
A cacti, cacti-spine security update has been released for SUSE Linux Enterprise.



openSUSE-SU-2023:0275-1: important: Security update for cacti, cacti-spine


openSUSE Security Update: Security update for cacti, cacti-spine
_______________________________

Announcement ID: openSUSE-SU-2023:0275-1
Rating: important
References: #1215040 #1215042 #1215043 #1215044 #1215045
#1215047 #1215050 #1215051 #1215052 #1215053
#1215054 #1215055 #1215056 #1215058 #1215059
#1215081 #1215082
Cross-References: CVE-2023-30534 CVE-2023-39357 CVE-2023-39358
CVE-2023-39359 CVE-2023-39360 CVE-2023-39361
CVE-2023-39362 CVE-2023-39364 CVE-2023-39365
CVE-2023-39366 CVE-2023-39510 CVE-2023-39511
CVE-2023-39512 CVE-2023-39513 CVE-2023-39514
CVE-2023-39515 CVE-2023-39516
CVSS scores:
CVE-2023-30534 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2023-39357 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-39358 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-39359 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-39360 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2023-39361 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-39362 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2023-39364 (NVD) : 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CVE-2023-39365 (NVD) : 4.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
CVE-2023-39366 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
CVE-2023-39510 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
CVE-2023-39511 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
CVE-2023-39512 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
CVE-2023-39513 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
CVE-2023-39514 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
CVE-2023-39515 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
CVE-2023-39516 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Affected Products:
SUSE Linux Enterprise High Performance Computing 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12-SP3
SUSE Linux Enterprise Server 12-SP4
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server for SAP Applications 12
SUSE Linux Enterprise Server for SAP Applications 12-SP3
SUSE Linux Enterprise Server for SAP Applications 12-SP4
SUSE Linux Enterprise Server for SAP Applications 12-SP5
SUSE Package Hub for SUSE Linux Enterprise 12
openSUSE Backports SLE-15-SP4
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes 17 vulnerabilities is now available.

Description:

This update for cacti, cacti-spine fixes the following issues:

cacti-spine 1.2.25:

* Spine should see if script to be executed is executable
* Enhance number recognition
* When polling devices, sort by larger number of items first
* Log format may be corrupted when timeout occurs
* Compile warning appears due to GCC flag on RHEL7/RHEL8
* Downed device detection only checks one of the two uptime OIDs
* Compile error appears due to execinfo.h on FreeBSD
* Bootstrap shell script contains some PHP cruft
* Padding is not always removed from the start of non-numeric strings
* Improve SNMP result handling for non-numeric results
* Further improve SNMP result handling for non-numeric results
* Remove check for the max_oids column which has been present since Cacti
v1.0
* Minimize Sorting when fetching poller records for maximum performance

cacti-spine 1.2.24:

* Fix segfault when ignoring older OIDs

cacti 1.2.25:

