cacti (0.8.8b+dfsg-8) unstable; urgency=high

  * CVE-2014-5261 Insufficient input sanitation leads to shell command
    injection possibilities
  * CVE-2014-5262 Incomplete and incorrect input parsing leads to SQL
    injection attack scenarios
  * Fix for CVE-2014-5043 was incomplete, improve patch
  * Change CVE-2014-4002 patch to include upstream updated commits

 -- Paul Gevers  Mon, 18 Aug 2014 19:57:43 +0200

cacti (0.8.8b+dfsg-7) unstable; urgency=medium

  * Fix regression caused by fixing CVE-2014-4002 at least plugin autom8 was
    unusable (Closes: #755032)
  * Security update
    - CVE-2014-5025 Cross Site Scripting Vulnerability
    - CVE-2014-5026 Cross Site Scripting Vulnerability
    - CVE-2014-5043 Cross Site Scripting Vulnerability

 -- Paul Gevers  Thu, 24 Jul 2014 21:56:48 +0200

cacti (0.8.8b+dfsg-6) unstable; urgency=high

  * Add alternative php5-mysql | php5-mysqlnd (Closes: #744067)
  * Security update (Closes: #742768, #752573)
    - CVE-2014-2327 Cross Site Request Forgery Vulnerability
    - CVE-2014-4002 Cross-Site Scripting Vulnerability

 -- Paul Gevers  Wed, 25 Jun 2014 22:33:53 +0200

cacti (0.8.8b+dfsg-5) unstable; urgency=high

  * Fix postinst for lighttpd setups which fail on update due to
    lighty-enable-mod exiting with non-zero if config is already loaded
    (Closes: 743727)

 -- Paul Gevers  Sun, 06 Apr 2014 19:59:12 +0200

cacti (0.8.8b+dfsg-4) unstable; urgency=high

  * Security update (Closes: 743565)
    - CVE-2014-2326 Cross-site scripting (XSS) vulnerability
    - CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
    - CVE-2014-2708 SQL injection
    - CVE-2014-2709 Unspecified Remote Command Execution Vulnerability
  * Bump standards (no changes needed)
  * Fix VCS-Browser field
  * Fix license paragraph of jstree (Thanks lintian)

 -- Paul Gevers  Sat, 05 Apr 2014 13:03:22 +0200

cacti (0.8.8b+dfsg-3) unstable; urgency=low

  * Fix Cross site scripting (upstream bug 2383) CVE-2013-5588
  * Fix SQL injection in host.php (upstream bug 2383) CVE-2013-5589
  * Fix upgrade script in cli directory for latest
    releases
  * Automatically upgrade database during package update (prevents upstream
    bug 2377)
  * The code to enable lighttpd configuration from LP: #1132415 was broken

 -- Paul Gevers  Tue, 27 Aug 2013 20:43:21 +0200

cacti (0.8.8b+dfsg-2) unstable; urgency=low

  * CVE-2013-1435 fix caused a regression in the handling of empty COMMENT
    lines in the rrd legend. Fixed by upstream:
    fix_COMMENT_in_graph_regression_from_CVE-2013-1435.patch
    (Closes: #719156)
  * Update jquery stylesheet to provide the cacti background color

 -- Paul Gevers  Fri, 09 Aug 2013 22:34:26 +0200

cacti (0.8.8b+dfsg-1) unstable; urgency=low

  * New upstream release
    - Fixes SQL or command line injection via snmp settings or graph
      creation or edition that allows privileged users to execute arbitrary
      SQL commands or command line commands. CVE-2013-1434 and CVE-2013-1435
    - poller_cache_rebuild_on_install.patch included
  * Add d/rules get-orig-source target and accompanying script
  * Update japanese translation, thanks victory (Closes: #717203)
  * Update vcs-* fields (thanks lintian)
  * Update standards (no changes needed)
  * Update years and my address in d/copyright
  * Allow any php5 SAPI provider to satisfy cacti dependency, thanks Ondřej
    Surý (php5 maintainer). Thus reverting the solution to bug #654843 as the
    original report was not a bug but a reporter mistake.
    libapache2-mod-fcgid does not provide php5 SAPI.

 -- Paul Gevers  Wed, 07 Aug 2013 20:46:58 +0200

cacti (0.8.8a+dfsg-7) unstable; urgency=low

  * Fix typo in cacti.postrm which prevented proper purging (Closes: #707010)
  * Update use_jquery_for_debian.patch to not load jquery-cookie if it is not
    installed on the system (Closes: #708001)

 -- Paul Gevers  Sat, 18 May 2013 12:14:02 +0200

cacti (0.8.8a+dfsg-6) unstable; urgency=low

  * Improve maintenance scripts
    - Prepare cacti configuration for Apache2.4 according to
      http://wiki.debian.org/Apache/PackagingFor24
    - Improve cacti.config to fix dpkg-reconfigure behavior for httpd's.
    - Restart lighttpd if needed (LP: #1132415)
    - Remove obsolete (Sarge) preinst code
  * Fix the lighttpd config template for absolute path (see LP: #1132415)
  * Lintian triggered improvements:
    - Update watch file for +dfsg in the version
    - Add dependency on mysql-client (next to virtual-mysql-client)
  * Bug fixes:
    - Add patch loadavg_multi_locale_friendly.patch to allow uptime script to
      work independent of the local locale (Closes: #704057)
    - Add patch fix_php_strict_warning_in_ping.patch to fix php 5.4 warnings
      (Closes: #694159)
    - Add patch poller_cache_rebuild_on_install.patch to start filling the
      auto-generated graphs upon installation (Upstream: 2229)
  * Move configuration files away from /usr/share/doc/cacti (policy 12.3)
  * Remove obsolete RM-Upload-Allowed from d/control
  * Revisited README.Debian

 -- Paul Gevers  Sun, 05 May 2013 16:41:13 +0200

cacti (0.8.8a+dfsg-5) unstable; urgency=low

  * Update debian/NEWS.Debian to explain the recommended packages for the
    tree, which seem to be not installed by default upon upgrade, and make
    sure it is actually installed.

 -- Paul Gevers  Thu, 11 Apr 2013 19:57:35 +0200

cacti (0.8.8a+dfsg-4) unstable; urgency=low

  * Improve jquery tree patch to show trees multilevel (Closes: #702690)

 -- Paul Gevers  Mon, 01 Apr 2013 08:03:11 +0200

cacti (0.8.8a+dfsg-3) unstable; urgency=low

  * Fixed typo in recommends libjs-jquery* i.s.o. libjs-query
    (Closes: #700999)

 -- Paul Gevers  Tue, 19 Feb 2013 20:33:20 +0100

cacti (0.8.8a+dfsg-2) unstable; urgency=low

  * Upload to unstable after acknowledge by the RT, see #694850.

