve support for alternate locations of Ping * Improve PHP 8.1 support for Installer * Fix issues with number formatting * Improve PHP 8.1 support when SpikeKill is run first time * Improve PHP 8.1 support for SpikeKill * When using Chinese to search for graphics, garbled characters appear. * When importing templates, preview mode will not always load * When remote poller is installed, MySQL TimeZone DB checks are not performed * When Remote Poller installation completes, no finish button is shown * Unauthorized agents should be recorded into logs * Poller cache may not always update if hostname changes * When using CMD poller, Failure and Recovery dates may have incorrect values * Saving a Tree can cause the tree to become unpublished * Web Basic Authentication does not record user logins * When using Accent-based languages, translations may not work properly * Fix automation expressions for device rules * Improve PHP 8.1 Support during fresh install with boost * Add a device "enabled/disabled" indicator next to the graphs * Notify the admin periodically when a remote data collector goes into heartbeat status * Add template for Aruba Clearpass * Add fliter/sort of Device Templates by Graph Templates - cacti-spine 1.2.27: * Restore AES Support Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2024-274=1 - SUSE Package Hub for SUSE Linux Enterprise 12: zypper in -t patch openSUSE-2024-274=1 Package List: - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64): cacti-spine-1.2.27-bp155.2.9.1 - openSUSE Backports SLE-15-SP5 (noarch): cacti-1.2.27-bp155.2.9.1 - SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64): cacti-spine-1.2.27-35.1 - SUSE Package Hub for SUSE Linux Enterprise 12 (noarch): cacti-1.2.27-41.1 References: https://www.suse.com/security/cve/CVE-2024-25641.html https://www.suse.com/security/cve/CVE-2024-27082.html https://www.suse.com/security/cve/CVE-2024-29894.html https://www.suse.com/security/cve/CVE-2024-31443.html https://www.suse.com/security/cve/CVE-2024-31444.html https://www.suse.com/security/cve/CVE-2024-31445.html https://www.suse.com/security/cve/CVE-2024-31458.html https://www.suse.com/security/cve/CVE-2024-31459.html https://www.suse.com/security/cve/CVE-2024-31460.html https://www.suse.com/security/cve/CVE-2024-34340.html https://bugzilla.suse.com/1224229 https://bugzilla.suse.com/1224230 https://bugzilla.suse.com/1224231 https://bugzilla.suse.com/1224235 https://bugzilla.suse.com/1224236 https://bugzilla.suse.com/1224237 https://bugzilla.suse.com/1224238 https://bugzilla.suse.com/1224239 https://bugzilla.suse.com/1224240 https://bugzilla.suse.com/1224241