Created attachment 170749
update to 0.8.8h

This is a security update for cacti to resolve SQL exploits.

Overview:
* upgrade to 0.8.8h codebase from vendor
* fix SQL vulnerabilities including CVE-2016-3659
* fix USE_MYSQL -> USES:mysql
* fix deprecated mysql php module requirement (use mysqli instead)
* fix overwriting of failure/recovery dates after outages

Files added:
files/patch-lib__functions.php

Files modified:
Makefile
distinfo
pkg-plist
files/patch-install__index.php

Poudriere testport logs:
https://poudriere.dan.tm/poudriere/data/latest-per-pkg/cacti/0.8.8h/

Please merge-quarterly due to SQL vulns patched.

Created attachment 170762
vuxml entry for cacti

sorry - missed the vuxml entry earlier

A commit references this bug:

Author: pi
Date: Sat May 28 20:09:26 UTC 2016
New revision: 416066
URL: https://svnweb.freebsd.org/changeset/ports/416066

Log:
  net-mgmt/cacti: 0.8.8g -> 0.8.8h

  This is a security update for cacti to resolve SQL exploits.

  - upgrade to 0.8.8h codebase from vendor
  - fix SQL vulnerabilities including CVE-2016-3659
  - fix USE_MYSQL -> USES:mysql
  - fix deprecated mysql php module requirement (use mysqli instead)
  - fix overwriting of failure/recovery dates after outages

  PR: 209809
  Submitted by: Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  Security: CVE-2016-3659
  MFH: 2016Q2

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/files/patch-install__index.php
  head/net-mgmt/cacti/files/patch-lib__functions.php
  head/net-mgmt/cacti/pkg-plist

A commit references this bug:

Author: pi
Date: Sun May 29 19:01:24 UTC 2016
New revision: 416120
URL: https://svnweb.freebsd.org/changeset/ports/416120

Log:
  Document security issues fixed in cacti 0.8.8h

  PR: 209809
  Reported by: Daniel Austin <freebsd-ports@dan.me.uk>
  Security: CVE-2016-3659
  Security: https://vuxml.FreeBSD.org/freebsd/6167b341-250c-11e6-a6fb-003048f2e514.html

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: pi
Date: Sun May 29 19:12:22 UTC 2016
New revision: 416121
URL: https://svnweb.freebsd.org/changeset/ports/416121

Log:
  MFH: r416066

  net-mgmt/cacti: 0.8.8g -> 0.8.8h

  This is a security update for cacti to resolve SQL exploits.

  - upgrade to 0.8.8h codebase from vendor
  - fix SQL vulnerabilities including CVE-2016-3659
  - fix USE_MYSQL -> USES:mysql
  - fix deprecated mysql php module requirement (use mysqli instead)
  - fix overwriting of failure/recovery dates after outages

  PR: 209809
  Submitted by: Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  Security: CVE-2016-3659
  Approved by: ports-secteam (junovitch)

Changes:
  _U  branches/2016Q2/
  branches/2016Q2/net-mgmt/cacti/Makefile
  branches/2016Q2/net-mgmt/cacti/distinfo
  branches/2016Q2/net-mgmt/cacti/files/patch-install__index.php
  branches/2016Q2/net-mgmt/cacti/files/patch-lib__functions.php
  branches/2016Q2/net-mgmt/cacti/pkg-plist

MFH done, vuxml done, thanks very much!

A commit references this bug:

Author: pi
Date: Tue May 31 16:12:59 UTC 2016
New revision: 416207
URL: https://svnweb.freebsd.org/changeset/ports/416207

Log:
  net-mgmt/cacti: fix INDEX in quarterly branch

  - no USES=mysql allowed in the quarterly branch

  PR: 209809
  Submitted by: antoine
  Approved by: ports-secteam (feld)

Changes:
  branches/2016Q2/net-mgmt/cacti/Makefile

A commit references this bug:

Author: pi
Date: Mon Jun 6 18:29:15 UTC 2016
New revision: 416481
URL: https://svnweb.freebsd.org/changeset/ports/416481

Log:
  net-mgmt/cacti: fix version number in Makefile

  PR: 209809
  Submitted by: Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  Approved by: ports-secteam (junovitch)
  MFH: 2016Q2

Changes:
  branches/2016Q2/net-mgmt/cacti/Makefile