From: Tony R. <tr...@ca...> - 2014-11-23 23:54:07
Release of Cacti 0.8.8c
We the Cacti Group are proud to release the following:
Cacti 0.8.8c
Spine 0.8.8c
Important Security Fixes
* CVE-2013-5588 - XSS issue via installer or device editing
* CVE-2013-5589 - SQL injection vulnerability in device editing
* CVE-2014-2326 - XSS issue via CDEF editing
* CVE-2014-2327 - Cross-site request forgery (CSRF) vulnerability
* CVE-2014-2328 - Remote Command Execution Vulnerability in graph export
* CVE-2014-4002 - XSS issues in multiple files
* CVE-2014-5025 - XSS issue via data source editing
* CVE-2014-5026 - XSS issues in multiple files
Important Updates
* New graph tree view
* Updated graph list and graph preview
* Refactor graph tree view to remove GPL incompatible code
* Updated command line database upgrade utility
* Graph zooming now from everywhere
Change Log
bug#0002228: GPL incompatible files included in Cacti project in include/treeview
bug#0002383: Sanitize the step and id variables CVE-2013-5588, CVE-2013-5589
bug#0002385: Cannot export host templates while including dependencies
bug#0002386: cli/upgrade_database.php is missing the last two releases
bug#0002390: Poller/script issue with slash and backslash
bug#0002405: SQL injection in graph_xport.php
bug#0002431: CVE-2014-2326 Unspecified HTML Injection Vulnerability
bug#0002432: CVE-2014-2327 Cross Site Request Forgery Vulnerability - Special Thanks to Deutsche Telekom CERT
bug#0002433: CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
bug#0002434: Suppress SNMP UNITS Suffix from cacti_snmp_get() output
bug#0002438: Down Host Detection issue when using SNMP Desc or SNMP getNext
bug#0002446: Subtract plugin processing time from Poller sleep time
bug#0002453: CVE-2014-4002 Cross-Site Scripting Vulnerability - Special Thanks to G. Geshev (munmap)
bug#0002455: Incomplete and incorrect input parsing leads to remote code execution and SQL injection attack scenarios
bug#0002456: CVE-2014-5025 / CVE-2014-5026 - Cross-Site Scripting Vulnerability - Special Thanks to Adan Alvarez and Paul Gevers
bug: Fix COMMENT handling, even in case COMMENT is empty, with or without HR and with variable substitution
bug: Fix issues when SNMP data holds a "="; "explode" must be treated accordingly
bug: Fix filter highlighting on data sources for the data template field
bug: correct description of SNMP V3 parameters
feature: Added native jquery, jqueryui, and jstree
feature: Fixed issues with 'Clear' under preview not working
feature: Added new Tree navigation
feature: Added Columns and Thumbnails to Preview
feature: Added Columns to Tree (Preview only)
feature: Both Graphs and Columns default to 'Default'
feature: Resolved Left hand navigation taking entire page
feature: Added new graph zoom to tree view and preview offering a "quick" (default) and an "advanced" mode
Reporting Bugs
http://www.cacti.net/bugs.php
Download Cacti
http://www.cacti.net/download_cacti.php
Download Spine
http://www.cacti.net/spine_download.php
Thanks!
The Cacti Group