 -- Paul Gevers  Tue, 29 Jan 2013 20:41:05 +0100

cacti (0.8.8a+dfsg-1) experimental; urgency=low

  * Removed non-dfsg-free treeview code from the upstream source
    (Closes: #679980)
  * Add jquery.jstree.js and four jstree theme files to the package to
    replace the treeview functionality
  * Update d/copyright to reflect above changes
  * Add patches to use the jstree code
    - replace_treeview_by_jquery.jstree.patch
    - use_jquery_for_debian.patch
  * Add libjs-jquery and libjs-jquery-cookie to recommends as they are needed
    by jstree.
  * Remove the logic to install plugins in /usr/local/share/cacti/plugins as
    the implementation of chdir in php resolves symlinks (Closes: #681558).
    - Update README.Debian and add NEWS.Debian and README.Plugins
    - Update d/cacti.links and d/cacti.install
  * Update my e-mail address to elbrus@debian.org

 -- Paul Gevers  Mon, 10 Dec 2012 22:48:48 +0100

cacti (0.8.8a-3) unstable; urgency=low

  * Update postrm with new debconf answers (Closes: #673764)

 -- Paul Gevers  Mon, 21 May 2012 20:22:18 +0200

cacti (0.8.8a-2) unstable; urgency=low

  * Use ts to timestamp poller errors in cron when available and add
    moreutils to suggests.
  * Add suhosin.memory_limit to cron and poller (Closes: #566609)
  * Add dependency on ${perl:Depends} as the dependency on perl was missing
  * Use a template based on config.php for debian.php creation to include
    non-database options and get rid of 01_config.php.patch by creating link
    to debian.php instead. Update two dependent patches.
  * Add different sub folders to local resource in d/dirs
  * Add cacti.sql_ensure_cron_works.patch to prevent failure of crontab after
    install as the paths to rrdtool and php are not set.
  * Add cacti.sql_drop_tables_to_begin.patch patch to work around bug 665742
    where dbconfig-common does not drop the tables during reconfigure so we
    have to do it on population of the database to prevent errors.
  * Update d/copyright to include proper license info for jscalendar and
    treeview (this last one needs action).
    Also update Cacti's license as it has been GPL-2+ all along.
  * Readded debconf question option for lighttpd lost in commit 98fed9b while
    preventing the need to call for new translations. Use lower-case apache2
    and lighttpd as package names at the same time.
  * Update 08_563955_local_data_id.patch with upstream bug number
  * Improve rra removal on purge (one higher level directory) in postrm

 -- Paul Gevers  Sat, 19 May 2012 07:56:04 +0200

cacti (0.8.8a-1) unstable; urgency=low

  * New upstream release.
    - Now includes plugin architecture (Closes: #406766)
    - Don't use define_syslog_variables() (Closes: #668261)
    - Allow external auth behind proxy (Closes: #660853)
  * Update patches, remove last two now applied upstream
  * Update d/watch to prevent selection of PIA tar ball
  * Repaired old entries in d/changelog where non-ascii characters got mangled
  * Remove d/s/local-options as they are for, well, local options
  * Make link to cacti.sql instead of copying data again
  * Remove unnecessary directories from dirs as they are generated as needed
  * Clean up of debian rules for short-hand dh
    - Moved permission and ownership fixes to override_dh_fixperms
    - Use 644 and 755 instead of 640 and 750 as per policy (except for rra)
    - Remove lib/adodb on clean (instead of build)
    - Use debian/cacti.install to define which files to install where
  * d/post(rm|inst) now also (un)registers with ufcr and clean-up of long
    obsolete /etc/cacti/default-poller
  * Append error output of poller to poller-error.log i.s.o overwriting
    (Closes: #669339) and make sure the ownership/permissions are right
  * Update README.Debian with info about plugin architecture

 -- Paul Gevers  Tue, 01 May 2012 09:57:18 +0200

cacti (0.8.7i-3) unstable; urgency=low

  [ Mahyuddin Susanto ]
  * debian/patches/01_config.php.patch: refreshed to fix error on upgrade
    because /etc/cacti/debian.php has been rewritten during installation.
    (Closes: #654352), Thanks to Michael Reincke.
  * debian/control: Move apache to recommends to allow other web-server to be
    installed. (Closes: #654843)
  * debian/cacti.templates: Updated debconf template and package description,
    suggested by debian-l10n-english. (Closes: #653897)
  * Update debconf translations:
    - Spanish by Javier Fernández-Sanguino Peña (Closes: #656405)
    - French by Christian Perrier (Closes: #657280)
    - Polish by Michał Kułach. (Closes: #657294)
    - Danish by Joe Hansen. (Closes: #657339)
    - Dutch by Jeroen Schot. (Closes: #657468)
    - Swedish by Martin Bagge. (Closes: #657546)
    - Indonesian by Mahyuddin Susanto. (Closes: #657609)
    - Russian by Yuri Kozlov. (Closes: #657705)

  [ Sean Finney ]
  * Remove lighttpd.conf at postrm purge time
  * Add Paul Gevers to Uploaders field

  [ Paul Gevers ]
  * More updated debconf translations, thanks to Christian Perrier.
    - German (Chris Leick). (Closes: #658396)
    - Czech (Miroslav Kure). (Closes: #658752)
    - Portuguese (Rui Branco). (Closes: #659167)
    - Italian (Beatrice Torracca). (Closes: #659401)
    - Basque (Iñaki Larrañaga Murgoitio). (Closes: #660641)
  * Bump Standard-Version to 3.9.3 (no changes).
  * session_unregister was removed in php 5.4, add patch
    11_remove_deprecated_session_unregister (Closes: #665280)
  * Update d/rules to fix changed output from /usr/bin/file for PHP
    executable files (Closes: #665243)

 -- Paul Gevers  Thu, 29 Mar 2012 20:55:17 +0200

cacti (0.8.7i-2) unstable; urgency=low

  * Cherry-pick upstream patches
    - debian/patches/10_settings_checkbox.patch
  * debian/patches/05_no-adodb.patch: Updates, add semicolon at line 190.
    (Closes: #653863)
  * Updated last changelog to mention security bug.

