Bug 245468 - net-mgmt/cacti: Update to 1.2.11
Summary: net-mgmt/cacti: Update to 1.2.11
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Ben Woods
URL: https://github.com/Cacti/cacti/blob/r...
Keywords: security
Depends on:
Blocks:
 
Reported: 2020-04-09 05:36 UTC by Michael Muenz
Modified: 2020-05-23 11:49 UTC (History)
4 users (show)

See Also:


Attachments
Cacti 1.2.11 (1.95 KB, patch)
2020-04-09 05:36 UTC, Michael Muenz
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Muenz 2020-04-09 05:36:46 UTC
Created attachment 213207 [details]
Cacti 1.2.11

- Update to latest version
- Switched maintainer as discussed here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245198#c4
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240999#c2
Comment 1 Ben Woods freebsd_committer 2020-04-10 03:11:39 UTC
Thanks for the patch Michael, and for the approval Dan.

I assume the security issues listed in the changelog do not need a VuXML entry because they have not been assigned CVEs and are just potential improvements as opposed to vulnerabilities?
Comment 2 commit-hook freebsd_committer 2020-04-10 03:15:38 UTC
A commit references this bug:

Author: woodsb02
Date: Fri Apr 10 03:15:19 UTC 2020
New revision: 531284
URL: https://svnweb.freebsd.org/changeset/ports/531284

Log:
  net-mgmt/cacti: Update to 1.2.11

  Also change maintainer to submitter. Thanks for maintaining this port
  for the last 5 years Dan, and for stepping up to the plate Michael!

  Changes this release:
    https://github.com/Cacti/cacti/blob/release/1.2.11/CHANGELOG

  PR:		245468
  Submitted by:	Michael Muenz <m.muenz@gmail.com>
  Approved by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)

Changes:
  head/net-mgmt/cacti/Makefile
  head/net-mgmt/cacti/distinfo
  head/net-mgmt/cacti/pkg-plist
Comment 3 Ben Woods freebsd_committer 2020-04-10 03:16:21 UTC
Committed - thanks!
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-10 03:36:20 UTC
@Ben CVE's are not a requirement or a determinant for whether security releases/vulnerabilities/fixes have VuXML entries added.

Can we get an entry added marking cacti < 1.2.11 vulnerable and get ports r531284 merged to quarterly too please
Comment 5 Ben Woods freebsd_committer 2020-04-10 03:38:53 UTC
To clarify, I do not understand what the cacti developers mean when they tag something in their changelog as security#xxxx.

Does it mean it is a security improvement, where it takes the code from one secure state, to an even more secure state?

Or is it their way as recognizing a security vulnerability and associated fix?
Comment 6 Michael Muenz 2020-04-10 05:41:56 UTC
Let's have quick look:


security#1566: Add SameSite support for cookies
This is a security addition to provide more security to the product itself

security#1985: Cookie should be properly verified against password
Adds additional security 

security#3342: CSRF at Admin Email
https://github.com/Cacti/cacti/issues/3342 a logged in used could change the admin e-mail address. 

security#3343: Improper Access Control on disabling a user.
https://github.com/Cacti/cacti/issues/3343
Seems a user while logged in still can view data while it's disabled.

security#3414: Update to jQuery 3.4.1 to resolve XSS issues with jQuery 3.3.1
https://github.com/Cacti/cacti/issues/3414
Update for dependent lib, if this would be relevat we vuln.xml would explode


I have no idea if something is relevant, but if you mark something as critical I can provide a patch against vuln.xml
Comment 7 commit-hook freebsd_committer 2020-05-05 11:03:19 UTC
A commit references this bug:

Author: dbaio
Date: Tue May  5 11:03:13 UTC 2020
New revision: 534065
URL: https://svnweb.freebsd.org/changeset/ports/534065

Log:
  MFH: r531284 r534006

  net-mgmt/cacti: Update to 1.2.11

  Also change maintainer to submitter. Thanks for maintaining this port
  for the last 5 years Dan, and for stepping up to the plate Michael!

  Changes this release:
    https://github.com/Cacti/cacti/blob/release/1.2.11/CHANGELOG

  PR:		245468
  Submitted by:	Michael Muenz <m.muenz@gmail.com>
  Approved by:	Daniel Austin <freebsd-ports@dan.me.uk> (maintainer)

  net-mgmt/cacti: Update to 1.2.12

  Changelog:	https://github.com/Cacti/cacti/blob/release/1.2.12/CHANGELOG

  PR:		246161
  Submitted by:	Michael Muenz <m.muenz@gmail.com> (maintainer)
  X-MFH-with:	531284
  Security:	cd864f1a-8e5a-11ea-b5b4-641c67a117d8

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/net-mgmt/cacti/Makefile
  branches/2020Q2/net-mgmt/cacti/distinfo
  branches/2020Q2/net-mgmt/cacti/pkg-plist