Debian Security Advisory DSA 2739-1 (cacti - several vulnerabilities)

Summary
Two security issues (SQL injection and command-line injection via SNMP settings) were found in Cacti, a web interface for graphing monitoring systems.
Solution
For the oldstable distribution (squeeze), these problems have been fixed in version 0.8.7g-1+squeeze2. For the stable distribution (wheezy), these problems have been fixed in version 0.8.8a+dfsg-5+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 0.8.8b+dfsg-2. We recommend that you upgrade your cacti packages.
Insight
Cacti is a complete frontend to rrdtool; it stores all of the information needed to create graphs in a MySQL database and populates the graphs with data. The frontend is entirely PHP driven. In addition to maintaining Graphs, Data Sources, and Round Robin Archives in the database, Cacti also handles the data gathering itself. SNMP support is provided for those used to creating traffic graphs with MRTG.
Affected
cacti on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References