 -- Mahyuddin Susanto  Mon, 02 Jan 2012 14:11:15 +0700

cacti (0.8.7i-1) unstable; urgency=low

  * New upstream release. (Closes: #642971)
    - Fix Ping query. (Closes: #616320, #561488)
    - Fix SQL injection issue in auth_login.php (Closes: #652371) this is
      CVE-2011-4824
  * debian/control:
    - Bump Standard-Version to 3.9.2, no source changes.
    - Change Maintainer to pkg-cacti.
      (Closes: #613857)
    - Add Sean and myself as uploaders.
    - Change Vcs-* to pkg-cacti.
  * debian/copyright: Rewriting as per dep5 format.
  * debian/source: Added to mentioning quilt patch system.
  * debian/README.source: Deleted, not needed anymore
  * debian/patches/09_use-utf8.patch: Use UTF-8 while creating database and
    producing RRD, Thanks to Slavko. (Closes: #604395)
  * Refreshed patches:
    - debian/patches/01_config.php.patch
    - debian/patches/05_no-adodb.patch
    - debian/patches/06_config_settings.php_cactid_path.patch
    - debian/patches/07_cli-include-path.patch (Closes: #604396)
    - debian/patches/08_563955_local_data_id.patch (Closes: #563955)
  * Drop patches applied upstream:
    - 606062_ping.pl.patch
    - data_source_deactivate.patch
    - graph_list_view.patch
    - html_output.patch
    - ldap_group_authenication.patch
    - ping.patch
    - poller_interval.patch
    - script_server_command_line_parse.patch
  * Add Lighttpd support:
    - debian/docs: updated
    - debian/cacti.lighttpd.conf: added
    - debian/cacti.{postinst|postrm|templates}: updated

 -- Mahyuddin Susanto  Fri, 30 Dec 2011 16:47:42 +0700

cacti (0.8.7g-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * Fix pending l10n issues. Debconf translations:
    - French (Christian Perrier). Closes: #614903
    - German (Chris Leick). Closes: #619663
    - Russian (Yuri Kozlov). Closes: #623795
    - Indonesian (Mahyuddin Susanto). Closes: #623886
    - Japanese (Hideki Yamane). Closes: #624821
    - Danish (Joe Hansen). Closes: #625482
    - Dutch; (Luk Claes). Closes: #625529
    - Spanish; (Francisco Javier Cuadrado). Closes: #627032
    - Swedish (Martin Bagge / brother). Closes: #628928
    - Czech (Miroslav Kure). Closes: #631596
    - Basque (Ander Goñi). Closes: #631900
    - Portuguese (Rui Branco). Closes: #631982

 -- Christian Perrier  Wed, 29 Jun 2011 06:57:56 +0200

cacti (0.8.7g-2) unstable; urgency=low

  * import 2 new "official" upstream patches
  * Cherry-pick upstream fix for ping output parsing (Closes: #606062).
  * Lintian:
    - Update Standards-Version to 3.9.1 (no changes necessary)
    - Bump versioned Build-Dep on debhelper to >= 5
    - Update config and postrm maintainer scripts to run with set -e
    - Remove un-needed chmodding of php files in debian/rules
    - Ensure the non-php files in the scripts dir are executable
    - Update debconf template description to remove question from text.
    - Selectively fix executable permissions on some files in the cli dir
    - Include a README.source mentioning quilt
  * Update debconf choices and default value for webserver configuration
  * Update all debian/po files after changing debconf template

 -- Sean Finney  Sun, 20 Feb 2011 15:33:58 +0100

cacti (0.8.7g-1) unstable; urgency=low

  * New upstream release (Closes: #592465).
  * Update context in 05_no-adodb.patch to remove fuzz.
  * Remove "official" patches from previous release.
  * Remove 563955_undefined_index_local_data_id.patch, incorporated upstream.
  * Remove CVE-2010-2092.patch, incorporated upstream.
  * Import new batch of "official" upstream patches.
  * Update apache configuration to work in FastCGI deployments
    (Closes: #593203).
    - thanks to Thijs Kinkhorst (Closes: #578909).

 -- Sean Finney  Tue, 17 Aug 2010 22:22:02 +0200

cacti (0.8.7e-4) unstable; urgency=high

  * Forward-port fix for CVE-2010-2092 from stable package (Closes: #582691)

 -- Sean Finney  Fri, 11 Jun 2010 21:08:02 +0000

cacti (0.8.7e-3) unstable; urgency=high

  * Import upstream fix for SQL injection vulnerability (no CVE assigned yet)
    - thanks to Thijs Kinkhorst (Closes: #578909).

 -- Sean Finney  Sat, 24 Apr 2010 17:54:20 +0200

cacti (0.8.7e-2) unstable; urgency=low

  * Import 2 new "official" patches from upstream
  * Italian debconf translation
    - thanks to Alessandro De Zorzi (Closes: #548447)
  * Fix for "Undefined index: local_data_id in graphs_new.php"
    - new debian patch 563955_undefined_index_local_data_id.patch
    - thanks to Teodor MICU (Closes: #563955)
  * Fix for "must not RE-add /etc/apache2/conf.d/cacti.conf link on upgrade"
    - thanks to Patrick Schoenfeld (Closes: #561477)
  * Bump debhelper compatibility level to 5

 -- Sean Finney  Sun, 24 Jan 2010 21:39:46 +0100

cacti (0.8.7e-1) unstable; urgency=low

  * New upstream release (Closes: #541490).

  [ Sean Finney ]
  * fix path to global.php in cli scripts (Closes: #525024).
    - thanks to Jean-François Masure
  * add a watch file to track upstream updates (Closes: #527066).
    - thanks to Laurent Bigonville
  * downgrade Depends on logrotate to a Recommends (Closes: #526997).
    - thanks to Russ Allbery
  * updates to (eu,ru,ja) debconf translations
    - eu: Piarres Beobide (Closes: #535636).
    - ru: Yuri Kozlov (Closes: #535820).
    - ja: Hideki Yamane (Debian-JP) (Closes: #546229).

  [ Sander Klein ]
  * Change location of docs/text to docs/txt
  * Removed 'Official' patches for 0.8.7d since they are not needed anymore
  * Import 'Official' patches for 0.8.7e
  * Make cli-include-path.patch apply
  * use ':' with chown instead of deprecated '.'
  * suggested spelling/grammar changes from lintian for ./debian/control

 -- Sean Finney  Mon, 14 Sep 2009 23:42:32 +0200

cacti (0.8.7d-1) unstable; urgency=low

  * Imported Upstream version 0.8.7d
  * update/massage/remove patches for new upstream release
  * import new "official" patches for 0.8.7d
  * remove obsolete dependencies on php4 packages (Closes: #514342)
  * update default apache config php options (Closes: #459594)
  * add Homepage field to control file (Closes: #494811)
  * add Suggests: php5-ldap for ldap authentication (Closes: #496854)
    - thanks to Paul Nijjar
  * call ucf with --debconf-ok in postinst
  * copy cli directory to /usr/share/cacti (Closes: #483556)
  * add gbp.conf for git-buildpackage and friends

 -- Sean Finney  Sun, 29 Mar 2009 17:51:10 +0200

cacti (0.8.7b-2) unstable; urgency=low

  * ack previous NMU, thanks Andreas.
  * cacti packaging now in public git repository, updated Vcs-foo headers in
    debian/control appropriately.
  * update Standards-Version to 3.7.3.
  * New upstream "official" patch: official_invalid-upgrade-path.patch
  * New upstream "official" patch: official_snmp_auth_none_notice.patch

 -- Sean Finney  Sat, 22 Mar 2008 23:58:08 +0100

cacti (0.8.7b-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Move ucf call in cacti.postinst above db_stop to fix freeze during
    installation. (Closes: #470066)

 -- Andreas Henriksson  Mon, 17 Mar 2008 12:52:17 +0100

cacti (0.8.7b-1) unstable; urgency=high

  * New upstream release. Fixes multiple security vulnerabilities (no CVE
    references yet). Closes: #465567. Thanks to Alessandro Ogier for the
    suggestion about the overzealous PHP_SELF checking.

