CVE-2017-12066 (https://nvd.nist.gov/vuln/detail/CVE-2017-12066): Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete fix (lack of the htmlspecialchars ENT_QUOTES flag) for CVE-2017-11163.

References:
https://cacti.net/release_notes.php?version=1.1.16
https://github.com/Cacti/cacti/commit/bd0e586f6f46d814930226f1516a194e7e72293e
https://github.com/Cacti/cacti/issues/877
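An added illustration of the incomplete-fix point above, not Cacti's code: the cancel-link rendering is a hypothetical stand-in, and the Referer value is constructed. It shows why htmlspecialchars() without ENT_QUOTES leaves a single-quoted attribute exposed.

```php
<?php
// Added illustration, not Cacti's code. Shows the difference between
// htmlspecialchars() with ENT_COMPAT (the default before PHP 8.1) and with
// ENT_QUOTES when the result is placed in a single-quoted HTML attribute.

// Constructed sample Referer value containing both quote characters.
$referer = "http://example.test/graphs.php?view=1' \"x";

// Incomplete fix: ENT_COMPAT encodes " but leaves ' untouched.
function escape_incomplete(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Complete fix: ENT_QUOTES encodes both " (&quot;) and ' (&#039;).
function escape_complete(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Hypothetical stand-in for a cancel link whose href is single-quoted.
function render_cancel_link(string $cancel_url): string
{
    return "<a href='" . $cancel_url . "'>Cancel</a>";
}

// True when the escaped value still contains a raw quote of either kind,
// i.e. when it could terminate a quoted attribute early.
function has_raw_quote(string $escaped): bool
{
    return strpos($escaped, "'") !== false || strpos($escaped, '"') !== false;
}

$incomplete = escape_incomplete($referer);
$complete   = escape_complete($referer);

echo "ENT_COMPAT : ", render_cancel_link($incomplete), "\n";
echo "ENT_QUOTES : ", render_cancel_link($complete), "\n";
echo "raw quote after ENT_COMPAT : ", has_raw_quote($incomplete) ? "yes" : "no", "\n";
echo "raw quote after ENT_QUOTES : ", has_raw_quote($complete) ? "yes" : "no", "\n";
```

On PHP 8.1 and later the default flag set already includes ENT_QUOTES, so the gap only reproduces when ENT_COMPAT is passed explicitly, as above; on older PHP the bare htmlspecialchars($value) call behaves like the incomplete variant.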
Fixed ebuild pushed to git:

From 2a10b99341a3bc93d00cb9eba4a020cb71f78bf8 Mon Sep 17 00:00:00 2001
From: Jeroen Roovers <jer@gentoo.org>
Date: Sun, 20 Aug 2017 09:02:02 +0200
Subject: net-analyzer/cacti: Version bump.

Package-Manager: Portage-2.3.8, Repoman-2.3.3
---
 net-analyzer/cacti/Manifest            |  1 +
 net-analyzer/cacti/cacti-1.1.18.ebuild | 58 ++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 net-analyzer/cacti/cacti-1.1.18.ebuild

@Maintainer(s): Please state if the package is ready for stabilization.
@ Maintainer(s): Please tell us if we can start stabilization of =net-analyzer/cacti-1.1.18.
Stable on alpha.
sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
x86 stable
amd64 stable
tree is clean.
sparc stable (thanks to Rolf Eike Beer)