* CVE-2023-30534: Protect against Insecure deserialization of filter data
(boo#1215082)
* CVE-2023-39360: Cross-Site Scripting vulnerability when creating new
graphs (boo#1215044)
* CVE-2023-39361: Unauthenticated SQL Injection when viewing graphs
(boo#1215045)
* CVE-2023-39357: SQL Injection when saving data with sql_save()
(boo#1215040)
* CVE-2023-39362: Authenticated command injection when using SNMP options
(boo#1215047)
* CVE-2023-39359: Authenticated SQL injection vulnerability when managing
graphs (boo#1215043)
* CVE-2023-39358: Authenticated SQL injection vulnerability when managing
reports (boo#1215042)
* CVE-2023-39365: SQL Injection when using regular expressions
(boo#1215051)
* CVE-2023-39364: redirect in change password functionality (boo#1215050)
* CVE-2023-39366: Cross-Site Scripting vulnerability with Device Name when
managing Data Sources (boo#1215052)
* CVE-2023-39510: Cross-Site Scripting vulnerability with Device Name when
administrating Reports (boo#1215053)
* CVE-2023-39511: Cross-Site Scripting vulnerability with Device Name when
editing Graphs whilst managing Reports (boo#1215081)
* CVE-2023-39512: Cross-Site Scripting vulnerability with Device Name when
managing Data Sources (boo#1215054)
* CVE-2023-39513: Cross-Site Scripting vulnerability with Device Name when
debugging data queries (boo#1215055)
* CVE-2023-39514: Cross-Site Scripting vulnerability with Data Source Name
when managing Graphs (boo#1215056)
* CVE-2023-39515: Cross-Site Scripting vulnerability with Data Source Name
when debugging Data Queries (boo#1215058)
* CVE-2023-39516: Cross-Site Scripting vulnerability with Data Source
Information when managing Data Sources (boo#1215059)
* When rebuilding the Poller Cache from command line, allow it to be
multi-threaded
* When searching tree or list views, the URL does not update after changes
* When creating a Data Source Template with a specific snmp port, the port
is not always applied
* When a Data Query references a file, the filename should be trimmed to
remove spurious spaces
* THold plugin may not always install or upgrade properly
* RRD file structures are not always updated properly, if there are more
Data Sources in the Data Template than the Graph Template
* When reindexing devices, errors may sometimes be shown
* Boost may lose data when the database server is overloaded
* Boost can sometimes output unexpected or invalid values
* Boost should not attempt to start if there are no items to process
* Rebuilding the poller cache does not always work as expected
* Host CPU items may not poll as expected when on a remote data
collector where hmib is also enabled
* When creating new graphs, invalid offset errors may be generated
* When importing packages, SQL errors may be generated
* When managing plugins from command line, the --plugin option is not
properly handled
* When automating an install of Cacti, error messages can appear
* When performing automated install of a plugin, warnings can be thrown
* Automation references the wrong table name causing errors
* Data Source Info Mode produces invalid recommendations
* Data Source Debug 'Run All' generates too many log messages
* The description of rebuild poller cache in utilities does not display
properly
* When reindexing a device, debug information may not always display
properly
* Upon displaying a form with errors, the session error fields variable
isn't cleared
* MariaDB clusters will no longer support exclusive locks
* RRDtool can fail to update when sources in Data Template and Graph
Template data sources do not match
* Compatibility improvements for Boost under PHP 8.x
* When searching the tree, increase the time before querying for items
* Device Location drop down does not always populate correctly
* When viewing Realtime graphs, undefined variable errors may be reported
* SNMP Uptime is not always ignored for spikekills
* Improve detection of downed Devices
* When reporting missing functions from Plugins, ensure messages do not
occur too often
* When starting the Cacti daemon, database errors may be reported when
there is no problem
* When reporting from RRDcheck, ensure prefix is in the correct casing
* Improve Orphaned Data Source options and display
* Parsing the PHP Configuration may sometimes produce errors
* Security processes attempt to check for a user lockout even if there is
no user logged in
* When attempting to edit a tree, the search filter for Graphs remains
disabled
* When reindexing, a Data Source that could be un-orphaned may not always
be un-orphaned
* When parsing a date value, there could be more than 30 chars
* Untemplated Data Sources can fail to update due to lack of an assigned
Graph
* When processing items to check, do not include disabled hosts
* When saving a Data Source Template, SQL errors may be reported
* When importing a Template, errors may be recorded
* Some display strings have invalid formatting that cannot be parsed
* When filtering with regular expressions, the 'does not match' option
does not always function as expected
* When enabling a plugin, sometimes it can appear as if nothing happens
* Ensure the Rows Per Page option shows limitations set by configuration
* Plugins are unable to modify fields in the setting 'Change Device
Settings'
* When reporting emails being sent, ensure BCC addresses are also included
* Improve compatibility of SNMP class trim handling under PHP 8.x
* When importing legacy Data Query Templates, the Template can become
unusable
* Provide ability to raise an event when extending the settings form
* Prevent unsupported SQL Mode flags from being set
* The DSStats summary does not always display expected values
* When performing a fresh install, device classification may be missing
* Duplication functions for Graph/Template and Data Source/Template do not
return an id
* Duplication of Device Templates should be an API call
* Unable to convert database to latin1 instead of utf8 if desired
* When creating Graphs, the process may become slower over time as more
items exist
* When a bulk walk size is set to automatic, this is not always set to the
optimal value
* Update copyright notice on import packages
* When viewing Orphan Graphs, SQL errors may be reported
* When reindexing hosts from command line, ensure only one process runs at
once
* When a Data Query has no Graphs, it may not be deletable
* When duplicating a Graph Template, provide an option to not duplicate
Data Query association
* When duplicating a Data Template errors can appear in the Cacti log
* When importing a Package, previewing makes unexpected changes to Cacti
Templates
* When enabling boost on a fresh install, an error may be reported
* Improve compatibility for backtrace logging under PHP 8.x
* Improve compatibility for Advanced Ping under PHP 8.x
* Provide new templates for Fortigate and Aruba Cluster to be available
during install
* Provide new template for SNMP Printer to be available during install
* When importing devices, allow a device classification to be known
* Extend length of maximum name in settings table
* Extend length of maximum name in user settings table
* Data Queries do not have a Duplication function
* Upgrade d3.js v7.8.2 and billboard.js v3.7.4
* Upgrade ua-parser.js to version 1.0.35
* Update Cisco Device Template to include HSRP graph template
* New hook for device template change 'device_template_change'