 -- Sean Finney  Wed, 13 Feb 2008 23:30:31 +0100

cacti (0.8.7a-2) unstable; urgency=high

  * Update errors in copyright information (closes: #457366).

 -- Sean Finney  Sun, 30 Dec 2007 22:56:17 +0100

cacti (0.8.7a-1) unstable; urgency=high

  * New upstream release, including fixes for bugs and security issues.
    Includes fix for CVE-2007-6035 (sql injection vulnerability)
    Closes: #452085.

 -- Sean Finney  Tue, 20 Nov 2007 18:20:13 +0100

cacti (0.8.7-1) unstable; urgency=low

  * New upstream release.
  * updated 06_config_settings.php_cactid_path.patch with an extra fix for
    the cacti logfile path.

 -- sean finney  Wed, 24 Oct 2007 20:15:19 +0200

cacti (0.8.7~beta4-1~pre) experimental; urgency=low

  * New upstream (beta) release
  * Removed "official" patches incorporated into upstream version:
    - 07_official_graph_debug_lockup_fix.patch
    - 07_official_ping_php_version4_snmpgetnext.patch
    - 07_official_thumbnail_graphs_not_working.patch
    - 07_official_tree_console_missing_hosts.patch
  * updated 06_config_settings.php_cactid_path.patch to use FHS compatible
    locations as default values, removing the need for shipping
    compatibility symlinks (closes: #366662).
  * updated list of upstream docs and changelog location.
  * Package now uses quilt instead of dpatch for add-on patch management.

 -- sean finney  Tue, 09 Oct 2007 19:39:49 +0200

cacti (0.8.6j-1) unstable; urgency=low

  * New upstream release. Any further etch-targeted changes will be handled
    in a separate branch.
  * The following patches are now obsolete:
    - 07_official_poller_output_remainder.dpatch
    - 07_official_import_template_argument_space_removal.dpatch
    - 07_official_dec06-vulnerability-scripts-0.8.6i.dpatch
    - 07_official_dec06-vulnerability-poller-0.8.6i.dpatch
    - 08_svn_timespan_breakage_fix.dpatch
  * The following new "official" patches are added:
    - 07_official_graph_debug_lockup_fix.dpatch
    - 07_official_ping_php_version4_snmpgetnext.dpatch
    - 07_official_thumbnail_graphs_not_working.dpatch
    - 07_official_tree_console_missing_hosts.dpatch

 -- sean finney  Tue, 06 Mar 2007 19:00:03 +0100

cacti (0.8.6i-4) unstable; urgency=medium

  * don't unconditionally source the dbconfig-common helper script in the
    cacti config script, which would at least require a pre-depends, but
    ultimately isn't necessary (closes: #408550).

 -- sean finney  Fri, 26 Jan 2007 23:25:11 +0100

cacti (0.8.6i-3) unstable; urgency=high

  * include the list of official patches from upstream which (among other
    things) resolves multiple vulnerabilities in the poller and default
    scripts (Closes: 404818). thanks to Alex de Oliveira Silva for reporting
    this, and Neil McGovern for a bit of consultation.
  * security references:
    - SA23528, CVE-2006-6799
  * also include one extra changeset from svn which fixes a regression
    introduced in the security patch.
  * new patches:
    - 07_official_dec06-vulnerability-scripts-0.8.6i.dpatch
    - 07_official_dec06-vulnerability-poller-0.8.6i.dpatch
    - 07_official_poller_output_remainder.dpatch
    - 07_official_import_template_argument_space_removal.dpatch
    - 08_svn_timespan_breakage_fix.dpatch

 -- sean finney  Mon, 15 Jan 2007 15:36:25 +0100

cacti (0.8.6i-2) unstable; urgency=low

  * let cacti know where the cactid binary is, since it doesn't seem to have
    a reasonable default any longer.

 -- sean finney  Mon, 30 Oct 2006 23:18:55 +0100

cacti (0.8.6i-1) unstable; urgency=low

  * new upstream release
  * no longer need the following patches:
    - 06_official-fix_search_session_clear_issue.dpatch
    - 07_official-fix_sql_syntax_related_to_default_rra_id.dpatch
    - 08_official-mysql_5x_strict.dpatch
    - 09_official-nth_percentile_empty_return_set_issue.dpatch
    - 10_official-database_autoincrement_corruption.patch.dpatch

 -- sean finney  Sat, 28 Oct 2006 15:05:46 +0200

cacti (0.8.6h-6) unstable; urgency=low

  * fix up debian/rules targets to comply with policy (closes: #395584).
  * change build-depends-indep to build-depends for targets needed in the
    clean rule.
  * update standards-version to 3.7.2

 -- sean finney  Fri, 22 Sep 2006 21:39:12 +0200

cacti (0.8.6h-5) unstable; urgency=low

  * fix for braindead bug in postrm script introduced by yours truly. fixed a
    bashism in there while i was at it (closes: #387540). thanks to Olivier
    Berger for finding this.
  * fix for non-essential dependencies (dbconfig-common) in the config script
    (closes: #388214).
  * updated portuguese brazilian templates, thanks to Andre Luis Lopes for
    providing them (closes: #374020).

 -- sean finney  Fri, 22 Sep 2006 21:04:19 +0200

cacti (0.8.6h-4) unstable; urgency=low

  * updated dependencies to allow any httpd-providing daemon to satisfy the
    requirements for cacti. that doesn't necessarily mean any httpd will
    work, but i've heard from at least one report that others do, and i'd
    like to make it easier for others to test. closes: #373886.
  * updated postrm to handle cases where it's being purged without its
    dependencies present.

