Cacti official site security update (2021-05-04)

Source: Cacti official site    Published: 2021-05-04

Basic information

Publication date: 2021-05-04 (vendor local time)

Update type: security update

Updated version: 1.2.17

Time detected: 2021-05-04 00:25:09

Risk level: unknown

Intelligence contributor: TSRC

Update title

Security update

Update details

security#4019: Incorrect handling of fields led to potential XSS issues
security#4022: SQL Injection was possible due to incorrect validation order (CVE-2020-35701)
security#4035: Various XSS issues with HTML Forms handling
issue: CLI scripts should not have a max allowed runtime
issue: Normalize plugin hooks between user_admin.php and user_group_admin.php
issue#1052: TimeZones are not handled correctly with Daylight Saving Time changes
issue#3392: Allow plugins to customize device listing page
issue#3879: Allow Graph/Data Source with custom fields to prompt during manual creation
issue#3908: When poller overruns the script server can throw errors upon shutdown
issue#3936: Editing a graph created from Aggregate Graph can fail
issue#3945: CSV export can show NaN for date if TimeZone does not match system
issue#3969: SNMPv3 Password field does not correctly limit to size of database field
issue#3976: Font colors are being overridden leading to display issues by ddb4github
issue#3977: Database upgrade may fail when using upgrade_database.php
issue#3978: Input Validation was not handled correctly when displaying graph trees
issue#3981: Missing API include leads to runtime errors in Automation
issue#3985: Collation was not always handled correctly in the database library
issue#3988: Automation raises errors when default snmp options is set to none
issue#3990: PHP Information was not being displayed properly under Tech Support
issue#3999: Ensure database audit code attempts to use passwordless options before sending credentials
issue#4001: Ensure Cacti can support PHP 8
issue#4002: Pollers may sometimes not recover properly once they go offline
issue#4005: When viewing Realtime Graphs, validation errors may be seen for Size parameter
issue#4008: Massive decrease in poller performance due to unset variable
issue#4009: Ensure number format functions are consistent for i18n usage
issue#4021: Increase maximum number of device threads
issue#4031: Secondary filters on Data Collectors and Data Profiles do not work as expected
issue#4033: Action Icons changed to be consistent with admin UI
issue#4036: During discovery, Automation can throw unexpected errors due to null values
issue#4038: When creating new graphs, a second click is required even if not needed
issue#4042: RRD Updates can become disabled when saving performance options
issue#4043: Boost can become unresponsive when large number of archive tables exist
issue#4049: Enable sensitive graph information to be hidden from standard users by datatecuk
issue#4050: When showing table conversion script, the example path can be displayed incorrectly
issue#4056: Rename "Show Exceptions" checkbox to "Only Show Exceptions" which more accurately reflects its function
issue#4060: When attempting to get client address, incorrect information may be returned by stevenseeley
issue#4061: When getting date format, default options are not always honored by xmacan
issue#4066: Enable Boost to utilize multiple processes
issue#4067: Disable BOOST image caching when using Graph Zoom features
issue#4068: When viewing graphs, individual graph sizes can be ignored in favour of global default
issue#4070: Summary data can fail to calculate when the RRDfile lacks the Data Source
issue#4073: Zoom functionality can fail when a graph has lost focus.
issue#4074: Realtime Images are not always adhering to defined format
issue#4075: LDAP Settings lead to confusion when setting up LDAP authentication
issue#4076: MariaDB tuning link points to a dead URL within System Utilities
issue#4077: If user has no permissions assigned and tries to login, a redirect loop occurs
issue#4079: When checking current timestamps, make audit replace mysql function usage with preferred CURRENT_TIMESTAMP variable
issue#4080: Cacti regular expression searching does not quote expressions
issue#4082: RRDtool version detection not working for RRDproxy setup
issue#4083: RRDCleaner does not support RRDproxy
issue#4086: Large system performance negatively impacted due to $spikekill_templates behavior
issue#4092: On large systems, Primary ID usage on heavily used tables will overflow due to default MySQL variable size
issue#4095: When viewing Plugins page, icons can sometimes be misaligned
issue#4098: Graphs and Data Sources lists can become unresponsive on very large systems
issue#4100: When viewing User Admins, a division by zero error can sometimes be seen
issue#4105: Allow admins to define bulk walk repetition sizes
issue#4109: Realtime graphing can sometimes cause gaps in historic data
issue#4110: Graph Variables are not always parsed correctly leading to errors in log files
issue#4116: Upgrading large trees from 0.8.x to 1.x is slow
issue#4117: Script server throws errors if a command line argument includes a backslash
issue#4119: Implicit flushing is not always enabled, depending on OS, resulting in Script Server result issues
issue#4121: LDAP search filter cannot be configured if too many OUs or filters are nested
issue#4122: Automation causes SQL syntax errors when invalid operations are present
issue#4125: On completing the installation wizard, an internal server error can sometimes be observed
issue#4126: Deleting a damaged graph can sometimes lead to removal of valid graphs too
issue#4127: When updating Trees, graph titles are calculated too often leading to unresponsiveness
issue#4130: On large systems, Graph creation can become unresponsive due to large number of data sources
issue#4131: A design flaw makes importing new Graph Template slow on large systems
issue#4134: MIB Caching does not always work as expected by Kveri
issue#4135: On large Cacti installs, editing Data Templates is slow
issue#4136: When repairing database at command line, no option exists to skip table checks and force Data Source repair
issue#4141: Unusually long comments do not wrap when viewing graphs, and haven't in this CHANGELOG entry either
issue#4143: Prevent some false positive scenarios when detecting orphan graphs
issue#4147: Poller items are evaluated too quickly when mixed polling cycles are used
issue#4148: Ensure automatic refresh of cacti log view works consistently
issue#4149: Ensure utilities show correct information when in offline mode
issue#4161: Data source template names should be shown in the respective "suggested values" sections
issue#4162: Allow Persistent Connections to MariaDB/MySQL to be configured
issue#4164: Unable to easily track Cacti login sessions when using database sessions
issue#4166: Auto-select text when focusing auto complete elements
issue#4169: Ensure Log Viewer 'Go' and 'Clear' buttons behave as expected
issue#4170: Enable full name tooltips for Alias/Description columns
issue#4173: Ensure Console menu icons are properly aligned
issue#4174: When using replication, ensure binary logging can be disabled
issue#4175: When syncing Templates, prevent false 'Damaged Graph' notifications from appearing
issue#4177: Simplify Graph/Template authorization searches when not using restricted mode
issue#4179: Correct class usage on Graph Sidebar Icons to be consistent
issue#4180: Remove logoff option when using basic authentication
issue#4181: Ensure realm names are more consistent
issue#4182: Allow Automatic Graph Creation to utilise Data Templates with Overridden Values
issue#4183: Processes can be terminated early due to incorrect timeout calculation
issue#4184: Ensure error logging is consistent when using CMD processor instead of spine
issue#4185: Updating Signal Handling to recommended standards for PHP 7.1+
issue#4186: When editing a Fixed String on Tree Rule it is improperly displayed as "Unknown"
issue#4187: Provide more direct method for navigating to Data Source from Graph
issue#4188: Replacement variable names are difficult to find for Aggregate Graphs and Templates
issue#4189: Allow links from a page to its specific documentation
issue#4190: Augmenting roles can incorrectly link to roles instead of realms in rare cases
issue#4192: Devices search can return a black screen if device name contains the hash/pound # character
issue#4193: Allow command line reindex to work with disabled devices
issue#4195: When search text includes # character, filtering does not always work as expected
issue#4197: When attempting to do a rollback on versions, the installer will not restart
issue#4199: Allow Cacti administrator to define a min refresh interval to prevent graph gaps
issue#4205: When removing Data-query Associated Graph Templates, it deletes the graphs Templates from bottom to top
issue#4206: When a report was delayed, the report's time is incorrectly changed
issue#4215: Poller recovery starts multiple processes and fails to recover properly
issue#4223: Parallel boost restart due to timeout can result in errors.
issue#4227: When remote poller is in offline mode, data is written to more tables than necessary
issue#4228: Under specific circumstances, redirection issues can occur after login
issue#4229: When no snmp option is set, automation can incorrectly report a number of issues
issue#4232: Database TLS configuration requires client certificates as well
issue#4233: Potential typos and incomplete parameter lists for database connection variables
issue#4241: Tree sort mechanism does not take sites into account
feature: Add Theme 'Midwinter'
feature: Update phpseclib to version 2.0.30
feature#645: Modify automation to test for data before creating graphs
feature#3513: Add hooks for plugins to show customize graph source and customize template url
feature#3572: Missing prompts during automation's device creation leads to blank data
feature#4012: Allow CSRF security key to be refreshed at command line
feature#4013: Allow remote pollers statistics to be cleared
feature#4113: Allow user to be automatically logged out after admin defined period by datatecuk
feature#4176: When replicating, ensure Cacti can detect and verify replica servers
feature#4210: Replace c3.js with billboard.js
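
The two bug classes this release fixes are described only in one line each: security#4022 as SQL injection caused by validating a request value only after it had already been used in a query, and security#4019/#4035 as XSS arising from how HTML form fields are handled. The following is an added illustration written for this notice, not code from Cacti or from the changelog; the `host` and `user_auth` tables, their columns and the `host_id` parameter are assumptions chosen for the example, and sqlite3 stands in for MySQL. It shows the "validate after use" ordering beside the corrected ordering with a bound parameter, and attribute-context escaping when a submitted field is reflected back into a form.

```python
import html
import re
import sqlite3


def make_db():
    """Build a constructed in-memory stand-in for a monitoring database.
    Table and column names are assumptions for this example, not Cacti's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE host (id INTEGER PRIMARY KEY, description TEXT, hostname TEXT)")
    conn.executemany(
        "INSERT INTO host VALUES (?, ?, ?)",
        [(1, "core-router", "10.0.0.1"), (2, "edge-switch", "10.0.0.2")],
    )
    conn.execute("CREATE TABLE user_auth (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO user_auth VALUES (1, 'admin', 'hashed-secret')")
    return conn


def is_valid_id(value):
    """A record id is acceptable only as a string of ASCII decimal digits.
    (str.isdigit() would also accept non-ASCII digits that int() then rejects.)"""
    return re.fullmatch(r"[0-9]+", value) is not None


def lookup_vulnerable(conn, host_id):
    """Validate-after-use ordering: the raw request value reaches the SQL engine
    before the check that would have rejected it ever runs."""
    sql = "SELECT description FROM host WHERE id = " + host_id  # concatenation: the injection point
    rows = [r[0] for r in conn.execute(sql).fetchall()]
    if not is_valid_id(host_id):
        # Too late: the attacker's SQL has already executed and its rows are in hand.
        return rows, "invalid id (rejected after query)"
    return rows, "ok"


def lookup_hardened(conn, host_id):
    """Validate first, then bind the value as a parameter so it can only ever be data."""
    if not is_valid_id(host_id):
        return [], "invalid id"
    rows = conn.execute("SELECT description FROM host WHERE id = ?", (int(host_id),)).fetchall()
    return [r[0] for r in rows], "ok"


def render_field(name, value):
    """Reflect a submitted form field back into an <input>. Both values land inside
    double-quoted attributes, so quote=True is required: escaping only < and >
    would still let a value close the attribute and start its own."""
    return '<input type="text" name="{}" value="{}">'.format(
        html.escape(name, quote=True), html.escape(value, quote=True)
    )


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker input: a UNION that pulls credentials through the host lookup.
    payload = "1 UNION SELECT username || ':' || password FROM user_auth"
    print(lookup_vulnerable(db, payload))  # credential row is returned despite the later rejection
    print(lookup_hardened(db, payload))    # ([], 'invalid id')
    print(lookup_hardened(db, "2"))        # (['edge-switch'], 'ok')
    print(render_field("hostname", '"><script>alert(1)</script>'))
```

The point of the vulnerable function is that the existence of a validation routine is not a defence if any query can run before it; the audit question for a fix like security#4022 is therefore "is the value bound or validated before its first use", not "is it validated somewhere". The hardened lookup does both, because validation protects the semantic contract (an id is digits) while the bound parameter removes the injection channel regardless of what the check allows.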

Software description

Cacti is a network traffic monitoring and graphing tool built on PHP, MySQL, SNMP and RRDTool.

CVE IDs

CVE-2020-35701 (security#4022 in the update details above: SQL injection due to incorrect validation order)

TSRC analysis

None yet

Industry news

None yet
