Lucene search

HistoryJul 28, 2020 - 12:00 a.m.

Security update for cacti, cacti-spine (moderate)






An update that fixes four vulnerabilities is now available.


This update for cacti, cacti-spine fixes the following issues:

  • cacti 1.2.13:

    • Query XSS vulnerabilities require vendor package update
      (CVE-2020-11022 / CVE-2020-11023)
    • Lack of escaping on some pages can lead to XSS exposure
    • Update PHPMailer to 6.1.6 (CVE-2020-13625)
    • SQL Injection vulnerability due to input validation failure when
      editing colors (CVE-2020-14295, boo#1173090)
    • Lack of escaping on template import can lead to XSS exposure
  • switch from cron to systemd timers (boo#1115436):

    • cacti-cron.timer
    • cacti-cron.service
  • avoid potential root escalation on systems with fs.protected_hardlinks=0
    (boo#1154087): handle directory permissions in file section instead
    of using chown during post installation

  • rewrote apache configuration to get rid of .htaccess files and
    explicitely disable directory permissions per default (only allow a
    limited, well-known set of directories)

This update was imported from the openSUSE:Leap:15.1:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Backports SLE-15-SP1:

    zypper in -t patch openSUSE-2020-1106=1