| Summary: | net-mgmt/cacti: Multiple XSS and SQL injection vulnerabilities (CVE-2015-4634) | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Jason Unovitch <junovitch> |
| Component: | Individual Port(s) | Assignee: | freebsd-ports-bugs (Nobody) <ports-bugs> |
| Status: | Closed FIXED | | |
| Severity: | Affects Some People | CC: | feld, freebsd-ports, ports-secteam |
| Priority: | --- | Keywords: | patch, security |
| Version: | Latest | Flags: | freebsd-ports: maintainer-feedback+, freebsd-ports: merge-quarterly? |
| Hardware: | Any | | |
| OS: | Any | | |
| Bug Depends on: | 201747 | | |
| Bug Blocks: | | | |
| Attachments: | | | |

Description
Jason Unovitch
Created attachment 158992 [details]
security/vuxml for < cacti-0.8.8e

Log:
Document Cacti Multiple XSS and SQL injection vulnerabilities
PR: 201702
Security: CVE-2015-4634
Security: 0bfda05f-2e6f-11e5-a4a5-002590263bf5

Validation:
> make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8d
cacti-0.8.8d is vulnerable:
cacti -- Multiple XSS and SQL injection vulnerabilities
CVE: CVE-2015-4634
WWW: https://vuxml.FreeBSD.org/freebsd/0bfda05f-2e6f-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8e
0 problem(s) in the installed packages found.

Note: Per http://seclists.org/oss-sec/2015/q3/150 it appears additional CVEs were requested for the individual SQL injection vulnerabilities. The entry may have to be revised pending the assignment.

Created attachment 158993 [details]
security/vuxml for < cacti-0.8.8e
** fix formatting error **
Log:
Document Cacti Multiple XSS and SQL injection vulnerabilities
PR: 201702
Security: CVE-2015-4634
Security: 0bfda05f-2e6f-11e5-a4a5-002590263bf5

Created attachment 158998 [details]
Update to 0.8.8e

Patch to update to 0.8.8e to resolve security issues (and a few other bugs)
Poudriere testport logs available at: http://poudriere.dan.tm/poudriere/data/latest-per-pkg/cacti/0.8.8e/ (9+10 i386+amd64)

I've included a patch to upgrade to 0.8.8e and set the merge-quarterly request flag as it's a security related patch.

Created attachment 159015 [details]
Update to 0.8.8f (security + bugfix release)
This updates to 0.8.8f which fixes security issues and a few bugs (including some introduced in 0.8.8e whilst trying to fix it!)
Poudriere testport logs for cacti 0.8.8f: http://poudriere.dan.tm/poudriere/data/latest-per-pkg/cacti/0.8.8f/

A commit references this bug:
Author: feld
Date: Mon Jul 20 14:35:40 UTC 2015
New revision: 392572
URL: https://svnweb.freebsd.org/changeset/ports/392572
Log:
Document Cacti Multiple XSS and SQL injection vulnerabilities
PR: 201702
Security: CVE-2015-4634
Security: 0bfda05f-2e6f-11e5-a4a5-002590263bf5
Changes:
head/security/vuxml/vuln.xml

A commit references this bug:
Author: feld
Date: Mon Jul 20 14:45:46 UTC 2015
New revision: 392573
URL: https://svnweb.freebsd.org/changeset/ports/392573
Log:
Update to 0.8.8f to resolve security and bug issues
PR: 201702
Security: CVE-2015-4634
Security: 0bfda05f-2e6f-11e5-a4a5-002590263bf5
Changes:
head/net-mgmt/cacti/Makefile
head/net-mgmt/cacti/distinfo
head/net-mgmt/cacti/pkg-plist

A commit references this bug:
Author: feld
Date: Mon Jul 20 14:47:40 UTC 2015
New revision: 392574
URL: https://svnweb.freebsd.org/changeset/ports/392574
Log:
MFH: r392573
Update to 0.8.8f to resolve security and bug issues
PR: 201702
Security: CVE-2015-4634
Security: 0bfda05f-2e6f-11e5-a4a5-002590263bf5
Approved by: ports-secteam (with hat)
Changes:
_U branches/2015Q3/
branches/2015Q3/net-mgmt/cacti/Makefile
branches/2015Q3/net-mgmt/cacti/distinfo
branches/2015Q3/net-mgmt/cacti/pkg-plist

committed, thanks!

Created attachment 159053 [details]
cacti-0.8.8f_1.patch

https://forums.freebsd.org/threads/problem-with-cacti-upgrading.52458/

Dan,

The thread above was reported in the forums. Apparently there is a typo in the migration code in 0.8.8f and this is causing issues when starting the service after an update. Obviously that file doesn't exist.

install/index.php
@@ -468,7 +468,7 @@ if ($step == "4") { include ("0_8_8d_to_0_8_8e.php"); upgrade_to_0_8_8e(); }elseif ($cacti_versions[$i] == "0.8.8f") { - include ("0_8_8f_to_0_8_8f.php"); + include ("0_8_8e_to_0_8_8f.php"); upgrade_to_0_8_8f(); } }

Mark,

Can we get this applied and MFH'd?

Upstream Bug Reference: http://bugs.cacti.net/view.php?id=2605

Reset to open based on runtime issues with 0.8.8f caused by a typo introduced upstream.

Created attachment 159054 [details]
cacti-0.8.8f_1.patch

Disregard initial patch. The comment in the forum thread about fetching the file and not finding the bad code made me look a little closer. The SHA256 doesn't match ports anymore but the fact that I had the distfile and the fact that one of the fallback mirrors had the bad distfile hid this. According to http://www.cacti.net/downloads/

cacti-0.8.8f.tar.gz 20-Jul-2015 09:43 2.5M

It looks like this was caught and fixed after the 19 July release and they re-rolled the distfile. I see 2ea92407c11bf13302558a5bc9e1f3a57bd14a1d9ded48c505ec495762f76738 as the hash.

Patch attached fixes the issue by updating to the new 0.8.8f distfile and bumping PORTREVISION.

Tagging depends on bug 201747. Dan it appears you caught the issue and have the same exact patch in that bug. Both can be closed when this is applied. Sorry for the excess noise.

A commit references this bug:
Author: feld
Date: Wed Jul 22 02:51:51 UTC 2015
New revision: 392656
URL: https://svnweb.freebsd.org/changeset/ports/392656
Log:
Upstream re-rolled distfile. Bump PORTREVISION to address it.
PR: 201702
MFH: 2015Q3
Changes:
head/net-mgmt/cacti/Makefile
head/net-mgmt/cacti/distinfo

A commit references this bug:
Author: feld
Date: Wed Jul 22 02:52:48 UTC 2015
New revision: 392657
URL: https://svnweb.freebsd.org/changeset/ports/392657
Log:
MFH: r392656
Upstream re-rolled distfile. Bump PORTREVISION to address it.
PR: 201702
Approved by: ports-secteam (with hat)
Changes:
_U branches/2015Q3/
branches/2015Q3/net-mgmt/cacti/Makefile
branches/2015Q3/net-mgmt/cacti/distinfo

I'll try to contact upstream to address this issue and hopefully prevent it from happening again in the future.

Thanks for your patience and for reporting this so quickly. My apologies for the delay.
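
Review bot: In the install/index.php hunk of cacti-0.8.8f_1.patch above, the corrected line still uses include, which only raises a warning when the file is absent, so a wrong file name shows up later as a failed call to upgrade_to_0_8_8f() rather than at the point of the typo. Consider require for include ("0_8_8e_to_0_8_8f.php"); so that a missing migration script stops the upgrade step immediately with the file name in the error. The unchanged context line include ("0_8_8d_to_0_8_8e.php"); has the same property and could be changed in the same pass.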
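
The re-rolled distfile discussed in the thread above went unnoticed because a cached copy still matched the old checksum. The following is an added example, not code from the bug report or from the ports tree, that checks files in a directory against the `SHA256 (file) = ...` and `SIZE (file) = ...` lines of a ports-style distinfo; the file name `example-1.0.tar.gz` and its contents are constructed sample data.

```shell
# Verify distfiles against a ports-style distinfo (SHA256 and SIZE lines).
# Sample file names and contents in demo() are constructed for illustration.

# Print the SHA256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# check_distinfo DISTINFO DISTDIR
# Prints one status line per listed file; returns 0 only if all match.
check_distinfo() {
    distinfo=$1 distdir=$2 rc=0
    for f in $(sed -n 's/^SHA256 (\(.*\)) = .*/\1/p' "$distinfo"); do
        want_sum=$(sed -n "s/^SHA256 ($f) = //p" "$distinfo")
        want_size=$(sed -n "s/^SIZE ($f) = //p" "$distinfo")
        if [ ! -f "$distdir/$f" ]; then
            echo "MISSING  $f"; rc=1; continue
        fi
        have_sum=$(sha256_of "$distdir/$f")
        have_size=$(wc -c < "$distdir/$f" | tr -d ' ')
        if [ "$have_sum" = "$want_sum" ] && [ "$have_size" = "$want_size" ]; then
            echo "OK       $f"
        else
            echo "MISMATCH $f"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: record a release, then re-roll it under the same name.
demo() {
    d=$(mktemp -d)
    printf 'first release\n' > "$d/example-1.0.tar.gz"
    printf 'SHA256 (example-1.0.tar.gz) = %s\nSIZE (example-1.0.tar.gz) = %s\n' \
        "$(sha256_of "$d/example-1.0.tar.gz")" \
        "$(wc -c < "$d/example-1.0.tar.gz" | tr -d ' ')" > "$d/distinfo"
    check_distinfo "$d/distinfo" "$d"                   # cached copy matches
    printf 'second release\n' > "$d/example-1.0.tar.gz" # upstream re-roll
    check_distinfo "$d/distinfo" "$d" || true           # fresh fetch mismatches
    rm -rf "$d"
}
demo
```

Running the check against a freshly fetched copy rather than the cached distfile is what exposes a re-roll.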