openSUSE-SU-2017:2765-1: moderate: Security update for cacti and cacti-spine
openSUSE Security Update: Security update for cacti and cacti-spine
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:2765-1
Rating:             moderate
References:         #1062554
Cross-References:   CVE-2017-15194
Affected Products:  openSUSE Leap 42.3
                    openSUSE Leap 42.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for cacti and cacti-spine fixes the following issues:

Build version 1.1.26
- issue#841: --input-fields variable not working with add_graphs.php cli
- issue#986: Resolve minor appearance problem on Modern theme
- issue#989: Resolve issue with data input method commands losing spaces on import
- issue#1000: add_graphs.php not recognizing input fields
- issue#1003: Reversing resolution to Issue#995 due to adverse impact to polling times
- issue#1008: Remove developer debug warning about thumbnail validation
- issue#1009: Resolving minor issue with cmd_realtime.php and a changing hostname
- issue#1010: CVE-2017-15194 - Path-Based Cross-Site Scripting (XSS) (bsc#1062554)
- issue#1027: Confirm that the PHP date.timezone setting is properly set during install
- issue: Fixed database session handling for PHP 7.1
- issue: Fixed some missing i18n
- issue: Fixed typos
- feature: Updated Dutch translations
- feature: Schema changes; Examined queries without key usage and added/changed some keys
- feature: Some small improvements

Build version 1.1.25
- issue#966: Email still using SMTP security even though set to none
- issue#995: Redirecting exec_background() to dev null breaks some functions
- issue#998: Allow removal of external data template and prevent their creation
- issue: Remove spikes uses wrong variance value from WebGUI
- issue: Changing filters on log page does not reset to first page
- issue: Allow manual creation of external data sources once again
- feature: Updated Dutch translations

Build version 1.1.24
- issue#932: Zoom positioning breaks when you scroll the graph page
- issue#970: Remote Data Collector Cache Synchronization missing plugin sub-directories
- issue#980: Resolve issue where a new tree branch refreshes before you have a chance to name it
- issue#982: Data Source Profile size information not showing properly
- issue: Long sysDescriptions on automation page cause columns to be hidden
- issue: Resolve visual issues in Classic theme
- feature: Allow Resynchronization of Poller Resource Cache

Build version 1.1.23
- issue#963: SQL Errors with snmpagent and MariaDB 10.2
- issue#964: SQL Mode optimization failing in 1.1.22

Build version 1.1.22
- issue#950: Automation - New graph rule loses name on change
- issue#952: CSV Export not rendering Chinese characters correctly (Second attempt)
- issue#955: Validation error trying to view graph debug syntax
- issue: MySQL/MariaDB database sql_mode NO_AUTO_VALUE_ON_ZERO corrupts Cacti database
- issue: When creating a data source, the data source profile does not default to the system default
- feature: Enhance table filters to support new Cycle plugin
- feature: Updated Dutch Translations

Build version 1.1.21
- issue#938: Problems upgrading to 1.1.20 with one table alter statement
- issue#952: CSV Export not rendering Chinese characters correctly
- issue: Minor alignment issue on tables

Build version 1.1.20
- issue#920: Issue with scrollbars after update to 1.1.19 related to #902
- issue#921: Tree Mode no longer expands to accommodate full tree item names
- issue#922: When using LDAP domains some settings are not passed correctly to the Cacti LDAP library
- issue#923: Warnings in cacti.log are displayed incorrectly
- issue#926: Update Utilities page to provide more information on rebuilding poller cache
- issue#927: Minor schema change to support XtraDB Cluster
- issue#929: Overlapping frames on certain themes
- issue#931: Aggregate graphs missing from list view
- issue#933: Aggregate graphs page counter off
- issue#935: Support utf8 printable in data query inserts
- issue#936: TimeZone query failure undefined function
- issue: Taking actions on users does not use callbacks
- issue: Undefined constant in lib/snmp.php on RHEL7
- issue: Human readable socket errno's not defined
- issue: Audit of ping methods tcp, udp, and icmp ping. IPv6 will still not work till php 5.5.4

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

  zypper in -t patch openSUSE-2017-1173=1

- openSUSE Leap 42.2:

  zypper in -t patch openSUSE-2017-1173=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE Leap 42.3 (i586 x86_64):

  cacti-spine-1.1.26-16.1
  cacti-spine-debuginfo-1.1.26-16.1
  cacti-spine-debugsource-1.1.26-16.1

- openSUSE Leap 42.3 (noarch):

  cacti-1.1.26-25.1
  cacti-doc-1.1.26-25.1

- openSUSE Leap 42.2 (i586 x86_64):

  cacti-spine-1.1.26-7.9.1
  cacti-spine-debuginfo-1.1.26-7.9.1
  cacti-spine-debugsource-1.1.26-7.9.1

- openSUSE Leap 42.2 (noarch):

  cacti-1.1.26-16.9.1
  cacti-doc-1.1.26-16.9.1

References:

https://www.suse.com/security/cve/CVE-2017-15194.html
https://bugzilla.suse.com/1062554