Comment 1 Tobias C. Berner 2019-12-23 17:12:44 UTC

Moin moin

Could you also prepare the CVE entry for vuln.xml?


Mfg Tobias

Is this handled like a usual port update? I'm not really familiar with this.
Does this look sane:

  <vuln vid="86224a04-26de-11ea-97f2-001a8c5c04b6">
    <topic>cacti -- Missing sanitization checks while deserializating data</topic>
    <affects>
      <package>
        <name>cacti</name>
        <range><lt>1.2.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The cacti developers reports:</p>
        <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17358">
          <p>When deserializating data, ensure basic sanitization has been performed</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-17358</cvename>
      <url>https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8</url>
    </references>
    <dates>
      <discovery>2019-12-07</discovery>
      <entry>2019-12-25</entry>
    </dates>
  </vuln>

  <vuln vid="bdb934af-26dd-11ea-97f2-001a8c5c04b6">
    <topic>cacti -- Input variables are not properly checked</topic>
    <affects>
      <package>
        <name>cacti</name>
        <range><lt>1.2.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The cacti developers reports:</p>
        <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17357">
          <p>When viewing graphs, some input variables are not properly checked.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-17357</cvename>
      <url>https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8</url>
    </references>
    <dates>
      <discovery>2019-12-07</discovery>
      <entry>2019-12-25</entry>
    </dates>
  </vuln>

Comment 3 Kai Knoblich 2020-01-01 17:19:44 UTC

(In reply to Michael Muenz from comment #2)

Thank you for the patch and the VuXML entry. The latter one looks ok for the first try but I would suggest to merge the two entries into a single entry.

The recent entry of net/py-urllib3 might be a good example and it's easier to attach the updated VuXML entry as attachment. ;-)

Comment 4 commit-hook 2020-01-06 17:28:15 UTC

A commit references this bug:

Author: kai
Date: Mon Jan  6 17:27:48 UTC 2020
New revision: 522265
URL: https://svnweb.freebsd.org/changeset/ports/522265

Log:
  security/vuxml: Document net-mgmt/cacti issues

  PR:		242834
  Submitted by:	Michael Muenz <m.muenz@gmail.com> (based on)
  Security:	CVE-2019-17357
                  CVE-2019-17358

Changes:
  head/security/vuxml/vuln.xml

Comment 5 Kai Knoblich 2020-01-06 17:32:11 UTC

Comment on attachment 210177 [details]
1.2.8 update

^ Triage: Set approval on attached patch due maintainer's timeout.

Comment 6 commit-hook 2020-01-06 19:03:23 UTC

A commit references this bug:

Author: kai
Date: Mon Jan  6 19:02:42 UTC 2020
New revision: 522267
URL: https://svnweb.freebsd.org/changeset/ports/522267

Log:
  net-mgmt/cacti: Update to 1.2.8

  * Sort pkg-plist to make future patching/comparing easier.

  While I'm here:

  * Use ${COPYTREE_SHARE} to correctly install a whole set of files instead of
    using "cp -R".

  * Also remove a very outdated test was required when updating to the 0.8.7a
    release of net-mgmt/cacti.  It was introduced +12 years ago in r203859 and
    is no longer required nowadays.

  Changelog:

  https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8

  PR:		242834
  Submitted by:	Michael Muenz <m.muenz@gmail.com> (based on)
  Approved by:	maintainer timeout (14 days)
  MFH:		2020Q1
  Security:	86224a04-26de-11ea-97f2-001a8c5c04b6

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/pkg-plist

Comment 7 Kai Knoblich 2020-01-06 19:09:19 UTC

(In reply to Michael Muenz from comment #0)

Committed to the /head branch, once again thank you for the patch! I left out the changes for the various patches in files/* as they haven't changed and still apply without problems.

Still waiting for approval from the ports-secteam to MFH'ing the changes to the 2020Q1 branch.

Comment 8 commit-hook 2020-01-06 22:35:46 UTC

A commit references this bug:

Author: kai
Date: Mon Jan  6 22:35:02 UTC 2020
New revision: 522286
URL: https://svnweb.freebsd.org/changeset/ports/522286

Log:
  MFH: r522267

  net-mgmt/cacti: Update to 1.2.8

  * Sort pkg-plist to make future patching/comparing easier.

  While I'm here:

  * Use ${COPYTREE_SHARE} to correctly install a whole set of files instead of
    using "cp -R".

  * Also remove a very outdated test was required when updating to the 0.8.7a
    release of net-mgmt/cacti.  It was introduced +12 years ago in r203859 and
    is no longer required nowadays.

  Changelog:

  https://github.com/Cacti/cacti/releases/tag/release%2F1.2.8

  PR:		242834
  Submitted by:	Michael Muenz <m.muenz@gmail.com> (based on)
  Approved by:	maintainer timeout (14 days)
  Security:	86224a04-26de-11ea-97f2-001a8c5c04b6

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q1/
  branches/2020Q1/net-mgmt/cacti/Makefile
  branches/2020Q1/net-mgmt/cacti/distinfo
  branches/2020Q1/net-mgmt/cacti/pkg-plist

Comment 9 Kai Knoblich 2020-01-06 22:42:46 UTC

Changes were also merged into the 2020Q1 branch, all done!