Created attachment 257248 [details] Upgrade patch

This version includes the following security fixes:

* security #GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses
* security #GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API
* security #GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices
* security #GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE
* security #GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
* security #GHSA-vj9g-p7f2-4wqj: SQL Injection vulnerability when view host template
Created attachment 257249 [details] Extended patch to fix plist
(In reply to Rodrigo Osorio from comment #1) Hi Rodrigo, Could you add an entry for security/vuxml?
Created attachment 257263 [details] Add security/vuxml entry

Add security/vuxml entry for net-mgmt/cacti < 1.2.29
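The attachment above is not reproduced in this thread. The following is an added illustration, not the attachment's contents, of what a security/vuxml entry for this advisory looks like in the vuln.xml format: the package/version range it affects, the description, the CVE and advisory references, and the dates. The vid UUID and the dates are placeholders (a real entry gets a freshly generated UUID and the actual discovery and entry dates); the CVE numbers, GHSA identifiers and the version bound come from the commit message, and the advisory URLs are assumed to follow GitHub's usual security-advisory path.

```xml
<!-- Added example vuxml entry (not the attachment). vid and dates are placeholders. -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>cacti -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>cacti</name>
      <!-- every version below 1.2.29 is affected -->
      <range><lt>1.2.29</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Cacti reports:</p>
      <blockquote cite="https://github.com/Cacti/cacti/releases/tag/release%2F1.2.29">
        <p>GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses</p>
        <p>GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API</p>
        <p>GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices</p>
        <p>GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE</p>
        <p>GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path</p>
        <p>GHSA-vj9g-p7f2-4wqj: SQL Injection vulnerability when view host template</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2025-22604</cvename>
    <cvename>CVE-2025-24368</cvename>
    <cvename>CVE-2024-54145</cvename>
    <cvename>CVE-2025-24367</cvename>
    <cvename>CVE-2024-45598</cvename>
    <cvename>CVE-2024-54146</cvename>
    <!-- assumed advisory URL pattern -->
    <url>https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36</url>
    <url>https://github.com/Cacti/cacti/security/advisories/GHSA-f9c7-7rc3-574c</url>
    <url>https://github.com/Cacti/cacti/security/advisories/GHSA-fh3x-69rr-qqpp</url>
    <url>https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq</url>
    <url>https://github.com/Cacti/cacti/security/advisories/GHSA-pv2c-97pp-vxwg</url>
    <url>https://github.com/Cacti/cacti/security/advisories/GHSA-vj9g-p7f2-4wqj</url>
  </references>
  <dates>
    <discovery>YYYY-MM-DD</discovery>
    <entry>YYYY-MM-DD</entry>
  </dates>
</vuln>
```

Once the entry is in the ports tree, `pkg audit -F` on a host with an older cacti package reports it as vulnerable, which is the check an operator would run to confirm the upgrade is needed.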
m.muenz@gmail.com, I'm awaiting your approval of this PR.
Looks good, thank you! TBH, my time is way too limited for QA. I'm fine with it if you want to take maintainership.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3f7707eabeeb878a4a31c2abebd1b07fece25c50

commit 3f7707eabeeb878a4a31c2abebd1b07fece25c50
Author:     Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2025-02-05 09:27:31 +0000
Commit:     Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2025-02-06 21:07:32 +0000

    net-mgmt/cacti: update to 1.2.29

    Changelog: https://github.com/Cacti/cacti/releases/tag/release%2F1.2.29

    Security: CVE-2025-22604 / GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses
    Security: CVE-2025-24368 / GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API
    Security: CVE-2024-54145 / GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices
    Security: CVE-2025-24367 / GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE
    Security: CVE-2024-45598 / GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
    Security: CVE-2024-54146 / GHSA-vj9g-p7f2-4wqj: SQL Injection vulnerability when view host template

    Per maintainer request take maintainership

    PR:          284583
    Approved by: Michael Muenz <m.muenz@gmail.com> (maintainer)

 net-mgmt/cacti/Makefile  | 4 ++--
 net-mgmt/cacti/distinfo  | 6 +++---
 net-mgmt/cacti/pkg-plist | 8 ++++++--
 3 files changed, 11 insertions(+), 7 deletions(-)
A commit in branch 2025Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c98a12b83febe9a7914a94cc994f1717597d55df

commit c98a12b83febe9a7914a94cc994f1717597d55df
Author:     Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2025-02-05 09:27:31 +0000
Commit:     Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2025-02-06 21:37:53 +0000

    net-mgmt/cacti: update to 1.2.29

    Changelog: https://github.com/Cacti/cacti/releases/tag/release%2F1.2.29

    Security: CVE-2025-22604 / GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses
    Security: CVE-2025-24368 / GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API
    Security: CVE-2024-54145 / GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices
    Security: CVE-2025-24367 / GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE
    Security: CVE-2024-45598 / GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
    Security: CVE-2024-54146 / GHSA-vj9g-p7f2-4wqj: SQL Injection vulnerability when view host template

    Per maintainer request take maintainership

    PR:          284583
    Approved by: Michael Muenz <m.muenz@gmail.com> (maintainer)

    (cherry picked from commit 3f7707eabeeb878a4a31c2abebd1b07fece25c50)

 net-mgmt/cacti/Makefile  | 4 ++--
 net-mgmt/cacti/distinfo  | 6 +++---
 net-mgmt/cacti/pkg-plist | 8 ++++++--
 3 files changed, 11 insertions(+), 7 deletions(-)
Committed, thanks.