Created attachment 213207: Cacti 1.2.11 - Update to latest version - Switched maintainer as discussed here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245198#c4 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240999#c2
Thanks for the patch Michael, and for the approval Dan. I assume the security issues listed in the changelog do not need a VuXML entry because they have not been assigned CVEs and are just potential improvements as opposed to vulnerabilities?
A commit references this bug:

Author: woodsb02
Date: Fri Apr 10 03:15:19 UTC 2020
New revision: 531284
URL: https://svnweb.freebsd.org/changeset/ports/531284

Log:
net-mgmt/cacti: Update to 1.2.11

Also change maintainer to submitter. Thanks for maintaining this port for the last 5 years Dan, and for stepping up to the plate Michael!

Changes this release: https://github.com/Cacti/cacti/blob/release/1.2.11/CHANGELOG

PR: 245468
Submitted by: Michael Muenz <m.muenz@gmail.com>
Approved by: Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)

Changes:
head/net-mgmt/cacti/Makefile
head/net-mgmt/cacti/distinfo
head/net-mgmt/cacti/pkg-plist
Committed - thanks!
@Ben CVEs are not a requirement or a determinant for whether security releases/vulnerabilities/fixes have VuXML entries added. Can we get an entry added marking cacti < 1.2.11 vulnerable, and get ports r531284 merged to quarterly too, please?
To clarify, I do not understand what the cacti developers mean when they tag something in their changelog as security#xxxx. Does it mean it is a security improvement, where it takes the code from one secure state to an even more secure state? Or is it their way of recognizing a security vulnerability and its associated fix?
Let's have a quick look:

security#1566: Add SameSite support for cookies
This is a security addition to provide more security to the product itself.

security#1985: Cookie should be properly verified against password
Adds additional security.

security#3342: CSRF at Admin Email
https://github.com/Cacti/cacti/issues/3342
A logged-in user could change the admin e-mail address.

security#3343: Improper Access Control on disabling a user
https://github.com/Cacti/cacti/issues/3343
Seems a user, while logged in, can still view data while it's disabled.

security#3414: Update to jQuery 3.4.1 to resolve XSS issues with jQuery 3.3.1
https://github.com/Cacti/cacti/issues/3414
Update for a dependent lib; if this were relevant, vuln.xml would explode.

I have no idea if something is relevant, but if you mark something as critical I can provide a patch against vuln.xml.
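For reference, this is what a VuXML entry covering the three issue-backed items above (3342, 3343, 3414) would look like for cacti < 1.2.11. It is an added illustration, not a patch posted in this thread or an entry that exists in security/vuxml; the vid is an all-zero placeholder (a real entry gets a fresh UUID from uuidgen), the discovery date is assumed, and the entry date is taken from the ports commit above.

```xml
<!-- Added example entry for security/vuxml/vuln.xml; not from this thread. -->
<!-- vid is a placeholder: replace with the output of `uuidgen` before committing. -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>cacti -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>cacti</name>
      <!-- everything below 1.2.11 is marked affected; 1.2.11 itself is fixed -->
      <range><lt>1.2.11</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Cacti project reports:</p>
      <blockquote cite="https://github.com/Cacti/cacti/blob/release/1.2.11/CHANGELOG">
        <p>security#3342: CSRF at Admin Email - a logged-in user could
          change the admin e-mail address.</p>
        <p>security#3343: Improper Access Control on disabling a user - a
          disabled user with an existing session could still view data.</p>
        <p>security#3414: Update to jQuery 3.4.1 to resolve XSS issues
          with jQuery 3.3.1.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>https://github.com/Cacti/cacti/issues/3342</url>
    <url>https://github.com/Cacti/cacti/issues/3343</url>
    <url>https://github.com/Cacti/cacti/issues/3414</url>
    <url>https://github.com/Cacti/cacti/blob/release/1.2.11/CHANGELOG</url>
  </references>
  <dates>
    <!-- discovery date is assumed (placeholder); use the upstream issue date -->
    <discovery>2020-01-01</discovery>
    <!-- entry date: the day the port update was committed (ports r531284) -->
    <entry>2020-04-10</entry>
  </dates>
</vuln>
```

Before submitting, run `make validate` in security/vuxml so the entry is checked against the DTD and the date and vid formats; `pkg audit -F` on a host with cacti-1.2.10 installed is the practical check that the range actually matches the package you intend to flag.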
A commit references this bug:

Author: dbaio
Date: Tue May 5 11:03:13 UTC 2020
New revision: 534065
URL: https://svnweb.freebsd.org/changeset/ports/534065

Log:
MFH: r531284 r534006

net-mgmt/cacti: Update to 1.2.11

Also change maintainer to submitter. Thanks for maintaining this port for the last 5 years Dan, and for stepping up to the plate Michael!

Changes this release: https://github.com/Cacti/cacti/blob/release/1.2.11/CHANGELOG

PR: 245468
Submitted by: Michael Muenz <m.muenz@gmail.com>
Approved by: Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)

net-mgmt/cacti: Update to 1.2.12

Changelog: https://github.com/Cacti/cacti/blob/release/1.2.12/CHANGELOG

PR: 246161
Submitted by: Michael Muenz <m.muenz@gmail.com> (maintainer)
X-MFH-with: 531284
Security: cd864f1a-8e5a-11ea-b5b4-641c67a117d8

Approved by: ports-secteam (joneum)

Changes:
_U branches/2020Q2/
branches/2020Q2/net-mgmt/cacti/Makefile
branches/2020Q2/net-mgmt/cacti/distinfo
branches/2020Q2/net-mgmt/cacti/pkg-plist