Bug 245468

Summary: net-mgmt/cacti: Update to 1.2.11
Product: Ports & Packages Reporter: Michael Muenz <m.muenz>
Component: Individual Port(s) Assignee: Ben Woods <woodsb02>
Status: Closed FIXED    
Severity: Affects Many People CC: freebsd-ports, joneum, ports-secteam, woodsb02
Priority: Normal Keywords: security
Version: Latest   
Hardware: Any   
OS: Any   
URL: https://github.com/Cacti/cacti/blob/release/1.2.11/CHANGELOG
Attachments:
  Cacti 1.2.11 (flags: none)

Description Michael Muenz 2020-04-09 05:36:46 UTC
Created attachment 213207 [details]
Cacti 1.2.11

- Update to latest version
- Switched maintainer as discussed here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245198#c4
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240999#c2
Comment 1 Ben Woods freebsd_committer freebsd_triage 2020-04-10 03:11:39 UTC
Thanks for the patch Michael, and for the approval Dan.

I assume the security issues listed in the changelog do not need a VuXML entry because they have not been assigned CVEs and are just potential improvements as opposed to vulnerabilities?
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-04-10 03:15:38 UTC
A commit references this bug:

Author: woodsb02
Date: Fri Apr 10 03:15:19 UTC 2020
New revision: 531284
URL: https://svnweb.freebsd.org/changeset/ports/531284

Log:
  net-mgmt/cacti: Update to 1.2.11

  Also change maintainer to submitter. Thanks for maintaining this port
  for the last 5 years Dan, and for stepping up to the plate Michael!

  Changes this release:
    https://github.com/Cacti/cacti/blob/release/1.2.11/CHANGELOG

  PR:		245468
  Submitted by:	Michael Muenz <m.muenz@gmail.com>
  Approved by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/pkg-plist
Comment 3 Ben Woods freebsd_committer freebsd_triage 2020-04-10 03:16:21 UTC
Committed - thanks!
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-10 03:36:20 UTC
@Ben CVEs are not a requirement or a determinant for whether security releases/vulnerabilities/fixes have VuXML entries added.

Can we get an entry added marking cacti < 1.2.11 vulnerable, and get ports r531284 merged to quarterly too, please?
Comment 5 Ben Woods freebsd_committer freebsd_triage 2020-04-10 03:38:53 UTC
To clarify, I do not understand what the cacti developers mean when they tag something in their changelog as security#xxxx.

Does it mean it is a security improvement, where it takes the code from one secure state to an even more secure state?

Or is it their way of recognizing a security vulnerability and its associated fix?
Comment 6 Michael Muenz 2020-04-10 05:41:56 UTC
Let's have a quick look:

security#1566: Add SameSite support for cookies
This is a security addition to provide more security to the product itself

security#1985: Cookie should be properly verified against password
Adds additional security

security#3342: CSRF at Admin Email
https://github.com/Cacti/cacti/issues/3342 - a logged-in user could change the admin e-mail address.

security#3343: Improper Access Control on disabling a user.
https://github.com/Cacti/cacti/issues/3343
Seems a user, while logged in, can still view data while the account is disabled.

security#3414: Update to jQuery 3.4.1 to resolve XSS issues with jQuery 3.3.1
https://github.com/Cacti/cacti/issues/3414
Update for a dependent lib; if this were relevant, vuln.xml would explode.


I have no idea if something is relevant, but if you mark something as critical I can provide a patch against vuln.xml.
Comment 7 commit-hook freebsd_committer freebsd_triage 2020-05-05 11:03:19 UTC
A commit references this bug:

Author: dbaio
Date: Tue May  5 11:03:13 UTC 2020
New revision: 534065
URL: https://svnweb.freebsd.org/changeset/ports/534065

Log:
  MFH: r531284 r534006

  net-mgmt/cacti: Update to 1.2.11

  Also change maintainer to submitter. Thanks for maintaining this port
  for the last 5 years Dan, and for stepping up to the plate Michael!

  Changes this release:
    https://github.com/Cacti/cacti/blob/release/1.2.11/CHANGELOG

  PR:		245468
  Submitted by:	Michael Muenz <m.muenz@gmail.com>
  Approved by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)

  net-mgmt/cacti: Update to 1.2.12

  Changelog:	https://github.com/Cacti/cacti/blob/release/1.2.12/CHANGELOG

  PR:		246161
  Submitted by:	Michael Muenz <m.muenz@gmail.com> (maintainer)
  X-MFH-with:	531284
  Security:	cd864f1a-8e5a-11ea-b5b4-641c67a117d8

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/net-mgmt/cacti/Makefile
  branches/2020Q2/net-mgmt/cacti/distinfo
  branches/2020Q2/net-mgmt/cacti/pkg-plist