Bug 209809 - net-mgmt/cacti: upgrade to 0.8.8h - fix sql vulns
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Kurt Jaeger
URL:
Keywords: patch, patch-ready, security
Depends on:
Blocks: 209022 209456
Reported: 2016-05-28 13:00 UTC by Daniel Austin
Modified: 2016-06-06 18:29 UTC

See Also:
freebsd-ports: maintainer-feedback+
pi: merge-quarterly+


Attachments
update to 0.8.8h (3.92 KB, patch)
2016-05-28 13:00 UTC, Daniel Austin
freebsd-ports: maintainer-approval+
vuxml entry for cacti (1.33 KB, application/xml)
2016-05-28 19:45 UTC, Daniel Austin
freebsd-ports: maintainer-approval+

Description Daniel Austin 2016-05-28 13:00:26 UTC
Created attachment 170749
update to 0.8.8h

This is a security update for cacti to resolve SQL exploits.

Overview:
 * upgrade to 0.8.8h codebase from vendor
 * fix SQL vulnerabilities including CVE-2016-3659
 * fix USE_MYSQL -> USES:mysql
 * fix deprecated mysql php module requirement (use mysqli instead)
 * fix overwriting of failure/recovery dates after outages

Files added:
 files/patch-lib__functions.php

Files modified:
 Makefile
 distinfo
 pkg-plist
 files/patch-install__index.php


Poudriere testport logs:
https://poudriere.dan.tm/poudriere/data/latest-per-pkg/cacti/0.8.8h/


Please merge-quarterly due to SQL vulns patched.
Comment 1 Daniel Austin 2016-05-28 19:45:56 UTC
Created attachment 170762
vuxml entry for cacti

sorry - missed the vuxml entry earlier
Comment 2 commit-hook freebsd_committer 2016-05-28 20:10:14 UTC
A commit references this bug:

Author: pi
Date: Sat May 28 20:09:26 UTC 2016
New revision: 416066
URL: https://svnweb.freebsd.org/changeset/ports/416066

Log:
  net-mgmt/cacti: 0.8.8g -> 0.8.8h

  This is a security update for cacti to resolve SQL exploits.
  - upgrade to 0.8.8h codebase from vendor
  - fix SQL vulnerabilities including CVE-2016-3659
  - fix USE_MYSQL -> USES:mysql
  - fix deprecated mysql php module requirement (use mysqli instead)
  - fix overwriting of failure/recovery dates after outages

  PR:		209809
  Submitted by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  Security:	CVE-2016-3659
  MFH:		2016Q2

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/files/patch-install__index.php
  head/net-mgmt/cacti/files/patch-lib__functions.php
  head/net-mgmt/cacti/pkg-plist
Comment 3 commit-hook freebsd_committer 2016-05-29 19:01:29 UTC
A commit references this bug:

Author: pi
Date: Sun May 29 19:01:24 UTC 2016
New revision: 416120
URL: https://svnweb.freebsd.org/changeset/ports/416120

Log:
  Document security issues fixed in cacti 0.8.8h

  PR:		209809
  Reported by:	Daniel Austin <freebsd-ports@dan.me.uk>
  Security:	CVE-2016-3659
  Security:	https://vuxml.FreeBSD.org/freebsd/6167b341-250c-11e6-a6fb-003048f2e514.html

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer 2016-05-29 19:12:31 UTC
A commit references this bug:

Author: pi
Date: Sun May 29 19:12:22 UTC 2016
New revision: 416121
URL: https://svnweb.freebsd.org/changeset/ports/416121

Log:
  MFH: r416066

  net-mgmt/cacti: 0.8.8g -> 0.8.8h

  This is a security update for cacti to resolve SQL exploits.
  - upgrade to 0.8.8h codebase from vendor
  - fix SQL vulnerabilities including CVE-2016-3659
  - fix USE_MYSQL -> USES:mysql
  - fix deprecated mysql php module requirement (use mysqli instead)
  - fix overwriting of failure/recovery dates after outages

  PR:		209809
  Submitted by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  Security:	CVE-2016-3659
  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/net-mgmt/cacti/Makefile
  branches/2016Q2/net-mgmt/cacti/distinfo
  branches/2016Q2/net-mgmt/cacti/files/patch-install__index.php
  branches/2016Q2/net-mgmt/cacti/files/patch-lib__functions.php
  branches/2016Q2/net-mgmt/cacti/pkg-plist
Comment 5 Kurt Jaeger freebsd_committer 2016-05-29 19:13:45 UTC
MFH done, vuxml done, thanks very much!
Comment 6 commit-hook freebsd_committer 2016-05-31 16:13:47 UTC
A commit references this bug:

Author: pi
Date: Tue May 31 16:12:59 UTC 2016
New revision: 416207
URL: https://svnweb.freebsd.org/changeset/ports/416207

Log:
  net-mgmt/cacti: fix INDEX in quarterly branch

  - no USES=mysql allowed in the quarterly branch

  PR:		209809
  Submitted by:	antoine
  Approved by:	ports-secteam (feld)

Changes:
  branches/2016Q2/net-mgmt/cacti/Makefile
Comment 7 commit-hook freebsd_committer 2016-06-06 18:29:25 UTC
A commit references this bug:

Author: pi
Date: Mon Jun  6 18:29:15 UTC 2016
New revision: 416481
URL: https://svnweb.freebsd.org/changeset/ports/416481

Log:
  net-mgmt/cacti: fix version number in Makefile

  PR:		209809
  Submitted by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)
  Approved by:	ports-secteam (junovitch)
  MFH:		2016Q2

Changes:
  branches/2016Q2/net-mgmt/cacti/Makefile