- issue#6089: Unable to add new users
- issue#6090: When using Automation Rules, specifying graph criteria may cause issues
- issue#6099: When transferring a system from a backup if the poller has not run recently rrdtool issues are found
- issue#6172: When translating, quotes may cause incorrect text to appear
- issue#6173: When using Boost for the first time, warnings may appear
- issue#6183: When refreshing forms, items may be checked incorrectly by xmacan
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/cacti?expand=0&rev=190
- Oct 9 2024 Changelog did not describe cactid_service.patch
- Feb 11 2025 Changelog misspelled cacti-config-dist.patch
- Removed obsolete cacti-cron.timer cacti-cron.service cacti-config.patch
- cacti 1.2.29
- security - GHSA-c5j8-jxj3-hh36 - Authenticated RCE via multi-line SNMP responses
- security - GHSA-f9c7-7rc3-574c - SQL Injection vulnerability when using tree rules through Automation API
- security - GHSA-fh3x-69rr-qqpp - SQL Injection vulnerability when request automation devices
- security - GHSA-fxrq-fr7h-9rqq - Arbitrary File Creation leading to RCE
- security - GHSA-pv2c-97pp-vxwg - Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
- security - GHSA-vj9g-P7F2-4wqj - SQL Injection vulnerability when view host template
- issue - 5843 - Temporary table names may incorrectly think they have a schema
- issue - 5847 - When using Preset Time to view graphs, it is using a fixed point rather than relative time
- issue - 5848 - Fix issue where RRA files are not automatically removed
- issue - 5856 - Fix invalid help link for Automation Networks
- issue - 5867 - Unable to disable a tree within the GUI
- issue - 5868 - When removing graphs, RRA files may be left behind
- issue - 5869 - Improve compatibility with ping under FreeBSD
- issue - 5870 - Improve compatibility with Slice RRD tool under PHP 8.x
- issue - 5874 - Allow IPv6 formats to use colons without port
- issue - 5884 - Update Fortigate, Aruba OSCX and Clearpass templates
- issue - 5927 - When a plugin is disabled, unable to use GUI to enable it again
- issue - 5932 - When upgrading, ensure that replication only runs as necessary
- issue - 5961 - Improve caching and syncing issues with replication
- issue - 5963 - Improve caching techniques for database calls
- issue - 5986 - Improve compatibility for Error constants under PHP 8.4
- issue - 5987 - When running the upgrade database script, cursor is left in the middle of the row
- issue - 6065 - Guest page does not automatically refresh
- issue - 6078 - When installing, conversion of tables may produce collation errors
- feature - 5921 - Add HPE Nimble/Alletra template
- feature - 5933 - When installing, only convert core cacti tables
- Updated patch for config.php for new name config.php.dist
- Add /srv/www directories to filelist [bsc#1231027]
- fix for cacti-cron.timer & cacti-cron.service failing after upgrade has already removed
- replace cacti-cron.timer & cacti-cron.service with cactid.service
to fix thold & other "sub poller" poller processes not running.
