Release of Cacti 1.2.23
Thank you to everyone who is using Cacti and especially those helping to make Cacti better!
For additional details check out the README located on GitHub.
IMPORTANT: A security issue was identified that could allow remote attackers to bypass IP restrictions to the remote agent service when proxy headers are defined.
Starting with 1.2.23, it is the administrator's responsibility to define which proxy headers are valid. However, to ensure that access to systems is not lost, until these are explicitly configured, the full list of proxy headers will be allowed and a warning will be displayed in the system logs daily.
If you see this warning, please set the desired headers or false within include/config.php immediately.
In the 1.3.0 (development) version, no headers are configured and must be manually set. If you are using a proxy server, ensure these are configured within include/config.php
For more information, refer to issue security#5119
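Why the header list matters, shown as an added example that is not Cacti's own code: an IP allowlist is only as trustworthy as the rule that decides which address a request "came from". The function name, the $trusted_headers parameter and all addresses below are hypothetical and constructed for illustration; the parameter mirrors the "desired headers or false" choice described above.

```php
<?php
// Added illustration; not Cacti's code. All names here are hypothetical.
// $trusted_headers: false = ignore proxy headers, array = honour only those listed.
function resolve_client_addr(array $server, $trusted_headers): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!is_array($trusted_headers)) {
        return $peer;                       // false (or unset): TCP peer only
    }
    foreach ($trusted_headers as $name) {
        // PHP exposes the header "X-Forwarded-For" as HTTP_X_FORWARDED_FOR.
        $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
        if (empty($server[$key])) {
            continue;
        }
        // Assumes one proxy that appends the address it saw: use the last entry.
        $parts = explode(',', $server[$key]);
        $candidate = trim(end($parts));
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $peer;
}

// Constructed data (documentation address ranges).
$allowlist = ['192.0.2.10'];                       // registered poller
$direct = [                                        // no proxy in the path
    'REMOTE_ADDR'      => '203.0.113.50',
    'HTTP_X_CLIENT_IP' => '192.0.2.10',            // supplied by the sender
];
$proxied = [                                       // arrives through the reverse proxy
    'REMOTE_ADDR'          => '198.51.100.1',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.10',        // written by the proxy
];

$settings = [
    'every header'      => ['X-Forwarded-For', 'X-Client-IP'],
    'proxy header only' => ['X-Forwarded-For'],
    'false'             => false,
];
foreach ($settings as $label => $setting) {
    foreach (['direct' => $direct, 'proxied' => $proxied] as $kind => $req) {
        $addr = resolve_client_addr($req, $setting);
        printf("%-18s %-8s %-14s %s\n", $label, $kind, $addr,
            in_array($addr, $allowlist, true) ? 'allowed' : 'denied');
    }
}
```

Listing only the header your proxy sets is safe only if the proxy overwrites that header on every request and the service cannot be reached without passing through the proxy. If no proxy is in use, false is the setting that ties the allowlist to the real peer address.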
Contribute
Active development of Cacti is located on GitHub! Join us in making Cacti better, submit issues, fork, and pull requests!
Cacti Change Log
- security #4920: Add .htaccess file to scripts folder
- security #5119: CVE-2022-46169 Unauthenticated Command Injection in Remote Agent
- issue #4418: When using Single Sign-on Frameworks, revocation is not always detected in callbacks
- issue #4682: New templates are not installed during the update
- issue #4738: Improve PHP 8.1 support for Installer CLI
- issue #4888: The database audit script fails to run properly on MySQL 8.0.29
- issue #4889: Increase host query performance by removing check for NULL
- issue #4892: When many hosts go offline, Recache Event can be constantly logged
- issue #4893: Real Time Counter can become stuck and does not count down
- issue #4896: When remote poller is in offline mode, GUI can become inaccessible and poller can timeout
- issue #4897: Technical support page on remote poller shows max connections of Main poller
- issue #4903: Correct incompatibility between MySQL 8.x and Automation regular expressions
- issue #4904: The recommendation for innodb_buffer_pool_instances is incorrect for MySQL 8 and MariaDB < 10.5
- issue #4905: Using colons in labels can break graphs with gradients
- issue #4917: Real Time Counter can become stuck and does not count down
- issue #4921: Some Aggregate graphs can be denied access incorrectly
- issue #4923: Unable to duplicate a Graph template
- issue #4927: Unable to audit the database if database password contains a bracket
- issue #4934: Upgrade phpseclib to 2.0.37
- issue #4935: The 'Net-SNMP - Device I/O' template incorrectly sets a maximum value of zero
- issue #4940: When sorting by hostname, database errors can be reported
- issue #4941: When boost is running, graphs can appear broken
- issue #4944: Packages should be signed with SHA256 as SHA1 is considered deprecated
- issue #4947: When creating a Data Template, ensure that the default max value is always 'U' and not '0'
- issue #4951: Plugins may not work correctly with Multi-Poller setups
- issue #4960: Setting context for connections throws error in PHP 8.x
- issue #4963: When calculating 95th percentile, floor() may be used instead of ceil() incorrectly
- issue #4964: Tree search does not correctly hide non-matching tree objects
- issue #4966: Device Template filters should show on used templates
- issue #4971: MIB Parser can sometimes cause errors in later PHP versions
- issue #4978: Boost may sometimes lose the Time Zone unexpectedly
- issue #4980: Setting business hours can cause PHP errors
- issue #4988: When creating RRD File, more data sources than expected may be defined
- issue #4990: When viewing Links, errors can be generated
- issue #4991: Updating a Data Template does not switch rrd_heartbeat properly for all sources leading to empty graphs
- issue #4993: Data Debug Troubleshooter does not pick up invalid RRD_heartbeat settings
- issue #4996: When managing graphs, Graphs can be listed multiple times incorrectly
- issue #5001: Data Debug troubleshooter reports false positives with Missing Data Sources
- issue #5006: Errors can occur when attempting to remove items from CDEF or VDEF's
- issue #5012: When upgrading database at command line, some PHP errors may be seen
- issue #5013: Automatically set Bulk Walk size when missing on a host
- issue #5015: Upgrade for 1.2.21 reporting unknown status
- issue #5017: SNMP Agent can cause unexpected errors due to implicit rounding
- issue #5018: When using 'Remember me', session can still be forced to end unexpectedly
- issue #5024: Escape char not properly replaced in snmp strings
- issue #5028: Cacti User Stats script can throw errors unexpectedly
- issue #5029: Searching for a plugin by name does not always work
- issue #5030: Installer shows innodb unset in MariaDB 10.10+
- issue #5033: Improve PHP 8.1 support with Installer
- issue #5034: RRD Proxy Server not supported by CLI script "structure_rra_paths.php"
- issue #5041: Custom themes may cause errors if they do not contain all required CSS/JS files
- issue #5057: When adding a device rule in automation, deprecated filters may be reported
- issue #5066: Graph watermark is not escaped properly, leading to broken graphs
- issue #5068: Improve PHP 8.2 support with Installer
- issue #5084: When viewing trees, runtime errors may be recorded
- issue #5088: When running script host_update_template.php, reindex method may incorrectly be changed to uptime
- issue #5089: When numeric regex validation fails, no backtrace is logged
- issue #5096: When the SNMP Agent is enabled, certain objects can result in errors appearing
- issue #5097: RRDtool Utilities should not appear on Remote Data Collectors
- issue #5101: When a remote poller fails, the recovery process may also fail
- issue #5102: When in Recovery Mode, plugins that are designed to work remotely stop working
- issue #5103: When Remote Data Collector changes status, a full page refresh or logout should occur
- issue #5105: ss_host_disk.php php issue after upgrade PHP 8.1 (from 7.4)
- issue #5107: Block installation if PHP has session.auto_start enabled
- issue #5111: During boost processing, some DS Stats functions can cause errors
- feature #1100: Structured path not created when using remote poller and Update On-Demand
- feature #1392: Notify Admins that page errors exist even when using dynamic callbacks
- feature #2239: Allow Import and Export to be more selective
- feature #2485: Importing Template requires you to upload the same file after previewing
- feature #2548: Add Head/Tail filtering of log for more efficient searches
- feature #2567: The innodb sort buffer should be optimized for large tables
- feature #2747: Allow more sorting options when managing Graphs
- feature #2871: Report when RRA's heartbeat is below the data source profile's interval
- feature #3131: Add utility feature to reindex hosts with bad indexes
- feature #3578: Allow Re-indexing of Devices to be Scheduled
- feature #4025: When importing a Template or Package, allow the user to ignore template and use the system default dimensions
- feature #4239: On "Graph Utility View" add the name of and a link to the graph template which the graph is based on
- feature #4417: Support execution of custom functions at poller bottom for remote pollers
- feature #4754: The script ss_fping.php should timeout based on the host
- feature #4762: Allow Package Import to be selective
- feature #4786: Windows install does not support SVG rendering
- feature #4820: When importing, make it possible to only import certain components
- feature #4841: Move the cactid function db_check_reconnect() to lib/database.php for other service oriented scripts
- feature #4874: Add support for Business Hours
- feature #4890: Add multi threading for Poller recache script
- feature #4899: Allow script server to be told when the main database is offline or in recovery
- feature #4901: Make the script server accept arguments in the standard way
- feature #4902: Increase compatibility with MySQL 8.x
- feature #4907: Add lmSensors to the Net-SNMP Device Template
- feature #4926: Allow the user to override Cacti's built-in Time Zone detection
- feature #4943: Add ability to periodically check RRDfiles for errors in batch
- feature #4948: When security cookie times out, redirection does not always occur properly
- feature #4955: Provide memory tuning based upon MySQL Tuner recommendations
- feature #4956: The function db_check_reconnect() should be able to work with any connection
- feature #4957: Add Device Template categories to match the classes of the Package Plugin
- feature #4965: When unlocking a tree, entire page should not need rebuilding
- feature #4967: Make adding Associated Graph Templates and Data Queries easier to use
- feature #4989: Improve table performance by caching 'Total Rows' using a hash
- feature #5009: Allow SNMP Value OIDs to be parsed using regular expressions
- feature: Adding ESXi Device Template
- feature: Upgrade jQuery to version 3.6.1
- feature: Upgrade jQueryUI to version 1.13.2
- feature: Upgrade billboard.js to version 3.6
- feature: Introduce exec() function with timeout
Reporting Issues
http://www.cacti.net/issues.php
Download Cacti
http://www.cacti.net/download_cacti.php
Download Spine
http://www.cacti.net/spine_download.php
Thanks!
The Cacti Group
What's Changed
- Added support for showing business hours by @thurban in #4878
- Labels on AREA having a colon breaks the gradient creation with an rrdtool error by @thurban in #4900
- Fix cisco router template BGP by @bmfmancini in #4906
- Add .htaccess file to scripts and MIB folders by @bmfmancini in #4922
- fix SQL where condition - auth.php by @xmacan in #4945
- Add ability to periodically check RRDfiles for errors in batch by @xmacan in #4943
- Update to rrd.php to fix Business hours errors and timezone issue by @thurban in #4982
- Update syntax.yml by @bmfmancini in #4992
- Rrdcheck new tests by @xmacan in #4999
- remove unused query by @xmacan in #5003
- Allow SNMP Value OIDs to be parsed using regular expressions by @gadzet21 in #5009
- When upgrading database at command line, some PHP errors may be seen by @ddb4github in #5012
- Improve PHP 8.1 support for Installer CLI by @ddb4github in #4738
- Escape char not properly replaced in snmp strings by @ddb4github in #5024
- Fixed three files by @ddb4github in #5026
- fix php variable in graph debug rrdtool command by @xmacan in #5061
- Fixed two files by @ddb4github in #5077
Full Changelog: release/1.2.22...release/1.2.23