Update Info

openSUSE-2020-1106


Security update for cacti, cacti-spine


Type: security
Severity: moderate
Issued: 2020-07-27
Description:
This update for cacti, cacti-spine fixes the following issues:

- cacti 1.2.13:

  * Query XSS vulnerabilities require vendor package update
    (CVE-2020-11022 / CVE-2020-11023)
  * Lack of escaping on some pages can lead to XSS exposure
  * Update PHPMailer to 6.1.6 (CVE-2020-13625)
  * SQL Injection vulnerability due to input validation failure when
    editing colors (CVE-2020-14295, boo#1173090)
  * Lack of escaping on template import can lead to XSS exposure

- switch from cron to systemd timers (boo#1115436):
  + cacti-cron.timer
  + cacti-cron.service
- avoid potential root escalation on systems with fs.protected_hardlinks=0
  (boo#1154087): handle directory permissions in file section instead
  of using chown during post installation
- rewrote apache configuration to get rid of .htaccess files and 
  explicitely disable directory permissions per default 
  (only allow a limited, well-known set of directories)


This update was imported from the openSUSE:Leap:15.1:Update update project.

              

Packages


  • cacti-spine-1.2.13-bp151.4.12.1
  • cacti-1.2.13-bp151.4.12.1