EPEL-ANNOUNCE Fwd: intent to retire cacti

There may be users of Cacti from EPEL on this, the epel-announce list,
so I'm forwarding this here.

---------- Forwarded message ----------
From: Ken Dreyer <ktdreyer@xxxxxxxxxxxx>
Date: Thu, Oct 23, 2014 at 11:08 AM
Subject: intent to retire cacti
To: Development discussions related to Fedora <devel@xxxxxxxxxxxxxxxxxxxxxxx>

Hi folks,

Cacti is a PHP monitoring program that has been showing its age for a while now.

There are numerous CVEs relating to XSS and SQL injection that
upstream has patched in SVN but are not available in any tagged
release, and this has been the case for several months.

More recently, another round of vulnerabilities has come out that
upstream has not even officially patched in their SVN repository:

- CVE-2014-2327 (CSRF),
- CVE-2014-5025 (stored XSS),
- CVE-2014-5026 (more stored XSS),
- CVE-2014-5261 (shell metacharacters),
- CVE-2014-5262 (SQL injection)

I think Debian is carrying its own custom patches for some of these.

Since Fedora's already carrying a large-ish patch to remove Cacti's
non-free Javascript bits, the fact that upstream is showing further
signs of dying makes me doubt the feasibility of keeping this package
in the distro. I'm planning to retire the package altogether.

Because of the continued security problems in the project, I would
already advise against anyone running vanilla Cacti from upstream. I'm
now at the point where I'd advise anyone against running it altogether,
even the distro packages. Zenoss, XYMon, Nagios, and Icinga are all
viable replacements.

Jon Ciesla is the official point of contact for Cacti in pkgdb, and he
and I are in agreement that we should retire this package.

Cacti is still present in EPEL 5, 6, and 7, and I really dislike
destabilizing EPEL if I can help it. I don't know if I can make time
to patch the above CVEs, so we may need to retire it in EPEL too. If
you're using Cacti, now is the time to move on to something else.

- Ken
_______________________________________________
epel-announce mailing list
epel-announce@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/epel-announce