| Summary: | net-mgmt/cacti: Update to 1.2.8 |
|---|---|
| Product: | Ports & Packages |
| Reporter: | Michael Muenz <m.muenz> |
| Component: | Individual Port(s) |
| Assignee: | Kai Knoblich <kai> |
| Status: | Closed FIXED |
| Severity: | Affects Many People |
| CC: | freebsd-ports, kai, tcberner |
| Priority: | --- |
| Keywords: | security |
| Version: | Latest |
| Flags: | bugzilla: maintainer-feedback? (freebsd-ports); kai: merge-quarterly+ |
| Hardware: | Any |
| OS: | Any |
| URL: | https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8 |
| Attachments: | 210177: 1.2.8 update |
Comment #1 (Tobias):

Moin moin,

could you also prepare the CVE entry for vuln.xml?

Mfg
Tobias

Comment #2 (Michael Muenz):

Is this handled like a usual port update? I'm not really familiar with this. Does this look sane:

```xml
<vuln vid="86224a04-26de-11ea-97f2-001a8c5c04b6">
  <topic>cacti -- Missing sanitization checks while deserializating data</topic>
  <affects>
    <package>
      <name>cacti</name>
      <range><lt>1.2.8</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The cacti developers reports:</p>
      <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17358">
        <p>When deserializating data, ensure basic sanitization has been performed</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2019-17358</cvename>
    <url>https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8</url>
  </references>
  <dates>
    <discovery>2019-12-07</discovery>
    <entry>2019-12-25</entry>
  </dates>
</vuln>

<vuln vid="bdb934af-26dd-11ea-97f2-001a8c5c04b6">
  <topic>cacti -- Input variables are not properly checked</topic>
  <affects>
    <package>
      <name>cacti</name>
      <range><lt>1.2.8</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The cacti developers reports:</p>
      <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17357">
        <p>When viewing graphs, some input variables are not properly checked.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2019-17357</cvename>
    <url>https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8</url>
  </references>
  <dates>
    <discovery>2019-12-07</discovery>
    <entry>2019-12-25</entry>
  </dates>
</vuln>
```

Comment #3 (Kai Knoblich):

(In reply to Michael Muenz from comment #2)

Thank you for the patch and the VuXML entry. The latter one looks OK for a first try, but I would suggest merging the two entries into a single entry. The recent entry for net/py-urllib3 might be a good example, and it's easier to attach the updated VuXML entry as an attachment. ;-)

A commit references this bug:

Author: kai
Date: Mon Jan 6 17:27:48 UTC 2020
New revision: 522265
URL: https://svnweb.freebsd.org/changeset/ports/522265

Log:
  security/vuxml: Document net-mgmt/cacti issues

  PR:           242834
  Submitted by: Michael Muenz <m.muenz@gmail.com> (based on)
  Security:     CVE-2019-17357
                CVE-2019-17358

Changes:
  head/security/vuxml/vuln.xml

Comment on attachment 210177 [details]
1.2.8 update

^ Triage: Set approval on attached patch due to maintainer's timeout.

A commit references this bug:

Author: kai
Date: Mon Jan 6 19:02:42 UTC 2020
New revision: 522267
URL: https://svnweb.freebsd.org/changeset/ports/522267

Log:
  net-mgmt/cacti: Update to 1.2.8

  * Sort pkg-plist to make future patching/comparing easier.

  While I'm here:

  * Use ${COPYTREE_SHARE} to correctly install a whole set of files instead of using "cp -R".
  * Also remove a very outdated test that was required when updating to the 0.8.7a release of net-mgmt/cacti. It was introduced +12 years ago in r203859 and is no longer required nowadays.

  Changelog:    https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8

  PR:           242834
  Submitted by: Michael Muenz <m.muenz@gmail.com> (based on)
  Approved by:  maintainer timeout (14 days)
  MFH:          2020Q1
  Security:     86224a04-26de-11ea-97f2-001a8c5c04b6

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/pkg-plist

(In reply to Michael Muenz from comment #0)

Committed to the /head branch, once again thank you for the patch! I left out the changes for the various patches in files/* as they haven't changed and still apply without problems.

Still waiting for approval from the ports-secteam to MFH the changes to the 2020Q1 branch.

A commit references this bug:

Author: kai
Date: Mon Jan 6 22:35:02 UTC 2020
New revision: 522286
URL: https://svnweb.freebsd.org/changeset/ports/522286

Log:
  MFH: r522267

  net-mgmt/cacti: Update to 1.2.8

  * Sort pkg-plist to make future patching/comparing easier.

  While I'm here:

  * Use ${COPYTREE_SHARE} to correctly install a whole set of files instead of using "cp -R".
  * Also remove a very outdated test that was required when updating to the 0.8.7a release of net-mgmt/cacti. It was introduced +12 years ago in r203859 and is no longer required nowadays.

  Changelog:    https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8

  PR:           242834
  Submitted by: Michael Muenz <m.muenz@gmail.com> (based on)
  Approved by:  maintainer timeout (14 days)
  Security:     86224a04-26de-11ea-97f2-001a8c5c04b6
  Approved by:  ports-secteam (joneum)

Changes:
  _U  branches/2020Q1/
  branches/2020Q1/net-mgmt/cacti/Makefile
  branches/2020Q1/net-mgmt/cacti/distinfo
  branches/2020Q1/net-mgmt/cacti/pkg-plist

Changes were also merged into the 2020Q1 branch, all done!

Comment #0 (Michael Muenz):

Created attachment 210177 [details]
1.2.8 update

Enclosed is a patch for the latest 1.2.8. Please note that this release is security relevant (CVE)!
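The practical effect of the VuXML entries posted in comment #2 is that `pkg audit` will flag any installed `cacti` package whose version satisfies the `<range>` (here `<lt>1.2.8</lt>`). The following is an added example, not code from this PR, the cacti port, or pkg(8): it parses the two posted entries (trimmed to the elements the check needs, and wrapped in an un-namespaced `<vuxml>` root, whereas the real vuln.xml declares `xmlns="http://www.vuxml.org/2002/vuxml"`) and evaluates them against an installed version. The version ordering is a simplified model of pkg's: epoch (after `,`) is compared first, then the dotted components, then PORTREVISION (after `_`); letter suffixes within a component are compared lexically. Function names (`parse_version`, `range_matches`, `affected_entries`) are this example's own.

```python
"""Evaluate VuXML <affects>/<range> entries against an installed package version.

Added illustration for this PR; not code from Cacti, the ports tree or pkg(8).
The version ordering is a simplified model of pkg(8)'s: epoch (after ',')
wins, then the dotted components, then PORTREVISION (after '_').
"""
import re
import xml.etree.ElementTree as ET

# The two entries posted in comment #2, trimmed to what the range check needs
# and wrapped in a root element so the fragment parses. The real vuln.xml root
# carries xmlns="http://www.vuxml.org/2002/vuxml"; it is left off here so the
# plain tag names used below resolve without namespace handling.
SAMPLE_VUXML = """<vuxml>
<vuln vid="86224a04-26de-11ea-97f2-001a8c5c04b6">
  <topic>cacti -- Missing sanitization checks while deserializating data</topic>
  <affects>
    <package>
      <name>cacti</name>
      <range><lt>1.2.8</lt></range>
    </package>
  </affects>
  <references>
    <cvename>CVE-2019-17358</cvename>
  </references>
</vuln>
<vuln vid="bdb934af-26dd-11ea-97f2-001a8c5c04b6">
  <topic>cacti -- Input variables are not properly checked</topic>
  <affects>
    <package>
      <name>cacti</name>
      <range><lt>1.2.8</lt></range>
    </package>
  </affects>
  <references>
    <cvename>CVE-2019-17357</cvename>
  </references>
</vuln>
</vuxml>"""


def parse_version(v):
    """Turn a ports-style version such as '1.2.8_1,2' into a comparable tuple
    (epoch, dotted components, revision). Simplified model of pkg(8) ordering."""
    epoch = 0
    if "," in v:                      # ',N' is the epoch; it dominates everything else
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:                      # '_N' is PORTREVISION; it only breaks ties
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = []
    for comp in v.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", comp)
        if not m:
            raise ValueError(f"unsupported version component: {comp!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return (epoch, tuple(parts), revision)


# VuXML bound elements and the comparison each one expresses.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def range_matches(range_el, installed):
    """A <range> matches when every bound inside it holds, e.g.
    <ge>1.0</ge><lt>1.2.8</lt> means 1.0 <= installed < 1.2.8."""
    inst = parse_version(installed)
    return all(OPS[b.tag](inst, parse_version(b.text.strip())) for b in range_el)


def affected_entries(vuxml_text, pkgname, installed):
    """Return (vid, topic, [cvenames]) for every <vuln> whose <affects> lists
    pkgname with at least one <range> covering the installed version."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.iter("vuln"):
        for pkg in vuln.iter("package"):
            names = [n.text for n in pkg.findall("name")]
            if pkgname in names and any(range_matches(r, installed) for r in pkg.findall("range")):
                cves = [c.text for c in vuln.iter("cvename")]
                hits.append((vuln.get("vid"), vuln.findtext("topic"), cves))
                break                  # one matching <package> is enough per entry
    return hits


if __name__ == "__main__":
    for installed in ("1.2.7", "1.2.7_2", "1.2.8"):
        hits = affected_entries(SAMPLE_VUXML, "cacti", installed)
        print(f"cacti-{installed}: {len(hits)} matching VuXML entries")
        for vid, topic, cves in hits:
            print(f"  {vid}  {topic}  {' '.join(cves)}")
```

Run stand-alone, `cacti-1.2.7` and `cacti-1.2.7_2` match both entries while `cacti-1.2.8` matches none, which is why the port update alone clears the audit finding and why a PORTREVISION bump on a vulnerable version does not. Merging the two entries into one, as suggested in comment #3, would simply yield a single hit carrying both `<cvename>` values.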