SUSE Package Hub - openSUSE-2020-1060

Update Info

openSUSE-2020-1060

Security update for cacti, cacti-spine

Type: security

Severity: moderate

Issued: 2020-07-25

Description:

This update for cacti, cacti-spine fixes the following issues:

- cacti 1.2.13:

  * Query XSS vulnerabilities require vendor package update
    (CVE-2020-11022 / CVE-2020-11023)
  * Lack of escaping on some pages can lead to XSS exposure
  * Update PHPMailer to 6.1.6 (CVE-2020-13625)
  * SQL Injection vulnerability due to input validation failure when
    editing colors (CVE-2020-14295, boo#1173090)
  * Lack of escaping on template import can lead to XSS exposure

- switch from cron to systemd timers (boo#1115436):
  + cacti-cron.timer
  + cacti-cron.service
- avoid potential root escalation on systems with fs.protected_hardlinks=0
  (boo#1154087): handle directory permissions in file section instead
  of using chown during post installation
- rewrote apache configuration to get rid of .htaccess files and 
  explicitely disable directory permissions per default 
  (only allow a limited, well-known set of directories)

References

CVE: CVE-2020-14295
CVE: CVE-2020-13625
CVE: CVE-2020-11023
CVE: CVE-2020-11022
Bugzilla: 1173090 https://bugzilla.opensuse.org/show_bug.cgi?id=1173090
Bugzilla: 1154087 AUDIT-FIND: cacti: LPE from wwwrun to root
Bugzilla: 1115436 cacti: migrate from cron to systemd timers

Packages

cacti-spine-1.2.13-8.1

cacti-1.2.13-11.1