Created attachment 165104
Proposed patch

The attached patch fixes CVE-2015-8369 (SQL injection vulnerabilities) in net-mgmt/cacti. ports-secteam was CC'ed in case they want to ack the patch and land it as soon as possible.
VuXML in https://svnweb.FreeBSD.org/changeset/ports/405284

IMHO this probably should be fixed sooner rather than later. It is remotely exploitable and there hasn't been an upstream release since July 19th, 2015, so the port patch looks like the way to go. I've reviewed the patch and it applies and builds just fine, so I am removing 'needs-qa' and adding 'patch-ready'.
(In reply to Jason Unovitch from comment #1)

I haven't had a chance to test it on my local poudriere yet, but if you're happy with it Jason then I'm happy too.

On a separate note, I find cacti awful at communicating anything to people - even when they do release versions!
A commit references this bug:

Author: junovitch
Date: Wed Jan 6 01:33:24 UTC 2016
New revision: 405325
URL: https://svnweb.freebsd.org/changeset/ports/405325

Log:
  net-mgmt/cacti: add patch for SQL injection in the graphs.php page

  PR:		205920
  Submitted by:	rakuco
  Approved by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  Obtained from:	http://svn.cacti.net/viewvc?view=rev&revision=7767
  Security:	CVE-2015-8369
  Security:	https://vuxml.FreeBSD.org/freebsd/bb961ff3-b3a4-11e5-8255-5453ed2e2b49.html
  MFH:		2016Q1

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/files/patch-CVE-2015-8369
A commit references this bug:

Author: junovitch
Date: Wed Jan 6 01:44:13 UTC 2016
New revision: 405326
URL: https://svnweb.freebsd.org/changeset/ports/405326

Log:
  MFH: r405325

  net-mgmt/cacti: add patch for SQL injection in the graphs.php page

  PR:		205920
  Submitted by:	rakuco
  Approved by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  Approved by:	ports-secteam (miwi)
  Obtained from:	http://svn.cacti.net/viewvc?view=rev&revision=7767
  Security:	CVE-2015-8369
  Security:	https://vuxml.FreeBSD.org/freebsd/bb961ff3-b3a4-11e5-8255-5453ed2e2b49.html

Changes:
_U  branches/2016Q1/
  branches/2016Q1/net-mgmt/cacti/Makefile
  branches/2016Q1/net-mgmt/cacti/files/patch-CVE-2015-8369
Set merge-quarterly+ and close PR.