Bug 205920 - net-mgmt/cacti: Add patch for CVE-2015-8369
Summary: net-mgmt/cacti: Add patch for CVE-2015-8369
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Raphael Kubo da Costa
URL:
Keywords: patch, patch-ready, security
Depends on:
Blocks:
 
Reported: 2016-01-05 13:08 UTC by Raphael Kubo da Costa
Modified: 2016-01-06 01:47 UTC (History)
4 users (show)

See Also:
freebsd-ports: maintainer-feedback+
junovitch: merge-quarterly+


Attachments
Proposed patch (16.64 KB, patch)
2016-01-05 13:08 UTC, Raphael Kubo da Costa
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Kubo da Costa freebsd_committer 2016-01-05 13:08:08 UTC
Created attachment 165104 [details]
Proposed patch

The attached patch fixes CVE-2015-8369 (SQL injection vulnerabilities) in net-mgmt/cacti.

ports-secteam was CC'ed in case they want to ack the patch and land it as soon as possible.
Comment 1 Jason Unovitch freebsd_committer 2016-01-06 01:15:51 UTC
VuXML in https://svnweb.FreeBSD.org/changeset/ports/405284

IMHO this probably should be fixed sooner rather than later.  It is remotely exploitable and there hasn't been an upstream release since July 19th, 2015 so the port patch looks the way to go.  I've reviewed the patch and it applies and builds just fine so I am removing 'needs-qa' and adding 'patch-ready'.
Comment 2 Daniel Austin 2016-01-06 01:19:18 UTC
(In reply to Jason Unovitch from comment #1)
I haven't had chance to test it on my local poudriere yet, but if you're happy with it Jason then i'm happy too.

On a separate note, i find cacti awful at communicating anything to people - even when they do release versions!
Comment 3 commit-hook freebsd_committer 2016-01-06 01:33:45 UTC
A commit references this bug:

Author: junovitch
Date: Wed Jan  6 01:33:24 UTC 2016
New revision: 405325
URL: https://svnweb.freebsd.org/changeset/ports/405325

Log:
  net-mgmt/cacti: add patch for SQL injection in the graphs.php page

  PR:		205920
  Submitted by:	rakuco
  Approved by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  Obtained from:	http://svn.cacti.net/viewvc?view=rev&revision=7767
  Security:	CVE-2015-8369
  Security:	https://vuxml.FreeBSD.org/freebsd/bb961ff3-b3a4-11e5-8255-5453ed2e2b49.html
  MFH:		2016Q1

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/files/patch-CVE-2015-8369
Comment 4 commit-hook freebsd_committer 2016-01-06 01:44:48 UTC
A commit references this bug:

Author: junovitch
Date: Wed Jan  6 01:44:13 UTC 2016
New revision: 405326
URL: https://svnweb.freebsd.org/changeset/ports/405326

Log:
  MFH: r405325

  net-mgmt/cacti: add patch for SQL injection in the graphs.php page

  PR:		205920
  Submitted by:	rakuco
  Approved by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  Approved by:	ports-secteam (miwi)
  Obtained from:	http://svn.cacti.net/viewvc?view=rev&revision=7767
  Security:	CVE-2015-8369
  Security:	https://vuxml.FreeBSD.org/freebsd/bb961ff3-b3a4-11e5-8255-5453ed2e2b49.html

Changes:
_U  branches/2016Q1/
  branches/2016Q1/net-mgmt/cacti/Makefile
  branches/2016Q1/net-mgmt/cacti/files/patch-CVE-2015-8369
Comment 5 Jason Unovitch freebsd_committer 2016-01-06 01:47:41 UTC
Set merge-quarterly+ and close PR.