cacti 1.2.24:

* Fix: Unable to import Local Linux Machine template
* Fix multiple charting and display issues
* Compatibility changes for SNMP under PHP 8.2, and other PHP
compatibility updates
* Fix multiple issues editing settings
* timeout fixes for Basic Auth
* multiple data poller bug fixes

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2023-275=1

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2023-275=1

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2023-275=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

cacti-spine-1.2.25-bp155.2.3.1
cacti-spine-debuginfo-1.2.25-bp155.2.3.1
cacti-spine-debugsource-1.2.25-bp155.2.3.1

- openSUSE Backports SLE-15-SP5 (noarch):

cacti-1.2.25-bp155.2.3.1

- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

cacti-spine-1.2.25-bp154.2.9.1

- openSUSE Backports SLE-15-SP4 (noarch):

cacti-1.2.25-bp154.2.9.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64):

cacti-spine-1.2.25-29.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

cacti-1.2.25-35.1

References:

https://www.suse.com/security/cve/CVE-2023-30534.html
https://www.suse.com/security/cve/CVE-2023-39357.html
https://www.suse.com/security/cve/CVE-2023-39358.html
https://www.suse.com/security/cve/CVE-2023-39359.html
https://www.suse.com/security/cve/CVE-2023-39360.html
https://www.suse.com/security/cve/CVE-2023-39361.html
https://www.suse.com/security/cve/CVE-2023-39362.html
https://www.suse.com/security/cve/CVE-2023-39364.html
https://www.suse.com/security/cve/CVE-2023-39365.html
https://www.suse.com/security/cve/CVE-2023-39366.html
https://www.suse.com/security/cve/CVE-2023-39510.html
https://www.suse.com/security/cve/CVE-2023-39511.html
https://www.suse.com/security/cve/CVE-2023-39512.html
https://www.suse.com/security/cve/CVE-2023-39513.html
https://www.suse.com/security/cve/CVE-2023-39514.html
https://www.suse.com/security/cve/CVE-2023-39515.html
https://www.suse.com/security/cve/CVE-2023-39516.html
https://bugzilla.suse.com/1215040
https://bugzilla.suse.com/1215042
https://bugzilla.suse.com/1215043
https://bugzilla.suse.com/1215044
https://bugzilla.suse.com/1215045
https://bugzilla.suse.com/1215047
https://bugzilla.suse.com/1215050
https://bugzilla.suse.com/1215051
https://bugzilla.suse.com/1215052
https://bugzilla.suse.com/1215053
https://bugzilla.suse.com/1215054
https://bugzilla.suse.com/1215055
https://bugzilla.suse.com/1215056
https://bugzilla.suse.com/1215058
https://bugzilla.suse.com/1215059
https://bugzilla.suse.com/1215081
https://bugzilla.suse.com/1215082