Bug 200963

Summary: [MAINTAINER] net-mgmt/cacti: Update to 0.8.8d, Fix security vulnerabilities
Product: Ports & Packages Reporter: Daniel Austin <freebsd-ports>
Component: Individual Port(s)Assignee: Xin LI <delphij>
Status: Closed FIXED    
Severity: Affects Some People CC: delphij, junovitch, koobs, ports-secteam
Priority: --- Keywords: patch, patch-ready, security
Version: LatestFlags: freebsd-ports: maintainer-feedback+
delphij: merge-quarterly+
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch to update to latest
freebsd-ports: maintainer-approval+
10.1/amd64 poudriere log
none
10.1/i386 poudriere log
none
security/vuxml entry for cacti 0.8.8c and 0.8.8d multiple vulnerabilities none

Description Daniel Austin 2015-06-19 07:38:25 UTC
Created attachment 157879 [details]
patch to update to latest

Update net-mgmt/cacti to latest version which patches some security issues such as XSS bugs.

Poudriere testport logs at:

http://poudriere.dan.tm/poudriere/data/latest-per-pkg/cacti/0.8.8d/
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-06-20 02:54:16 UTC
Dan,
Can you grab the details of what security issues were fixed so it can be documented in vuxml?  If you need some assistance, post those details here and I'll help you turn it into a patch for vuxml.
Comment 2 Daniel Austin 2015-06-20 09:07:45 UTC
(In reply to Jason Unovitch from comment #1)

Here's the full list of changes:

http://www.cacti.net/release_notes_0_8_8d.php

And a summary of security related ones from the list:

Fixed SQL injection VN: JVN#78187936 / TN:JPCERT#98968540
[FG-VD-15-017] Cacti Cross-Site Scripting Vulnerability Notification
SQL Injection and Location header injection from cdef id CVE-2015-4342
SQL injection in graph templates
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-21 06:41:59 UTC
Daniel, can you include your poudriere logs as an attachments please.
Comment 4 Daniel Austin 2015-06-21 09:35:04 UTC
Created attachment 157921 [details]
10.1/amd64 poudriere log
Comment 5 Daniel Austin 2015-06-21 09:35:31 UTC
Created attachment 157922 [details]
10.1/i386 poudriere log
Comment 6 Daniel Austin 2015-06-21 09:36:48 UTC
(In reply to Kubilay Kocak from comment #3)

I've attached the 10.1-RELEASE testport logs.

I've not included the 9.x and 8.x ones or i'd be spamming the mailing list like crazy.  They're located at the URL in my original post if they're needed.
I always run a testport against i386+amd64 for all current releases (so 6 sets at the moment!).
Comment 7 Jason Unovitch freebsd_committer freebsd_triage 2015-06-21 14:24:04 UTC
Created attachment 157927 [details]
security/vuxml entry for cacti 0.8.8c and 0.8.8d multiple vulnerabilities

(In reply to Daniel Austin from comment #2)

Thanks for the info.

As it turns out, we missed documenting any of the security advisories from 0.8.8c as the last vuxml was 0.8.8b.  Patch attached to document both 0.8.8c and 0.8.8d issues is ready to apply.

VALIDATION:

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml


# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8b
cacti-0.8.8b is vulnerable:
cacti -- Multiple XSS and SQL injection vulerabilities
CVE: CVE-2015-4342
WWW: https://vuxml.FreeBSD.org/freebsd/a3929112-181b-11e5-a1cf-002590263bf5.html

