Bug 242834
| Summary: | net-mgmt/cacti: Update to 1.2.8 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Michael Muenz <m.muenz> | ||||
| Component: | Individual Port(s) | Assignee: | Kai Knoblich <kai> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Many People | CC: | freebsd-ports, kai, tcberner | ||||
| Priority: | --- | Keywords: | security | ||||
| Version: | Latest | Flags: | bugzilla:
maintainer-feedback?
(freebsd-ports) kai: merge-quarterly+ |
||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| URL: | https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8 | ||||||
| Attachments: |
|
||||||
Moin moin Could you also prepare the CVE entry for vuln.xml? Mfg Tobias Is this handled like a usual port update? I'm not really familiar with this.
Does this look sane:
<vuln vid="86224a04-26de-11ea-97f2-001a8c5c04b6">
<topic>cacti -- Missing sanitization checks while deserializating data</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>1.2.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cacti developers reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17358">
<p>When deserializating data, ensure basic sanitization has been performed</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2019-17358</cvename>
<url>https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8</url>
</references>
<dates>
<discovery>2019-12-07</discovery>
<entry>2019-12-25</entry>
</dates>
</vuln>
<vuln vid="bdb934af-26dd-11ea-97f2-001a8c5c04b6">
<topic>cacti -- Input variables are not properly checked</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>1.2.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cacti developers reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17357">
<p>When viewing graphs, some input variables are not properly checked.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2019-17357</cvename>
<url>https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8</url>
</references>
<dates>
<discovery>2019-12-07</discovery>
<entry>2019-12-25</entry>
</dates>
</vuln>
(In reply to Michael Muenz from comment #2) Thank you for the patch and the VuXML entry. The latter one looks ok for the first try but I would suggest to merge the two entries into a single entry. The recent entry of net/py-urllib3 might be a good example and it's easier to attach the updated VuXML entry as attachment. ;-) A commit references this bug: Author: kai Date: Mon Jan 6 17:27:48 UTC 2020 New revision: 522265 URL: https://svnweb.freebsd.org/changeset/ports/522265 Log: security/vuxml: Document net-mgmt/cacti issues PR: 242834 Submitted by: Michael Muenz <m.muenz@gmail.com> (based on) Security: CVE-2019-17357 CVE-2019-17358 Changes: head/security/vuxml/vuln.xml Comment on attachment 210177 [details]
1.2.8 update
^ Triage: Set approval on attached patch due maintainer's timeout.
A commit references this bug: Author: kai Date: Mon Jan 6 19:02:42 UTC 2020 New revision: 522267 URL: https://svnweb.freebsd.org/changeset/ports/522267 Log: net-mgmt/cacti: Update to 1.2.8 * Sort pkg-plist to make future patching/comparing easier. While I'm here: * Use ${COPYTREE_SHARE} to correctly install a whole set of files instead of using "cp -R". * Also remove a very outdated test was required when updating to the 0.8.7a release of net-mgmt/cacti. It was introduced +12 years ago in r203859 and is no longer required nowadays. Changelog: https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8 PR: 242834 Submitted by: Michael Muenz <m.muenz@gmail.com> (based on) Approved by: maintainer timeout (14 days) MFH: 2020Q1 Security: 86224a04-26de-11ea-97f2-001a8c5c04b6 Changes: head/net-mgmt/cacti/Makefile head/net-mgmt/cacti/distinfo head/net-mgmt/cacti/pkg-plist (In reply to Michael Muenz from comment #0) Committed to the /head branch, once again thank you for the patch! I left out the changes for the various patches in files/* as they haven't changed and still apply without problems. Still waiting for approval from the ports-secteam to MFH'ing the changes to the 2020Q1 branch. A commit references this bug: Author: kai Date: Mon Jan 6 22:35:02 UTC 2020 New revision: 522286 URL: https://svnweb.freebsd.org/changeset/ports/522286 Log: MFH: r522267 net-mgmt/cacti: Update to 1.2.8 * Sort pkg-plist to make future patching/comparing easier. While I'm here: * Use ${COPYTREE_SHARE} to correctly install a whole set of files instead of using "cp -R". * Also remove a very outdated test was required when updating to the 0.8.7a release of net-mgmt/cacti. It was introduced +12 years ago in r203859 and is no longer required nowadays. Changelog: https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8 PR: 242834 Submitted by: Michael Muenz <m.muenz@gmail.com> (based on) Approved by: maintainer timeout (14 days) Security: 86224a04-26de-11ea-97f2-001a8c5c04b6 Approved by: ports-secteam (joneum) Changes: _U branches/2020Q1/ branches/2020Q1/net-mgmt/cacti/Makefile branches/2020Q1/net-mgmt/cacti/distinfo branches/2020Q1/net-mgmt/cacti/pkg-plist Changes were also merged into the 2020Q1 branch, all done! |
Created attachment 210177 [details] 1.2.8 update Enclosed patch for latest 1.2.8. Please note, this release is security relevant, CVE!