Important Security Fixes
CVE-2013-5588 - XSS issue via installer or device editing
CVE-2013-5589 - SQL injection vulnerability in device editing
CVE-2014-2326 - XSS issue via CDEF editing
CVE-2014-2327 - Cross-site request forgery (CSRF) vulnerability
CVE-2014-2328 - Remote Command Execution Vulnerability in graph export
CVE-2014-4002 - XSS issues in multiple files
CVE-2014-5025 - XSS issue via data source editing
CVE-2014-5026 - XSS issues in multiple files
Important Updates
New graph tree view
Updated graph list and graph preview
Refactor graph tree view to remove GPL incompatible code
Updated command line database upgrade utility
Graph zooming now from everywhere
1.) Handle installation of the script to determine the amount of free
memory and swap space on the local machine automatically.
2.) Fix the NetBSD implementation of the above script.
3.) Create a wrapper shell script for invoking Cacti's poller.
4.) Simplify the installation instructions using the above enhancements.
5.) Don't include the log file in the package list. It doesn't belong
there and "pkg_delete" will correctly complain that it has been
modified.
ToDo:
- The log file and the "rrdtool" database still need to be moved to
a directory under "${VARBASE}".
- "config.php" should really be a config file to allow using a
non-default password for the MySQL database. But the file would have
to be readable by both the user of the webserver and that cacti user.
- bug: Fixed issue with custom data source information being lost when
saved from edit
- bug: Repopulate the poller cache on new installations
- bug: Fix issue with poller not escaping the script query path correctly
- bug: Allow snmpv3 priv proto none
- bug: Fix issue where host activate may flush the entire poller item
cache
- security: SQL injection and shell escaping issues
Also add the fix for the security vulnerability reported in SA54531
taken from the SVN repository.
to address issues with NetBSD-6 (and earlier)'s fontconfig not being
new enough for pango.
While doing that, also bump freetype2 dependency to current pkgsrc
version.
Suggested by tron in PR 47882
0.8.8a:
Important Notices
Plugin Architecture is now part of Cacti
Changelog
bug#0002207: cannot export graph templates
bug#0002208: Graphs with CDEFs fail to generate
bug#0002209: External auth does not work behind a reverse proxy
bug#0002211: creating an index USING BTREE fails on MySQL < 5.0.60
bug#0002213: CLI upgrade script is missing 0.8.7i as a target
bug#0002214: SQL error during non-PIA upgrade to 088 when giving a default for a text field in plugin_realms
bug#0002216: use of define_syslog_variables() gone in PHP 5.4
bug#0002217: url_path should default to /cacti/
bug#0002221: Missing plugin directory causes endless loop in plugins.php
bug#0002222: tail_logfile hangs when cacti.log not readable, filling apache log with fgets warnings
0.8.8:
Important Notices
Plugin Architecture is now part of Cacti
Changelog
bug#0002056: un-initialized datetime used for host status (was: Zero length string != NULL)
bug#0002081: In Graph Management, search display graph title breaks when using pattern symbol "/"
bug#0002132: need to include pa.sql with the 0.8.7i and future releases
bug#0002134: rebuild_poller_cache.php --host-id deletes table poller_item completely
bug#0002141: cacti.sql missing BTREE PRIMARY KEY for poller_output
bug#0002146: Utilities -> View Log File -> refresh does not work
bug#0002150: usort_data_query_index() is broken -> graph order for hosts with data query sort option fails
bug#0002151: When building HTML forms with sub_checkbox on_change parameter is not used
bug#0002152: Issue with filter on graphs_new.php
bug#0002153: Can't search for patterns containing a forward-slash
bug#0002156: CDEF strings are not escaped before passed to rrdtool command
bug#0002158: Minor changes to grammar of displayed messages
bug#0002165: Using data input field in data source name (related to 2079 in 0.8.7i)
bug#0002167: New poller hook poller_finishing
bug#0002172: structure_rra_paths.php does not handle disabled data sources
bug#0002174: poller_item.host_id has wrong type
bug#0002178: typo in include/global_form.php: Mimimum -> Minimum
bug#0002181: session_unregister (use in functions.php) doesn't exist anymore in PHP 5.4
bug#0002182: When there is no suitable (unique) index, graphs are not shown in data query ordering on host leafs
bug#0002189: Proper graph hooks
bug#0002191: Refresh issues
bug#0002194: changing data query XML does not propagate to existing data sources
bug: Fix input validation on cli/api_device.php
bug: Fix issue with data source template associate command line script inserting incorrect rra information
bug: Fix minor display issue on data source pages
bug: Fix minor issue with counting items in the poller_output table
bug: Graph settings and settings check boxes do not allow unchecking to be saved
bug: Fix minor issue with plugin library caused by non-session
bug: Fix SQL error on data input save for non-templated graphs
bug: user_log index added to increase performance
feature: Merge Plugin Architecture into Cacti
feature: Added index to data_template_data to increase performance
bug#0001963: Bandwidth summation "total in" and "total out"
are always 0
bug#0002040: ICMP ping errors for Windows 7 with PHP 5.3
bug#0002062: Multiple security vulnerabilities
bug#0002063: Multiple value poller output incorrectly interpreted
as hexadecimal value
bug#0002064: Removing "~" (tilde) by sanitize_uri() conflicts with
Apache UserDir translation
bug#0002066: Graph without host id "Notice: Undefined variable:
host_id"
bug#0002067: Custom time range filter not working
bug#0002068: Missing header include in analyze_database.php
bug#0002071: MySQL table poller_item is dropped always when "Data
Input Method" is changed or added.
bug#0002079: Using input field of a script in graph title does not
work
bug#0002080: Database password containing "@" does not connect
bug#0002083: Adding a new users generates errors in apache logs
bug#0002084: Incorrect normalization of hrStorageTable values
over 2^31
bug#0002086: Incorrect usage of mysql custom tcp port
bug#0002087: PHP recache problems due to missing slashes in reindex
table
bug#0002093: Unit exponent value of 0 not imported with graph
template
bug#0002094: CDEF: "another cdef" references not included in
template export
bug#0002106: Command line add device does not accept "None" for
host template
bug: Update host template cli script help to fix incorrect options
bug: Refresh of Cacti log viewer not working
bug: Problems saving User Graph Permissions in IE9
bug: Bandwidth summation fails if NAN values are present
bug: Special Type Code "host_id" available in Data Queries but Not
Data Input Methods
bug: Do not generate error messages when creating non host based
graphs
bug: Wrong index used for Data Queries using VALUE/REGEXP
bug: Fix issue with title variable replacement failing when no host
is associated with graph
bug: Cacti generating MySQL 1100 Errors when modifying the tree
bug: Resolved "Fatal error: Cannot use string offset as an array"
in lib/data_query.php
feature: Properly support ifHighSpeed replacement variable
feature: Increase granularity of availability options to correct
spine bug
feature: Replace "event count" with last changed date for host
availability
information to create graphs and populates them with data in a MySQL
database. The frontend is completely PHP driven. Along with being able
to maintain Graphs, Data Sources, and Round Robin Archives in a
database, cacti handles the data gathering also. There is also SNMP
support for those used to creating traffic graphs with MRTG.
The Plugin Architecture for Cacti was designed to be both simple in nature
and robust enough to allow freedom to do almost anything in Cacti. The
Plugin Architecture for Cacti is integrated into this package.
(created from wip/cacti by pettai)