cacti-0.8.8b is vulnerable:
cacti -- multiple security vulnerabilities
CVE: CVE-2014-5026
CVE: CVE-2014-5025
CVE: CVE-2014-4002
CVE: CVE-2014-2328
CVE: CVE-2014-2327
CVE: CVE-2014-2326
CVE: CVE-2013-5589
CVE: CVE-2013-5588
WWW: https://vuxml.FreeBSD.org/freebsd/a0e74731-181b-11e5-a1cf-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8c
cacti-0.8.8c is vulnerable:
cacti -- Multiple XSS and SQL injection vulerabilities
CVE: CVE-2015-4342
WWW: https://vuxml.FreeBSD.org/freebsd/a3929112-181b-11e5-a1cf-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8d
0 problem(s) in the installed packages found.
Comment 8 Jason Unovitch freebsd_committer freebsd_triage 2015-06-22 04:43:29 UTC
I also validated with a testport run on all including CURRENT.  Successfully built on the following:
8.4-RELEASE-p28      amd64
8.4-RELEASE-p28      i386
9.3-RELEASE-p14      amd64
9.3-RELEASE-p14      i386
10.1-RELEASE-p10     amd64
10.1-RELEASE-p10     i386
11.0-CURRENT r284104 amd64
11.0-CURRENT r284104 i386

This looks ready to be committed.
Comment 9 commit-hook freebsd_committer freebsd_triage 2015-06-22 06:45:39 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 06:44:56 UTC 2015
New revision: 390273
URL: https://svnweb.freebsd.org/changeset/ports/390273

Log:
  Document cacti multiple vulnerabilities (affects < 0.8.8c) and
  multiple XSS/SQL injection vulnerabilities (affects < 0.8.8d).

  PR:		200963
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment 10 commit-hook freebsd_committer freebsd_triage 2015-06-22 06:52:42 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 06:52:09 UTC 2015
New revision: 390274
URL: https://svnweb.freebsd.org/changeset/ports/390274

Log:
  Update to 0.8.8d (security: fixes multiple XSS/SQL injection
  vulnerabilities)

  PR:		200963
  Submitted by:	maintainer (freebsd-ports@dan.me.uk)
  Security:	a3929112-181b-11e5-a1cf-002590263bf5
  MFH:		2015Q2

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/pkg-plist
Comment 11 commit-hook freebsd_committer freebsd_triage 2015-06-22 06:54:44 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 06:54:23 UTC 2015
New revision: 390275
URL: https://svnweb.freebsd.org/changeset/ports/390275

Log:
  MFH: r390274

  Update to 0.8.8d (security: fixes multiple XSS/SQL injection
  vulnerabilities)

  PR:		200963
  Submitted by:	maintainer (freebsd-ports@dan.me.uk)
  Security:	a3929112-181b-11e5-a1cf-002590263bf5
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/net-mgmt/cacti/Makefile
  branches/2015Q2/net-mgmt/cacti/distinfo
  branches/2015Q2/net-mgmt/cacti/pkg-plist
Comment 12 Xin LI freebsd_committer freebsd_triage 2015-06-22 06:55:37 UTC
Committed, thanks!
Comment 13 Daniel Austin 2015-06-23 07:12:58 UTC
(In reply to Xin LI from comment #12)

Hi Xin,

The quarterly builds appear to be failing as the build machines are trying to apply a patch file that was deleted in r384620 - i'm not sure why it's still trying to apply it.

Im not sure who is best to report that too!


Thanks,

Daniel.
Comment 14 commit-hook freebsd_committer freebsd_triage 2015-06-23 18:07:56 UTC
A commit references this bug:

Author: delphij
Date: Tue Jun 23 18:07:02 UTC 2015
New revision: 390437
URL: https://svnweb.freebsd.org/changeset/ports/390437

Log:
  MFH: r384620 (partially).

  There were some patches that was changed and/or removed
  and this also applies for 0.8.8d.

  PR:		200963
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/net-mgmt/cacti/files/patch-include__global.php
  branches/2015Q2/net-mgmt/cacti/files/patch-include__global_settings.php
  branches/2015Q2/net-mgmt/cacti/files/patch-install__index.php
  branches/2015Q2/net-mgmt/cacti/files/patch-lib__rrd.php
  branches/2015Q2/net-mgmt/cacti/files/pkg-message.in
Comment 15 Xin LI freebsd_committer freebsd_triage 2015-06-23 18:08:55 UTC
(In reply to Daniel Austin from comment #13)
It was my fault.  Fixed in 390437.