 -- sean finney  Tue, 29 Aug 2006 09:35:34 +0200

cacti (0.8.6h-3) unstable; urgency=low

  * official patch from upstream to fix database corruption and display some
    users were having as a result of the differing version of adodb in debian
    vs. the bundled version in cacti. thanks to the upstream authors for
    their help addressing the issue, and to Rene Cunningham for testing out
    the initial version of the patch. (closes: #364391, #351342)
  * added note to README.Debian about potential unmet dependencies in mixed
    php4/php5 environments (thanks to Uwe Storbeck), and also about checking
    the cli configuration for the required modules (thanks to Troy Poppe),
    and also about potential problems with the cli poller and safe_mode
    (thanks to Birger Brunswiek) (closes: #359964).
  * update package description to mention that it's likely that mysql-server
    should also be installed unless cacti is to be configured against a
    remote database system (closes: #349754).
  * added a note to README.Debian about the initial user/pass, at the
    suggestion of Jonas Genannt, thanks. (closes: #352724).
  * changed package dependencies to list apache2 as the first of the series
    of apache-providing packages, and likewise reordered the php/apache
    modules (closes: #356843).
  * updated version of 08_official-mysql_5x_strict.dpatch which fixes the
    breakage in ldap authentication reported by Matt Clauson, thanks.
    (closes: #354663)

 -- sean finney  Tue, 25 Apr 2006 19:30:50 +0200

cacti (0.8.6h-2) unstable; urgency=low

  * incorporated the following official upstream patches:
    - 06_official-fix_search_session_clear_issue.dpatch
    - 07_official-fix_sql_syntax_related_to_default_rra_id.dpatch
    - 08_official-mysql_5x_strict.dpatch
    - 09_official-nth_percentile_empty_return_set_issue.dpatch
  * updated german debconf translation, thanks to Mathias Klein
    (closes: #345786).
  * typographical corrections to package description, thanks to Jens Siedel
    (closes: #346007).

 -- sean finney  Mon, 16 Jan 2006 16:02:44 +0100

cacti (0.8.6h-1) unstable; urgency=low

  * new upstream release.
  * upstream now officially supports mysql-5.0 (closes: #336531).
  * updated README.Debian with some information about zombie mysql processes
    that some users have been experiencing when viewing graphs
    (closes: #344519).
  * updated 01_config.php.dpatch and 05_no-adodb.dpatch to apply to new
    upstream version.
  * removed "official" patches which are now incorporated into the new
    upstream release:
    - 06_official-short_open_tag_parse_error.dpatch
    - 07_official-graph_properties_zoom.dpatch
    - 08_official-script_server_snmp_auth.dpatch
    - 09_official-mib_file_loading.dpatch
  * added a db_stop to the postinst to help prevent hangs when restarting
    apache2.

 -- sean finney  Fri, 06 Jan 2006 08:24:29 +0100

cacti (0.8.6g-3) unstable; urgency=low

  * cacti now uses dbconfig-common, and thus once again ships with
    automagical database support.
  * Portuguese translation for cacti's debconf messages by LuíFerreira
    (closes: #336836).
  * new Swedish translations from Daniel Nylander (closes: #338668).

 -- sean finney  Thu, 01 Dec 2005 14:59:40 +0100

cacti (0.8.6g-2) unstable; urgency=low

  * updated dependencies to allow working with the php5 family of packages.
  * new spanish debconf translations from César Gómez Martín and the
    debian-l10n-spanish mailing list (closes: #334384).
  * added a note to README.Debian about possible breakage if rrdtool is
    upgraded without changing cacti settings (closes: #335737).

 -- sean finney  Sat, 29 Oct 2005 12:58:39 +0200

cacti (0.8.6g-1) unstable; urgency=low

  * new upstream release.
  * upstream has re-implemented the limited snmpv3 support that previously
    existed but was later removed (closes: #301165).
  * removed patches that are now incorporated upstream:
    - 03_dos2unix_on_scripts
    - 06_cmd-snmp-data-sanity-fixes
    - 07_snmp_alternate_port
  * added the current list of upstream patches:
    - 06_official-short_open_tag_parse_error
    - 07_official-graph_properties_zoom
    - 08_official-script_server_snmp_auth
    - 09_official-mib_file_loading

 -- sean finney  Sat, 24 Sep 2005 10:10:15 -0400

cacti (0.8.6f-5) unstable; urgency=low

  * fix cacti to explicitly depend on versions of libphp-adodb starting at
    the version which silently changed the path. thanks to Mark Sheppard and
    Javier Fernández-Sanguino Peña for independently pointing this out
    (closes: #322707, #325376).
  * fix cacti to depend on "virtual-mysql-client" virtual package, to allow
    cacti to co-exist with the new mysql-5.0 series of packages. thanks to
    Miah Gregory for pointing this out (closes: #326011).

 -- sean finney  Fri, 02 Sep 2005 05:55:46 -0400

cacti (0.8.6f-4) unstable; urgency=low

  * cacti now properly depends on debconf.

 -- sean finney  Mon, 08 Aug 2005 13:23:24 -0400

cacti (0.8.6f-3) unstable; urgency=low

  * fix to allow xml based check templates to work for hosts running snmp on
    an alternate port. thanks to Justin Hallet for the patch
    (closes: #317689).
  * for posterity, the security fixes included in 0.8.6e-1 addressed the
    following CVE id's:
    - CAN-2005-1524 (idefense remote file inclusion)
    - CAN-2005-1525 (idefense SQL injection)
    - CAN-2005-1526 (idefense remote code execution)
  * updated include path for adodb configuration (closes #320782), thanks to
    loïc lefort for reporting this.

 -- sean finney  Mon, 01 Aug 2005 13:33:05 -0400

cacti (0.8.6f-2) unstable; urgency=high

  * new version of the upstream 'sanity checking' patches introduced in
    0.8.6e-2 (closes: #317253).
  * the updated Czech debconf translation from Martin Sín somehow got mixed
    up with the debconf translation for mysql. fixed. (closes: #317137).
  * for posterity, the security updates included in the previous update have
    the following CAN numbers assigned to them:
    - CAN-2005-2148 (hardened-php advisories 032005 and 042005)
    - CAN-2005-2149 (hardened-php advisory 052005)
  * even though it's been like 5 days, and the previous version's urgency was
    set to high, it has not entered testing, so urgency will remain at this
    level.

 -- sean finney  Thu, 07 Jul 2005 08:05:17 -0400

cacti (0.8.6f-1) unstable; urgency=high

  * new upstream release.
  * this new version addresses the following security issues reported by the
    php-hardened project:
    - 032005: Cacti Multiple SQL Injection Vulnerabilities
    - 042005: Cacti Remote Command Execution Vulnerability
    - 052005: Cacti Authentication/Addslashes Bypass Vulnerability

 -- sean finney  Sat, 02 Jul 2005 01:11:18 -0400

cacti (0.8.6e-2) UNRELEASED; urgency=high

  * updated standards version to 3.6.2
  * patch for sanity checking of some of the cached database information,
    which sometimes causes cmd.php based poller checks to hang and eventually
    fail.

 -- sean finney  Tue, 28 Jun 2005 00:54:57 -0400

cacti (0.8.6e-1) unstable; urgency=high

  * new upstream release.
  * this release contains fixes for the arbitrary sql injection and input
    validation vulnerabilities discovered in 0.8.6d.
  * new Vietnamese debian translations from Clytie Siddall (closes: #313190).
  * removed obsolete (and poorly written) debconf templates. thanks to Clytie
    Siddall for pointing these out (closes: #313191).
  * updated Czech debconf translation from Martin Sín (closes: #314620).
  * lintian fixes:
    - include debhelper macro in preinst
    - changelog converted to UTF-8 format.
    - overrides file introduced, to ignore permissions on rra dir.