- cacti 1.2.28:
security #GHSA-49f2-hwx9-qffr: XSS vulnerability when creating external links with the consolenewsection parameter
security #GHSA-fgc6-g8gc-wcg5: XSS vulnerability when creating external links with the title parameter
security #GHSA-gxq4-mv8h-6qj4: RCE vulnerability can be executed via Log Poisoning
security #GHSA-wh9c-v56x-v77c: XSS vulnerability when creating external links with the fileurl parameter
issue #5636: When using LDAP authentication the first time, warnings may appear in logs
issue #5754: When installing, a replication loop for plugin_realms may occur
issue #5759: When installing, remote poller may attempt to sync with other pollers
issue #5768: When a Data Query has a space, indexes may not be properly escaped
issue #5771: Boost does not always order data source records properly
issue #5772: Add IP address to the login audit for successful logins by xmacan
issue #5773: Undefined variable error may sometimes occur when dealing with RRD output by MSS970
issue #5777: When export to CSV, only the first line of notes is included
issue #5780: When rendering forms, missing default value can cause errors
issue #5782: Allow hosted content to be executable for the links page
issue #5783: When closing database connections, some may linger incorrectly
issue #5785: When changing passwords, an infinite loop may occur by ddb4github
issue #5790: When using Cacti Daemon, a "Cron out of sync" message may be reported
issue #5791: Add ability to filter/sort users by group or last login time
issue #5792: When using List View, unable to add Graphs to a Report
issue #5797: When using SNMPv3, some devices may show polling issues
issue #5802: Limit table conversion to Cacti core tables
issue #5806: Fix issues with posix-based kills on Windows
issue #5813: When installing, password changes may fail on new installations
issue #5814: When using structured RRD folders, permission issues may be flagged incorrectly
issue #5823: When unable to locate a valid theme, new default will be Modern
issue #5824: Properly cache the data source information for dsstats processing
issue #5840: When reindexing, verify all fields may not work as intended
feature #5784: Add ability to log database connections/disconnections
feature #5796: Add Ping Method where connection refused assumes host is up
feature #5819: When displaying graphs, default end time does not show full 24 hour period
feature #5825: Add --id to remove_device.php
feature #5828: Add Location and Site to Graph List View
feature #5830: Add more verbose logging to Boost
feature: Update jQuery to 3.7.1
feature: Update jQueryUI to 1.14.0
feature: Update Purify.js to 3.1.6
feature: Update billboard.js to 3.13.0
feature: Improve the performance of the repopulation of the poller cache
- attempt to set permissions on several sub folders
to fix https://build.opensuse.org/package/show/openSUSE:Factory/cacti#comment-1466121
- Recent builds are being placed in /usr/share instead of existing /srv/www/cacti. This is an attempt to fix
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/cacti?expand=0&rev=188
- security - GHSA-c5j8-jxj3-hh36 - Authenticated RCE via multi-line SNMP responses
- security - GHSA-f9c7-7rc3-574c - SQL Injection vulnerability when using tree rules through Automation API
- security - GHSA-fh3x-69rr-qqpp - SQL Injection vulnerability when request automation devices
- security - GHSA-fxrq-fr7h-9rqq - Arbitrary File Creation leading to RCE
- security - GHSA-pv2c-97pp-vxwg - Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
- security - GHSA-vj9g-P7F2-4wqj - SQL Injection vulnerability when view host template
- issue - 5843 - Temporary table names may incorrectly think they have a schema
- issue - 5847 - When using Preset Time to view graphs, it is using a fixed point rather than relative time
- issue - 5848 - Fix issue where RRA files are not automatically removed
- issue - 5856 - Fix invalid help link for Automation Networks
- issue - 5867 - Unable to disable a tree within the GUI
- issue - 5868 - When removing graphs, RRA files may be left behind
- issue - 5869 - Improve compatibility with ping under FreeBSD
- issue - 5870 - Improve compatibility with Slice RRD tool under PHP 8.x
- issue - 5874 - Allow IPv6 formats to use colons without port
- issue - 5884 - Update Fortigate, Aruba OSCX and Clearpass templates
- issue - 5927 - When a plugin is disabled, unable to use GUI to enable it again
- issue - 5932 - When upgrading, ensure that replication only runs as necessary
- issue - 5961 - Improve caching and syncing issues with replication
- issue - 5963 - Improve caching techniques for database calls
- issue - 5986 - Improve compatibility for Error constants under PHP 8.4
- issue - 5987 - When running the upgrade database script, cursor is left in the middle of the row
- issue - 6065 - Guest page does not automatically refresh
- issue - 6078 - When installing, conversion of tables may produce collation errors
- feature - 5921 - Add HPE Nimble/Alletra template
- feature - 5933 - When installing, only convert core cacti tables
- Updated patch for config.php for new name config.php.dist
- Add /srv/www directories to filelist [bsc#1231027]
- fix for cacti-cron.timer & cacti-cron.service failing after upgrade has already removed
- replace cacti-cron.timer & cacti-cron.service with cactid.service
to fix thold & other "sub poller" poller processes not running.
