| Revision Date: | 2020-07-27 | Version: | 1 |
| Title: | Security update for cacti, cacti-spine (Moderate) |
| Description: |
This update for cacti, cacti-spine fixes the following issues:
- cacti 1.2.13:
* Query XSS vulnerabilities require vendor package update (CVE-2020-11022 / CVE-2020-11023) * Lack of escaping on some pages can lead to XSS exposure * Update PHPMailer to 6.1.6 (CVE-2020-13625) * SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295, boo#1173090) * Lack of escaping on template import can lead to XSS exposure
- switch from cron to systemd timers (boo#1115436): + cacti-cron.timer + cacti-cron.service - avoid potential root escalation on systems with fs.protected_hardlinks=0 (boo#1154087): handle directory permissions in file section instead of using chown during post installation - rewrote apache configuration to get rid of .htaccess files and explicitely disable directory permissions per default (only allow a limited, well-known set of directories)
This update was imported from the openSUSE:Leap:15.1:Update update project.
|
| Family: | unix | Class: | patch |
| Status: | | Reference(s): | 1115436
1154087
1173090
CVE-2020-11022
CVE-2020-11023
CVE-2020-13625
CVE-2020-14295
openSUSE-SU-2020:1106-1
|
| Platform(s): | SUSE Linux Enterprise High Performance Computing 15 SP1
SUSE Linux Enterprise Server 15 SP1
SUSE Linux Enterprise Server for SAP Applications 15 SP1
SUSE Linux Enterprise Storage 6
SUSE Manager Proxy 4.0
SUSE Manager Server 4.0
SUSE Package Hub for SUSE Linux Enterprise 15 SP1
| Product(s): | |
| Definition Synopsis |
| SUSE Package Hub for SUSE Linux Enterprise 15 SP1 is installed AND Package Information
cacti-1.2.13-bp151.4.12.1 is installed
OR cacti-spine-1.2.13-bp151.4.12.1 is installed
|