openSUSE-SU-2022:10170-1: moderate: Security update for cacti, cacti-spine
openSUSE Security Update: Security update for cacti, cacti-spine
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10170-1
Rating:             moderate
References:         #1203952
Affected Products:
                    SUSE Linux Enterprise High Performance Computing 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP Applications 12
                    SUSE Linux Enterprise Server for SAP Applications 12-SP3
                    SUSE Linux Enterprise Server for SAP Applications 12-SP4
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Package Hub for SUSE Linux Enterprise 12
                    openSUSE Backports SLE-15-SP3
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for cacti, cacti-spine fixes the following issues:

cacti-spine 1.2.22, delivering a number of bug fixes:

* When polling time is exceeded, spine does not always exit as expected
* Spine logging at `-V 5` includes an extra line feed
* Incorrect SNMP responses can cause spine to crash
* Properly handle devices that timeout responding to the Extended Uptime
* MariaDB can cause spine to abort prematurely despite error handling
* Spine should log the error time when exiting via signal

cacti-spine 1.2.21:

* Disable DES if Net-SNMP doesn't have it

cacti 1.2.22, providing one security fix, a number of bug fixes and a collection of improvements:

* When creating new graphs, cross site injection is possible (boo#1203952)
* When creating user from template, multiple Domain FullName and Mail are not propagated
* Nectar Aggregate 95th emailed report broken
* Boost may not find archive tables correctly
* Users may be unable to change their password when forced during a login
* Net-SNMP Memory Graph Template has Wrong GPRINT
* Search in tree view unusable on larger installations
* Increased bulk insert size to avoid partial inserts and potential data loss.
* Call to undefined function boost_debug in Cacti log
* When no guest template is set, login cookies are not properly set
* Later RRDtool releases do not need to check last_update time
* Regex filters are not always long enough
* Domains based LDAP and AD Fullname and Email not auto-populated
* Cacti polling and boost report the wrong number of Data Sources when Devices are disabled
* When editing Graph Template Items there are cases where VDEF's are hidden when they should be shown
* Database SSL setting lacks default value
* Update default path cacti under *BSD by xmacan
* Web Basic authentication not creating template user
* Unable to change the Heartbeat of a Data Source Profile
* Tree Search Does Not Properly Search All Trees
* When structured paths are setup, RRDfiles may not always be created when possible
* When parsing the logs, caching would help speed up processing
* Deprecation warnings when attempting real-time Graphs with PHP8.1
* Custom Timespan is lost when clicking other tree branches
* Non device based Data Sources not being polled
* When Resource XML file improperly formatted, graph creation can fail with errors
* Update code style to support PHP 8 requirements
* None" shows all graphs
* Realtime popup window experiences issues on some browsers
* Auth settings do not always properly reflect the options selected by ddb4github
* MySQL can cause cacti to become stalled due to locking issues
* Boost process can get hung under rare conditions until the poller times out
* Exporting graphs under PHP 8 can cause errors
* Host table has wrong default for disabled and deleted columns
* RRD storage paths do not scale properly
* When importing, make it possible to only import certain components
* Update change_device script to include new features by bmfmancini
* Make help pages use latest online version wherever possible
* Cacti should show PHP INI locations during install
* Detect PHP INI values that are different in the INI vs running config
* Added Gradient Color support for AREA charts by thurban
* Update CDEF functions for RRDtool
* When boost is running, it's not clear which processes are running and how long they have to complete

cacti 1.2.21:

* Add a CLI script to install/enable/disable/uninstall plugins
* Add log message when purging DS stats and poller repopulate
* A collection of bug fixes

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:

  zypper in -t patch openSUSE-2022-10170=1

- openSUSE Backports SLE-15-SP3:

  zypper in -t patch openSUSE-2022-10170=1

- SUSE Package Hub for SUSE Linux Enterprise 12:

  zypper in -t patch openSUSE-2022-10170=1

Package List:

- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

  cacti-spine-1.2.22-bp154.2.3.1
  cacti-spine-debuginfo-1.2.22-bp154.2.3.1
  cacti-spine-debugsource-1.2.22-bp154.2.3.1

- openSUSE Backports SLE-15-SP4 (noarch):

  cacti-1.2.22-bp154.2.3.1

- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

  cacti-spine-1.2.22-bp153.2.12.1

- openSUSE Backports SLE-15-SP3 (noarch):

  cacti-1.2.22-bp153.2.12.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64):

  cacti-spine-1.2.22-23.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

  cacti-1.2.22-29.1

References:

https://bugzilla.suse.com/1203952