- cacti 1.2.28:
security #GHSA-49f2-hwx9-qffr: XSS vulnerability when creating external links with the consolenewsection parameter
security #GHSA-fgc6-g8gc-wcg5: XSS vulnerability when creating external links with the title parameter
security #GHSA-gxq4-mv8h-6qj4: RCE vulnerability can be executed via Log Poisoning
security #GHSA-wh9c-v56x-v77c: XSS vulnerability when creating external links with the fileurl parameter
issue #5636: When using LDAP authentication the first time, warnings may appear in logs
issue #5754: When installing, a replication loop for plugin_realms may occur
issue #5759: When installing, remote poller may attempt to sync with other pollers
issue #5768: When a Data Query has a space, indexes may not be properly escaped
issue #5771: Boost does not always order data source records properly
issue #5772: Add IP address to the login audit for successful logins by xmacan
issue #5773: Undefined variable error may sometimes occur when dealing with RRD output by MSS970
issue #5777: When export to CSV, only the first line of notes is included
issue #5780: When rendering forms, missing default value can cause errors
issue #5782: Allow hosted content to be executable for the links page
issue #5783: When closing database connections, some may linger incorrectly
issue #5785: When changing passwords, an infinite loop may occur by ddb4github
issue #5790: When using Cacti Daemon, a "Cron out of sync" message may be reported
issue #5791: Add ability to filter/sort users by group or last login time
issue #5792: When using List View, unable to add Graphs to a Report
issue #5797: When using SNMPv3, some devices may show polling issues
issue #5802: Limit table conversion to Cacti core tables
issue #5806: Fix issues with posix-based kills on Windows
issue #5813: When installing, password changes may fail on new installations
issue #5814: When using structured RRD folders, permission issues may be flagged incorrectly
issue #5823: When unable to locate a valid theme, new default will be Modern
issue #5824: Properly cache the data source information for dsstats processing
issue #5840: When reindexing, verify all fields may not work as intended
feature #5784: Add ability to log database connections/disconnections
feature #5796: Add Ping Method where connection refused assumes host is up
feature #5819: When displaying graphs, default end time does not show full 24 hour period
feature #5825: Add --id to remove_device.php
feature #5828: Add Location and Site to Graph List View
feature #5830: Add more verbose logging to Boost
feature: Update jQuery to 3.7.1
feature: Update jQueryUI to 1.14.0
feature: Update Purify.js to 3.1.6
feature: Update billboard.js to 3.13.0
feature: Improve the performance of the repopulation of the poller cache
- attempt to set permissions on several sub folders
to fix https://build.opensuse.org/package/show/openSUSE:Factory/cacti#comment-1466121
- Recent builds are being placed in /usr/share instead of existing /srv/www/cacti. This is an attempt to fix.
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/cacti?expand=0&rev=184
cacti 1.2.27
* CVE-2024-34340: Authentication Bypass when using older password hashes (boo#1224240)
* CVE-2024-25641: RCE vulnerability when importing packages (boo#1224229)
* CVE-2024-31459: RCE vulnerability when plugins include files (boo#1224238)
* CVE-2024-31460: SQL Injection vulnerability when using tree rules through Automation API (boo#1224239)
* CVE-2024-29894: XSS vulnerability when using JavaScript based messaging API (boo#1224231)
* CVE-2024-31458: SQL Injection vulnerability when using form templates (boo#1224241)
* CVE-2024-31444: XSS vulnerability when reading tree rules with Automation API (boo#1224236)
* CVE-2024-31443: XSS vulnerability when managing data queries (boo#1224235)
* CVE-2024-31445: SQL Injection vulnerability when retrieving graphs using Automation API (boo#1224237)
* CVE-2024-27082: XSS vulnerability when managing trees (boo#1224230)
OBS-URL: https://build.opensuse.org/request/show/1174071
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cacti?expand=0&rev=50
cacti 1.2.27
* CVE-2024-34340: Authentication Bypass when using older password hashes (boo#1224240)
* CVE-2024-25641: RCE vulnerability when importing packages (boo#1224229)
* CVE-2024-31459: RCE vulnerability when plugins include files (boo#1224238)
* CVE-2024-31460: SQL Injection vulnerability when using tree rules through Automation API (boo#1224239)
