Created attachment 210177: 1.2.8 update

Enclosed patch for latest 1.2.8. Please note, this release is security relevant, CVE!
Hi,

Could you also prepare the CVE entry for vuln.xml?

Regards,
Tobias
Is this handled like a usual port update? I'm not really familiar with this. Does this look sane:

  <vuln vid="86224a04-26de-11ea-97f2-001a8c5c04b6">
    <topic>cacti -- Missing sanitization checks while deserializing data</topic>
    <affects>
      <package>
        <name>cacti</name>
        <range><lt>1.2.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The cacti developers report:</p>
        <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17358">
          <p>When deserializating data, ensure basic sanitization has been performed</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-17358</cvename>
      <url>https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8</url>
    </references>
    <dates>
      <discovery>2019-12-07</discovery>
      <entry>2019-12-25</entry>
    </dates>
  </vuln>

  <vuln vid="bdb934af-26dd-11ea-97f2-001a8c5c04b6">
    <topic>cacti -- Input variables are not properly checked</topic>
    <affects>
      <package>
        <name>cacti</name>
        <range><lt>1.2.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The cacti developers report:</p>
        <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17357">
          <p>When viewing graphs, some input variables are not properly checked.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-17357</cvename>
      <url>https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8</url>
    </references>
    <dates>
      <discovery>2019-12-07</discovery>
      <entry>2019-12-25</entry>
    </dates>
  </vuln>
(In reply to Michael Muenz from comment #2)

Thank you for the patch and the VuXML entry. The latter one looks ok for a first try, but I would suggest merging the two entries into a single entry. The recent entry of net/py-urllib3 might be a good example, and it's easier to attach the updated VuXML entry as an attachment. ;-)
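The merged form that the comment above asks for, together with a small checker that mimics the decision `pkg audit` makes from the `<affects>` block, as an added example that is not part of this bug report or of the ports tree. The entry text is constructed here from the data already in the thread (both CVEs, the 1.2.8 release URL, the `lt 1.2.8` range, and the vid that the later commit message references); the version ordering is a simplified model of pkg's comparison, not pkg's own code, and `parse_entry`, `is_affected` and `version_key` are names chosen for this example.

```python
"""Merged VuXML entry for the two cacti 1.2.8 issues plus a checker that
parses <affects>/<range> and decides whether an installed package version
falls inside the vulnerable range.  The entry is constructed for this
example; the version comparison is a simplified model of pkg's ordering."""
import re
import xml.etree.ElementTree as ET

# Constructed entry: same data as the thread, both CVEs folded into one vuln.
MERGED_ENTRY = """<vuln vid="86224a04-26de-11ea-97f2-001a8c5c04b6">
  <topic>cacti -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>cacti</name>
      <range><lt>1.2.8</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The cacti developers report:</p>
      <blockquote cite="https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8">
        <p>When viewing graphs, some input variables are not properly checked.</p>
        <p>When deserializating data, ensure basic sanitization has been performed</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2019-17357</cvename>
    <cvename>CVE-2019-17358</cvename>
    <url>https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8</url>
  </references>
  <dates>
    <discovery>2019-12-07</discovery>
    <entry>2019-12-25</entry>
  </dates>
</vuln>"""

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def version_key(v):
    """Simplified pkg version ordering: 'version[_portrevision][,epoch]'.
    Epoch dominates, then the dotted numeric version, then the port revision.
    Real pkg_version(8) also handles letters, '+' and 'pl'; this example
    covers the dotted-numeric form used by net-mgmt/cacti."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    return (epoch, tuple(int(p) for p in v.split(".")), rev)


def in_range(version, bounds):
    """A <range> may carry lt/le/gt/ge/eq bounds; all of them must hold."""
    ops = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
           "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
           "eq": lambda a, b: a == b}
    key = version_key(version)
    return all(ops[tag](key, version_key(val)) for tag, val in bounds.items())


def parse_entry(xml_text):
    """Parse one <vuln> element and sanity-check the identifiers in it."""
    vuln = ET.fromstring(xml_text)
    vid = vuln.get("vid") or ""
    if not UUID_RE.fullmatch(vid):
        raise ValueError("vid is not a UUID: %r" % vid)
    cves = [c.text for c in vuln.findall("references/cvename")]
    for c in cves:
        if not CVE_RE.fullmatch(c or ""):
            raise ValueError("malformed cvename: %r" % c)
    packages = {}
    for pkg in vuln.findall("affects/package"):
        # One <package> may list several <name>s and several <range>s.
        ranges = [{b.tag: b.text for b in rng} for rng in pkg.findall("range")]
        for name in pkg.findall("name"):
            packages[name.text] = ranges
    return {"vid": vid, "topic": vuln.findtext("topic"),
            "cves": cves, "packages": packages}


def is_affected(entry, pkgname, version):
    """True when the installed version matches any range for pkgname."""
    ranges = entry["packages"].get(pkgname)
    return ranges is not None and any(in_range(version, r) for r in ranges)


if __name__ == "__main__":
    entry = parse_entry(MERGED_ENTRY)
    for v in ("1.2.7", "1.2.7_2", "1.2.8", "1.2.10"):
        print(v, "affected" if is_affected(entry, "cacti", v) else "ok", entry["cves"])
```

Note that a merged entry keeps one `vid` but lists every `<cvename>`, which is what lets `pkg audit` report both CVEs for a single installed cacti-1.2.7 package; the `lt` bound means 1.2.8 itself and any later version (including 1.2.10, which a naive string comparison would wrongly flag) are reported as clean.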
A commit references this bug:

Author: kai
Date: Mon Jan 6 17:27:48 UTC 2020
New revision: 522265
URL: https://svnweb.freebsd.org/changeset/ports/522265

Log:
  security/vuxml: Document net-mgmt/cacti issues

  PR:		242834
  Submitted by:	Michael Muenz <m.muenz@gmail.com> (based on)
  Security:	CVE-2019-17357
  Security:	CVE-2019-17358

Changes:
  head/security/vuxml/vuln.xml
Comment on attachment 210177: 1.2.8 update

Triage: Set approval on attached patch due to maintainer timeout.
A commit references this bug:

Author: kai
Date: Mon Jan 6 19:02:42 UTC 2020
New revision: 522267
URL: https://svnweb.freebsd.org/changeset/ports/522267

Log:
  net-mgmt/cacti: Update to 1.2.8

  * Sort pkg-plist to make future patching/comparing easier.

  While I'm here:

  * Use ${COPYTREE_SHARE} to correctly install a whole set of files
    instead of using "cp -R".
  * Also remove a very outdated test that was required when updating to
    the 0.8.7a release of net-mgmt/cacti. It was introduced +12 years ago
    in r203859 and is no longer required nowadays.

  Changelog:	https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8

  PR:		242834
  Submitted by:	Michael Muenz <m.muenz@gmail.com> (based on)
  Approved by:	maintainer timeout (14 days)
  MFH:		2020Q1
  Security:	86224a04-26de-11ea-97f2-001a8c5c04b6

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/pkg-plist
(In reply to Michael Muenz from comment #0)

Committed to the /head branch, once again thank you for the patch! I left out the changes for the various patches in files/* as they haven't changed and still apply without problems. Still waiting for approval from the ports-secteam to MFH the changes to the 2020Q1 branch.
A commit references this bug:

Author: kai
Date: Mon Jan 6 22:35:02 UTC 2020
New revision: 522286
URL: https://svnweb.freebsd.org/changeset/ports/522286

Log:
  MFH: r522267

  net-mgmt/cacti: Update to 1.2.8

  * Sort pkg-plist to make future patching/comparing easier.

  While I'm here:

  * Use ${COPYTREE_SHARE} to correctly install a whole set of files
    instead of using "cp -R".
  * Also remove a very outdated test that was required when updating to
    the 0.8.7a release of net-mgmt/cacti. It was introduced +12 years ago
    in r203859 and is no longer required nowadays.

  Changelog:	https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8

  PR:		242834
  Submitted by:	Michael Muenz <m.muenz@gmail.com> (based on)
  Approved by:	maintainer timeout (14 days)
  Security:	86224a04-26de-11ea-97f2-001a8c5c04b6

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q1/
  branches/2020Q1/net-mgmt/cacti/Makefile
  branches/2020Q1/net-mgmt/cacti/distinfo
  branches/2020Q1/net-mgmt/cacti/pkg-plist
Changes were also merged into the 2020Q1 branch, all done!