Created attachment 157879 [details] patch to update to latest Update net-mgmt/cacti to latest version which patches some security issues such as XSS bugs. Poudriere testport logs at: http://poudriere.dan.tm/poudriere/data/latest-per-pkg/cacti/0.8.8d/
Dan, Can you grab the details of what security issues were fixed so it can be documented in vuxml? If you need some assistance, post those details here and I'll help you turn it into a patch for vuxml.
(In reply to Jason Unovitch from comment #1) Here's the full list of changes: http://www.cacti.net/release_notes_0_8_8d.php And a summary of security related ones from the list: Fixed SQL injection VN: JVN#78187936 / TN:JPCERT#98968540 [FG-VD-15-017] Cacti Cross-Site Scripting Vulnerability Notification SQL Injection and Location header injection from cdef id CVE-2015-4342 SQL injection in graph templates
Daniel, can you include your poudriere logs as an attachments please.
Created attachment 157921 [details] 10.1/amd64 poudriere log
Created attachment 157922 [details] 10.1/i386 poudriere log
(In reply to Kubilay Kocak from comment #3) I've attached the 10.1-RELEASE testport logs. I've not included the 9.x and 8.x ones or i'd be spamming the mailing list like crazy. They're located at the URL in my original post if they're needed. I always run a testport against i386+amd64 for all current releases (so 6 sets at the moment!).
Created attachment 157927 [details] security/vuxml entry for cacti 0.8.8c and 0.8.8d multiple vulnerabilities (In reply to Daniel Austin from comment #2) Thanks for the info. As it turns out, we missed documenting any of the security advisories from 0.8.8c as the last vuxml was 0.8.8b. Patch attached to document both 0.8.8c and 0.8.8d issues is ready to apply. VALIDATION: # make validate /bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy" >>> Validating... /usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml >>> Successful. Checking if tidy differs... ... seems okay Checking for space/tab... ... seems okay /usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml # env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8b cacti-0.8.8b is vulnerable: cacti -- Multiple XSS and SQL injection vulerabilities CVE: CVE-2015-4342 WWW: https://vuxml.FreeBSD.org/freebsd/a3929112-181b-11e5-a1cf-002590263bf5.html cacti-0.8.8b is vulnerable: cacti -- multiple security vulnerabilities CVE: CVE-2014-5026 CVE: CVE-2014-5025 CVE: CVE-2014-4002 CVE: CVE-2014-2328 CVE: CVE-2014-2327 CVE: CVE-2014-2326 CVE: CVE-2013-5589 CVE: CVE-2013-5588 WWW: https://vuxml.FreeBSD.org/freebsd/a0e74731-181b-11e5-a1cf-002590263bf5.html 1 problem(s) in the installed packages found. # env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8c cacti-0.8.8c is vulnerable: cacti -- Multiple XSS and SQL injection vulerabilities CVE: CVE-2015-4342 WWW: https://vuxml.FreeBSD.org/freebsd/a3929112-181b-11e5-a1cf-002590263bf5.html 1 problem(s) in the installed packages found. # env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cacti-0.8.8d 0 problem(s) in the installed packages found.
I also validated with a testport run on all including CURRENT. Successfully built on the following: 8.4-RELEASE-p28 amd64 8.4-RELEASE-p28 i386 9.3-RELEASE-p14 amd64 9.3-RELEASE-p14 i386 10.1-RELEASE-p10 amd64 10.1-RELEASE-p10 i386 11.0-CURRENT r284104 amd64 11.0-CURRENT r284104 i386 This looks ready to be committed.
A commit references this bug: Author: delphij Date: Mon Jun 22 06:44:56 UTC 2015 New revision: 390273 URL: https://svnweb.freebsd.org/changeset/ports/390273 Log: Document cacti multiple vulnerabilities (affects < 0.8.8c) and multiple XSS/SQL injection vulnerabilities (affects < 0.8.8d). PR: 200963 Submitted by: Jason Unovitch Changes: head/security/vuxml/vuln.xml
A commit references this bug: Author: delphij Date: Mon Jun 22 06:52:09 UTC 2015 New revision: 390274 URL: https://svnweb.freebsd.org/changeset/ports/390274 Log: Update to 0.8.8d (security: fixes multiple XSS/SQL injection vulnerabilities) PR: 200963 Submitted by: maintainer (freebsd-ports@dan.me.uk) Security: a3929112-181b-11e5-a1cf-002590263bf5 MFH: 2015Q2 Changes: head/net-mgmt/cacti/Makefile head/net-mgmt/cacti/distinfo head/net-mgmt/cacti/pkg-plist
A commit references this bug: Author: delphij Date: Mon Jun 22 06:54:23 UTC 2015 New revision: 390275 URL: https://svnweb.freebsd.org/changeset/ports/390275 Log: MFH: r390274 Update to 0.8.8d (security: fixes multiple XSS/SQL injection vulnerabilities) PR: 200963 Submitted by: maintainer (freebsd-ports@dan.me.uk) Security: a3929112-181b-11e5-a1cf-002590263bf5 Approved by: ports-secteam Changes: _U branches/2015Q2/ branches/2015Q2/net-mgmt/cacti/Makefile branches/2015Q2/net-mgmt/cacti/distinfo branches/2015Q2/net-mgmt/cacti/pkg-plist
Committed, thanks!
(In reply to Xin LI from comment #12) Hi Xin, The quarterly builds appear to be failing as the build machines are trying to apply a patch file that was deleted in r384620 - i'm not sure why it's still trying to apply it. Im not sure who is best to report that too! Thanks, Daniel.
A commit references this bug: Author: delphij Date: Tue Jun 23 18:07:02 UTC 2015 New revision: 390437 URL: https://svnweb.freebsd.org/changeset/ports/390437 Log: MFH: r384620 (partially). There were some patches that was changed and/or removed and this also applies for 0.8.8d. PR: 200963 Approved by: ports-secteam Changes: _U branches/2015Q2/ branches/2015Q2/net-mgmt/cacti/files/patch-include__global.php branches/2015Q2/net-mgmt/cacti/files/patch-include__global_settings.php branches/2015Q2/net-mgmt/cacti/files/patch-install__index.php branches/2015Q2/net-mgmt/cacti/files/patch-lib__rrd.php branches/2015Q2/net-mgmt/cacti/files/pkg-message.in
(In reply to Daniel Austin from comment #13) It was my fault. Fixed in 390437.