 -- sean finney  Mon, 20 Jun 2005 22:30:05 -0400

cacti (0.8.6d-1) unstable; urgency=low

  * new upstream release.
  * removed "official patches" patch, as they are now included in this
    version.
  * the adodb code is now removed from the build tree instead of being
    patched out of the source, which makes things a bit cleaner in the long
    run.
  * document how to login after installation. thanks to Jari Aalto for
    mentioning this omission (closes: #309619).
  * initial czech translation for cacti, thanks to Martin Sin
    (closes: #311095).
  * have the cronjob output stderr to a logfile instead of stdout. thanks to
    Daniel van Eeden for helping find the best solution to this
    (closes: #309425).

 -- sean finney  Sat, 28 May 2005 19:42:30 -0400

cacti (0.8.6c-8) unstable; urgency=low

  * import of upstream patches was b0rken. should be fixed up in this
    release.
  * removed the adodb code, as we're already depending on libphp-adodb, and
    should have been using that instead this whole time. i also updated the
    include statement in config.php to include adodb from its new location.
  * only change ownership/permissions of debian.php the first time it is
    created (which should prevent local ownership/permission changes later on
    from being silently overwritten)
  * don't mask errors when you can't include debian.php
  * don't throw away stderr from cacti's cron.d file, and change MAILTO to
    send mail to root (otherwise it'd go to www-data). thanks for this and
    the preceding two fixes go to Mark Sheppard (closes: #309194).

 -- sean finney  Wed, 11 May 2005 17:54:51 -0400

cacti (0.8.6c-7) unstable; urgency=low

  * brought in the rest of the patches from the upstream authors. this should
    fix the problem with graphing negative numbers, as reported by Kelly
    Brown (closes: #305561).
  * updated dependency on php4-mysql to be versioned, to make dependencies
    work better for woody users. thanks to Vittorio R Tracy for mentioning
    this (closes: #302563).

 -- sean finney  Wed, 06 Apr 2005 20:03:27 -0400

cacti (0.8.6c-6) unstable; urgency=low

  * updated french debconf translations, thanks for this to Christian Perrier
    (closes: #299895).
  * updated portuguese brazilian templates, thanks to Tiago Bortoletto Vaz
    (closes: #301499).
  * include upstream patch to fix tree browsing when authentication is turned
    off. thanks to Hannu Teulahti (closes: #300843).
  * strip ^M's from the scripts, as it can mess up execution according to
    Fred Blaise, thanks (closes: #300845).
  * debian.php is now managed via ucf.
  * generate_config is now always called in the postinst, so calling
    dpkg-reconfigure should regenerate the contents of the config file.
    thanks to Mickael Marchand (closes: #300876).
  * correction in README.Debian, thanks to Miah Gregory and all the other
    people who emailed me about this. (closes: #299834).
  * no longer depend on wwwconfig-common, only support the conf.d style of
    apache configuration. this should as a side effect resolve the bug
    reported by Tiago Bortoletto Vaz (closes: #289156).

 -- sean finney  Tue, 29 Mar 2005 22:00:28 -0500

cacti (0.8.6c-5) unstable; urgency=high

  * oops, let's not rm -rf the old scripts directory in the preinst, instead
    try to remove the directory or fail gracefully if there are still things
    in there. thanks and an apology are due to Gérald GARCIA
    (closes: #300449). this is a grave severity bug, so urgency set to high.
  * README.Debian updated to mention where custom user scripts should go,
    so that they can stay out of my reach :)

 -- sean finney Mon, 21 Mar 2005 06:12:21 -0500

cacti (0.8.6c-4) unstable; urgency=high

  * turns out removing the symlink wasn't as easy, need to do a couple
    extra things in the preinst otherwise dpkg will keep and follow the
    symlink according to debian policy.
  * minor fixes in the templates.

 -- sean finney Sun, 06 Mar 2005 12:21:01 -0500

cacti (0.8.6c-3) unstable; urgency=high

  * José de Paula Eufrásio Júnior found that there's some voodoo with ereg
    that doesn't work in some locales unless mbstring.func_overload is set
    to 0. this prevents cacti from installing, which gave the bug a grave
    severity, thus again the high urgency. sigh. thanks, josé
    (closes: #298102).
  * the script dir can't be a symlink after all, because it breaks php
    scripts. thanks to Bernardo Achirica for finding this out
    (closes: #298032).

 -- sean finney Fri, 04 Mar 2005 23:24:17 -0500

cacti (0.8.6c-2) unstable; urgency=high

  * removed unnecessary poller debconf cruft.
  * otherwise the same as -1, but to unstable and urgency set to high as
    foretold in the previous changelog entry (closes rc bug).

 -- sean finney Thu, 03 Mar 2005 14:21:01 -0500

cacti (0.8.6c-1) experimental; urgency=low

  * new upstream release (closes: #271661).
  * the cacti source package no longer produces cacti-cactid, which is
    provided by a separate upstream tarball.
  * cacti site stuff now in /usr/share/cacti/site, which frees up
    /usr/share for non-site related stuff.
  * automagical install/upgrades of the mysql database are disabled for
    the time being. see README.Debian for the rationale.
  * start to bring in ucf for managing config files.
  * no longer have a need for /etc/cacti/default-poller, as this is now
    handled completely inside the application (closes: #292365).
  * rrd files are now stored in /var/lib/cacti/rra, as they can not be
    reconstituted from scratch.
    this closes an rc bug, so priority on this package will be set to high
    when it goes into unstable, which will be the next upload
    (closes: #297470).
  * documentation provided for what you need to do if you're upgrading
    from a 0.6.x version of cacti. i can't guarantee that it will work,
    but it did for me, and this is probably the best you're going to get
    (closes: #226404).
  * various README.Debian updates.
  * cacti online documentation now made online to symlinking to where it
    already exists in /usr/share/doc.

 -- sean finney Fri, 25 Feb 2005 19:26:57 -0500

cacti (0.8.5a-9) unstable; urgency=low

  * new maintainer has adopted the package (closes: #292770)
  * fixed dependencies against mysql-client, so cacti now depends mysql
    client or mysql-client-4.1 (i'm hesitant to use virtual-mysql-client
    since i think mysql-client < 3.23 might not work). thanks to Robert
    Loomans, Olaf van der Spek, and the mysql maintainer Christian Hammers
    for pointing this out. (closes: #293750, #285002).
  * no longer use delaycompress in the logrotate script, since there's not
    much use to leaving it uncompressed by default and it's a lot of data.
    thanks, Gustavo Franco (closes: #275045).