* CVE-2024-29894: XSS vulnerability when using JavaScript based messaging API (boo#1224231)
* CVE-2024-31458: SQL Injection vulnerability when using form templates (boo#1224241)
* CVE-2024-31444: XSS vulnerability when reading tree rules with Automation API (boo#1224236)
* CVE-2024-31443: XSS vulnerability when managing data queries (boo#1224235)
* CVE-2024-31445: SQL Injection vulnerability when retrieving graphs using Automation API (boo#1224237)
* CVE-2024-27082: XSS vulnerability when managing trees (boo#1224230)
OBS-URL: https://build.opensuse.org/request/show/1174069
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/cacti?expand=0&rev=182
- cacti 1.2.16:
* When generating a report, the Cascade to Branches function does not work as expected
* When viewing graphs, automatic refresh does not always work as expected
* Realtime graph pop up counter bug
* Undefined variable errors may occur when creating a new datasource
* The cli-based installer does not exit with a non-zero exit code when error occurs
* When an export is complete, sometimes the progress bar remains
* When enabling many devices, a threshold can be reached causing a slowdown in the process
* When performing actions against Devices, replicated device information could sometimes be lost
* When using API to rename a tree node, backtrace may be incorrectly shown
* When searching, valid pages can sometimes be shown as empty by ddb4github
* When exporting data from graphs, not all data was properly included
* Graph Templates filter is not updated after new graph created by ddb4github
* Username and password on the login page is not visible in Classic theme
* Improve wording of concurrent process and thread settings
* Location filter should remove blank entries by ddb4github
* When syncing data collectors, a reindex event may be triggered unnecessarily
* Automation Networks allows discovery of invalid IP addresses
* When changing permissions of the current user, they don't take effect immediately
* When reindexing a device, an incorrect page was sometimes displayed
* When repairing database, audit_database.php does not add missing columns
* Log page should not be empty if no log info exists
* During upgrade, there are times when realms can be duplicated leading to SQL errors
* When using ping.php, UDP response times are not interpreted properly by hypnotoad
* Improve warning you get when attempting to view a log file you don't have access to
* When replicating files, scripts are not marked as executable
* When creating plugin tables, collation is not set properly
* Update c3.js to version 0.7.20
* Update Chart.js to version 2.9.4
* Update phpseclib to version 2.0.29
* Update PHPMailer to version 6.1.8
* Use LSB shebang notation for cli scripts
* Add support for cactid daemon based launcher
* Add ability to hide the Graph Drilldown icons by datatecuk
* Add hooks for plugins to show custom Graph Source and custom Template URL (List View)
OBS-URL: https://build.opensuse.org/request/show/852919
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/cacti?expand=0&rev=153
- cacti 1.2.13:
* jQuery XSS vulnerabilities require vendor package update
(CVE-2020-11022 / CVE-2020-11023)
* Lack of escaping on some pages can lead to XSS exposure
* Update PHPMailer to 6.1.6 (CVE-2020-13625)
* SQL Injection vulnerability due to input validation failure when
editing colors (CVE-2020-14295, boo#1173090)
* Lack of escaping on template import can lead to XSS exposure
OBS-URL: https://build.opensuse.org/request/show/820849
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cacti?expand=0&rev=33
- switch from cron to systemd timers (boo#1115436):
+ cacti-cron.timer
+ cacti-cron.service
- introduce rpmlintrc for obvious false positives from rpmlint
+ cacti-rpmlintrc
- use fdupes to reduce amount of needed/wasted space
- re-introduce RPM Group to avoid huge rpmlint complaints on 15.1
- remove .gitignore and .gitattributes files (not needed)
- avoid potential root escalation on systems with fs.protected_hardlinks=0
(boo#1154087): handle directory permissions in file section instead
of using chown during post installation
- rewrote apache configuration to get rid of .htaccess files and
explicitly disable directory permissions per default
(only allow a limited, well-known set of directories)
OBS-URL: https://build.opensuse.org/request/show/802716
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/cacti?expand=0&rev=144