Release of Cacti 0.8.8c

Sunday, November 23 2014 @ 11:08 PM CST

Contributed by: Linegod

We, the Cacti Group, are proud to release the following:
Cacti 0.8.8c
Spine 0.8.8c

Important Security Fixes
CVE-2013-5588 - XSS issue via installer or device editing
CVE-2013-5589 - SQL injection vulnerability in device editing
CVE-2014-2326 - XSS issue via CDEF editing
CVE-2014-2327 - Cross-site request forgery (CSRF) vulnerability
CVE-2014-2328 - Remote Command Execution Vulnerability in graph export
CVE-2014-4002 - XSS issues in multiple files
CVE-2014-5025 - XSS issue via data source editing
CVE-2014-5026 - XSS issues in multiple files

Important Updates
New graph tree view
Updated graph list and graph preview
Refactor graph tree view to remove GPL incompatible code
Updated command line database upgrade utility
Graph zooming now from everywhere

Cacti 0.8.8c Change Log
bug#0002228: GPL incompatible files included in Cacti project in include/treeview
bug#0002383: Sanitize the step and id variables CVE-2013-5588, CVE-2013-5589
bug#0002385: Cannot export host templates while including dependencies
bug#0002386: cli/upgrade_database.php is missing the last two releases
bug#0002390: Poller/script issue with slash and backslash
bug#0002405: SQL injection in graph_xport.php
bug#0002431: CVE-2014-2326 Unspecified HTML Injection Vulnerability
bug#0002432: CVE-2014-2327 Cross Site Request Forgery Vulnerability - Special Thanks to Deutsche Telekom CERT
bug#0002433: CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
bug#0002434: Suppress SNMP UNITS Suffix from cacti_snmp_get() output
bug#0002438: Down Host Detection issue when using SNMP Desc or SNMP getNext
bug#0002446: Subtract plugin processing time from Poller sleep time
bug#0002453: CVE-2014-4002 Cross-Site Scripting Vulnerability - Special Thanks to G. Geshev (munmap)
bug#0002455: Incomplete and incorrect input parsing leads to remote code execution and SQL injection attack scenarios
bug#0002456: CVE-2014-5025 / CVE-2014-5026 - Cross-Site Scripting Vulnerability - Special Thanks to Adan Alvarez and Paul Gevers
bug: Fix COMMENT handling, even in case COMMENT is empty, with or without HR and with variable substitution
bug: Fix issues when SNMP data holds a "="; "explode" must be treated accordingly
bug: Fix filter highlighting on data sources for the data template field
bug: correct description of SNMP V3 parameters
feature: Added native jquery, jqueryui, and jstree
feature: Fixed issues with 'Clear' under preview not working
feature: Added new Tree navigation
feature: Added Columns and Thumbnails to Preview
feature: Added Columns to Tree (Preview only)
feature: Both Graphs and Columns default to 'Default'
feature: Resolved Left hand navigation taking entire page
feature: Added new graph zoom to tree view and preview offering a "quick" (default) and an "advanced" mode

Reporting Bugs

Download Cacti

Download Spine

The Cacti Group