 -- sean finney Sat, 19 Feb 2005 19:37:54 -0500

cacti (0.8.5a-8) unstable; urgency=high

  * Update pt_BR, nl debconf translations. (Closes: #270277, #270787)

 -- Thorsten Sauter Sat, 11 Sep 2004 00:18:12 +0200

cacti (0.8.5a-7) unstable; urgency=low

  * Update french translation. (Closes: #268801)
  * Checking for short tags in cacti/debian.php and fix them if needed.
    (Closes: #269480)
  * debian/README.Debian: add a new section about php short tags

 -- Thorsten Sauter Thu, 2 Sep 2004 23:27:27 +0200

cacti (0.8.5a-6) unstable; urgency=high

  * Don't know why it was last: change priority from extra to optional
  * debian/README.Debian: spell checking, add docu for php4-cli
  * ship a new script which checks for php4-mysql support and prints an
    error message to the poller logfile.
    With the modification of the readme file I think the bug can be
    closed. (Closes: #267009)

 -- Thorsten Sauter Thu, 26 Aug 2004 22:52:38 +0200

cacti (0.8.5a-5) unstable; urgency=high

  * debian/control: change priority from extra to optional
  * replace Brazilian Portuguese translation. (Closes: #264090)
  * debian/cacti.templates: Add new choice "None" to the webserver
    question. This gives the user a chance to use his own webserver.
    (Closes: #255971)
  * If we search for a local installed mysql-server check for packages
    which are installed or on hold. (Closes: #263262)
  * Fix some errors while removing include line from httpd.conf file.
    Also, print an error message if this doesn't work. New installations
    should use apache/conf.d anyway. (Closes: #253202)
  * SECURITY-UPDATE: Fix SQL Injection in CACTI. (Closes: #267758)
    Original upstream patch:
    http://cvs.raxnet.net/cgi-bin/viewcvs.cgi/cacti/auth_login.php.diff?r1=1.48&r2=1.49
    Full-Disclosure:
    http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0717.html
  * cacti.apache.conf: Change some php4 settings to make cacti more
    robust/secure.
  * /etc/cacti/debian.php: create long php4 tags ' Wed, 23 Jun 2004 08:46:37 +0200

cacti (0.8.5a-4) unstable; urgency=low

  * Change package priority to extra.
  * Change cronjob. The output of the poller job is now appended to the
    logfile
  * Update french debconf translation: fr.po. (Closes: #253585)
  * Add debconf translation: pt_BR.po. Don't know, which language this
    is :-) (Closes: #252021, #252017)
  * Backport cacti cvs fix (#0000176) into debian version. This will fix
    compatibility problem with the output of the df command and long
    device names. (Closes: #254856)

 -- Thorsten Sauter Tue, 22 Jun 2004 23:26:17 +0200

cacti (0.8.5a-3) unstable; urgency=low

  * Fix type in package description. (Closes: #249590)
  * Update dutch debconf translation.
    (Closes: #250652)

 -- Thorsten Sauter Wed, 26 May 2004 11:49:27 +0200

cacti (0.8.5a-2) unstable; urgency=low

  * Fix error in the cron script
    - poll.sh isn't in the default path, we need ./poll.sh here
    - make sure the cacti directory exists, otherwise we will get a lot of
      error messages from cron. (Closes: #246982)
  * Depend also on apache2. Still depend on php4-cgi, we need both
    packages: php4 and php4-cgi. (Closes: #227295)
  * Make the package apache2 "safe". Depend on php4 or
    libapache2-mod-php4
  * Include apache2 howto into debian/README.Debian.
  * Update templates, maintainer scripts to install config files for
    apache2 too. Update german translation
  * cactid: remove upstream installation docu

 -- Thorsten Sauter Mon, 17 May 2004 11:12:05 +0200

cacti (0.8.5a-1) unstable; urgency=low

  * New upstream version.
  * Include new dutch debconf translation: nl.po. (Closes: #245916)
  * Insert new dependency on php4-snmp which removes a lot of extra cpu
    usage. Thanks Rafael D'Halleweyn. (Closes: #228948)
  * Update debconf template and german/french translations. Thanks
    Christian Perrier. (Closes: #225890)
  * Including the new multi-threading poller (cactid). This binary can
    collect multiple datasources at the same time.
    (Closes: #186013, #237055)
    The program is not in the core release and not marked as stable,
    that's why I include it in an extra debian package.
  * The MySQL admin password is now removed from debconf database, if the
    user decides to not store it. (Closes: #224214)
  * The new poll.sh script report the output from the poller into a
    logfile. Maybe not the best solution, but so we don't lose any
    output. (Closes: #234726)
  * The new package contains the install/ directory also. This is useful,
    if we're not upgrading from 0.8.4 but from another version.
    (Closes: #227737)
  * Insert an upgrade path from 0.8.4 and 0.8.5, this is done via sql
    scripts in updscripts/
  * A new poll.sh script is used for cronjobs.
    This script uses either cacti or the new cactid poller (depends on the
    default-poller file).
  * During upgrade the databases are dumped/backuped.
  * Update build system. Change to cdbs system.
  * Update README.Debian file.
  * Update Build-Depends/Depends

 -- Thorsten Sauter Mon, 26 Apr 2004 10:48:58 +0200

cacti (0.8.4-2) unstable; urgency=low

  * Print a warning message, if cacti is upgraded from an old version
  * extend debian/README.Debian with upgrade database instructions

 -- Thorsten Sauter Tue, 30 Dec 2003 13:44:55 +0100

cacti (0.8.4-1) unstable; urgency=low

  * New maintainer. (Closes: #196199)
  * New upstream version. (Closes: #198777)
  * debian/changelog:
    - convert to UTF-8
  * debian/control:
    - update standards version
    - update build dependencies
    - insert new logrotate dependency
    - depend on libphp-adodb, which is also in the archive
    - add apache-perl to apache dependency list. (Closes: #204290)
  * debian/rules: rewrite the way to install the files into the package
  * debian/cacti.cron.d:
    - make the script a little bit more robust. (Closes: #211249)
  * debian/README.Debian:
    - replace most parts of the text.
  * debian/cacti.apache.conf:
    - reformat the file a little bit
    - remove unused phtml extension
  * debian/cacti.logrotate:
    - reformat the file

 -- Thorsten Sauter Tue, 2 Dec 2003 11:24:49 +0100

cacti (0.6.8a-13.1) unstable; urgency=low

  * NMU
  * Rewrote debconf templates to more standard english with the help of
    debian-l10n-english. Former templates have been left for future
    reference Closes: #189401
  * French debconf templates update. Closes: #197119
  * More secure temp file handling in postrm. Thanks lintian.
 -- Christian Perrier Mon, 16 Jun 2003 22:54:11 +0200

cacti (0.6.8a-13) unstable; urgency=low

  * Orphan this package

 -- Igor Genibel Thu, 5 Jun 2003 11:58:50 +0200

cacti (0.6.8a-12) unstable; urgency=low

  * Missed to close bug #183287 (Closes: #183287)

 -- Igor Genibel Wed, 19 Mar 2003 09:32:25 +0100

cacti (0.6.8a-11) unstable; urgency=low

  * remove quote in cron.php in order to be run in safe_mode and
    /var/log/httpd/access_log -> /var/log/apache/access_log in
    scripts/webhits (Closes: #177791)
  * fix non installation when no mysql server is present when localhost
    installation (Closes: #183288, #184324)
  * fix non removal when no mysql server found (in localhost installation)
    (Closes: #183288)
  * fix loop when upgrading and mysql-server != localhost
    (Closes: #179561)
  * use po-debconf

 -- Igor Genibel Mon, 17 Mar 2003 15:00:55 +0100

cacti (0.6.8a-10) unstable; urgency=low

  * Fix various packaging mistakes
    - Mention that mysql is not installed on local systems (complement to
      the #172414)
    - Provide a good cacti.sql (Closes: #166296)
    - config.php is only stored in /etc/cacti (Closes: #172410)
    - Provide some explanations for scripts provided in the package (see
      the README.Debian file) (Closes: #167814)
  * Standards-Version: 3.5.8

 -- Igor Genibel Sun, 5 Jan 2003 21:15:49 +0100

cacti (0.6.8a-9) unstable; urgency=low

  * Fix extra OID in parameter.
    Thanks to Roberto Moreda (Closes: #162873)

 -- Igor Genibel Mon, 30 Sep 2002 16:51:36 +0200

cacti (0.6.8a-8) unstable; urgency=low

  * Fix typo in postinst file (Closes: #162574)

 -- Igor Genibel Fri, 27 Sep 2002 12:20:28 +0200

cacti (0.6.8a-7) unstable; urgency=low

  * fix broken regexp in include/snmp_functions.php
  * force the use of external snmp functions

 -- Igor Genibel Thu, 26 Sep 2002 17:39:03 +0200

cacti (0.6.8a-6) unstable; urgency=low

  * apply a patch provided by Blaine Kahle in order to cleanly use
    net-snmp5

 -- Igor Genibel Thu, 26 Sep 2002 16:50:24 +0200

cacti (0.6.8a-5) unstable; urgency=low

  * re-add lost patch provided by Adam Conrad in order to bypass the
    php4-cgi installation bug (related bugs: #147385, #147261, #129883 and
    #145465) (Closes: #154822)

 -- Igor Genibel Thu, 26 Sep 2002 16:10:05 +0200

cacti (0.6.8a-4) unstable; urgency=low

  * New recommends on iputils-ping (because of the "-w" ping option)
    (Closes: #161278, #161279)
  * New Standards (3.5.7.0)
  * DH_COMPAT 4

 -- Igor Genibel Thu, 26 Sep 2002 12:35:46 +0200

cacti (0.6.8a-3) unstable; urgency=low

  * Fix type in postinst file (Closes: #160694)
  * Add missing ; in include/rrd_functions.php file (Closes: #160703)

 -- Igor Genibel Tue, 17 Sep 2002 17:51:09 +0200

cacti (0.6.8a-2) unstable; urgency=high

  * Security upload: really fix the arbitrary program code execution.

 -- Igor Genibel Tue, 10 Sep 2002 09:57:00 +0200

cacti (0.6.8a-1) unstable; urgency=high

  * Security Upload: prevent executing arbitrary program code under the
    user id of the web server.
 -- Igor Genibel Mon, 9 Sep 2002 14:39:37 +0200

cacti (0.6.8-10) unstable; urgency=high

  * fix the wrong setcookie() call (Closes: #157740)
  * force the use of net-snmp tool instead of using native broken php-snmp
    functions (Closes: #157383,#157381)
  * urgency=high because cacti is not usable with the php-snmp functions

 -- Igor Genibel Thu, 22 Aug 2002 17:20:32 +0200

cacti (0.6.8-9) unstable; urgency=low

  * The «I'm too lame and stupid» version
  * really add the «if exists» statement

 -- Igor Genibel Mon, 19 Aug 2002 16:03:44 +0200

cacti (0.6.8-8) unstable; urgency=low

  * add a «if exists» when dropping the database (for partial
    installation)

 -- Igor Genibel Mon, 19 Aug 2002 15:46:58 +0200

cacti (0.6.8-7) unstable; urgency=low

  * Fix uninstallable package with calling mysql differently
    (Closes: #156951)

 -- Igor Genibel Mon, 19 Aug 2002 14:41:08 +0200

cacti (0.6.8-6) unstable; urgency=low

  * move php-cgi bug workaround from include/database.php to
    include/config.php in order to fix the html export bug
  * put strict dependency on mysql-client (because of SQL query)
    (Closes: #149787)

 -- Igor Genibel Wed, 12 Jun 2002 19:40:29 +0200

cacti (0.6.8-5) unstable; urgency=low

  * ask for password confirmation.
  * Test if provided password for mysql is Ok. (Closes: #148862)
  * add two scripts

 -- Igor Genibel Mon, 3 Jun 2002 14:11:28 +0200

cacti (0.6.8-4) unstable; urgency=low

  * put php_flag short_open_tag On in apache.conf file (Closes: #147283)
  * fix SQL entry for webhits script

 -- Igor Genibel Fri, 17 May 2002 18:45:17 +0200

cacti (0.6.8-3) unstable; urgency=low

  * provide the get_stat_for_interface.pl script (I'm too lame)

 -- Igor Genibel Fri, 17 May 2002 18:36:44 +0200

cacti (0.6.8-2) unstable; urgency=low

  * Suppress and fix wrong SQL inserts.
    (Closes: #147259,#147262) Thanks to Guillaume
  * Applied a patch provided by Adam Conrad in order to bypass php4-cgi
    installation bug

 -- Igor Genibel Fri, 17 May 2002 16:19:14 +0200

cacti (0.6.8-1) unstable; urgency=low

  * New upstream version (Closes: #146799)
  * add new script that fetches information directly from /proc
    (Luc Saillard)
  * patch auth_login.php in order to move php4 dependency from Depends to
    Recommends. Now only php4-cgi package is mandatory. (Luc Saillard)
  * Standards-Version: 3.5.6.0

 -- Igor Genibel Mon, 13 May 2002 16:03:13 +0200

cacti (0.6.7-2) unstable; urgency=low

  * add snmp to dependencies
  * fix logrotate broken file
  * add a note in README.Debian concerning php4-cgi installation

 -- Igor Genibel Fri, 5 Apr 2002 12:59:51 +0200

cacti (0.6.7-1) unstable; urgency=low

  * Initial Release. (Closes: #140461)

 -- Igor Genibel Wed, 3 Apr 2002 15:04:11 +0200