SUSE alert openSUSE-SU-2026:0033-1 (cacti, cacti-spine)
From: maintenance@opensuse.org
To: security-announce@lists.opensuse.org
Subject: openSUSE-SU-2026:0033-1: critical: Security update for cacti, cacti-spine
Date: Fri, 30 Jan 2026 21:04:49 +0100
Message-ID: <20260130200449.8CF59FD85@maintenance.suse.de>
openSUSE Security Update: Security update for cacti, cacti-spine
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2026:0033-1
Rating:             critical
References:         #1231027 #1231369 #1231370 #1231371 #1231372 #1236482
                    #1236486 #1236487 #1236488 #1236489 #1236490
Cross-References:   CVE-2024-43362 CVE-2024-43363 CVE-2024-43364
                    CVE-2024-43365 CVE-2024-45598 CVE-2024-54145
                    CVE-2024-54146 CVE-2025-22604 CVE-2025-24367
                    CVE-2025-24368
Affected Products:
                    openSUSE Backports SLE-15-SP6
                    openSUSE Backports SLE-15-SP7
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has one errata
   is now available.

Description:

   This update for cacti, cacti-spine fixes the following issues:

   cacti 1.2.30:

   - Unable to add new users
   - When using Automation Rules, specifying graph criteria may cause issues
   - When transferring a system from a backup, if the poller has not run
     recently, rrdtool issues are found
   - When translating, quotes may cause incorrect text to appear
   - When using Boost for the first time, warnings may appear
   - When refreshing forms, items may be checked incorrectly by xmacan

   cacti 1.2.29:

   - CVE-2025-22604 GHSA-c5j8-jxj3-hh36 - Authenticated RCE via multi-line
     SNMP responses (bsc#1236488)
   - CVE-2025-24368 GHSA-f9c7-7rc3-574c - SQL Injection vulnerability when
     using tree rules through Automation API (bsc#1236490)
   - CVE-2024-54145 GHSA-fh3x-69rr-qqpp - SQL Injection vulnerability when
     requesting automation devices (bsc#1236487)
   - CVE-2025-24367 GHSA-fxrq-fr7h-9rqq - Arbitrary File Creation leading
     to RCE (bsc#1236489)
   - CVE-2024-45598 GHSA-pv2c-97pp-vxwg - Local File Inclusion (LFI)
     Vulnerability via Poller Standard Error Log Path (bsc#1236482)
   - CVE-2024-54146 GHSA-vj9g-P7F2-4wqj - SQL Injection vulnerability when
     viewing a host template (bsc#1236486)
   - issue: Temporary table names may incorrectly think they have a schema
   - issue: When using Preset Time to view graphs, it is using a fixed point
     rather than relative time
   - issue: Fix issue where RRA files are not automatically removed
   - issue: Fix invalid help link for Automation Networks
   - issue: Unable to disable a tree within the GUI
   - issue: When removing graphs, RRA files may be left behind
   - issue: Improve compatibility with ping under FreeBSD
   - issue: Improve compatibility with Slice RRD tool under PHP 8.x
   - issue: Allow IPv6 formats to use colons without port
   - issue: Update Fortigate, Aruba OSCX and Clearpass templates
   - issue: When a plugin is disabled, unable to use GUI to enable it again
   - issue: When upgrading, ensure that replication only runs as necessary
   - issue: Improve caching and syncing issues with replication
   - issue: Improve caching techniques for database calls
   - issue: Improve compatibility for Error constants under PHP 8.4
   - issue: When running the upgrade database script, cursor is left in the
     middle of the row
   - issue: Guest page does not automatically refresh
   - issue: When installing, conversion of tables may produce collation
     errors
   - feature: Add HPE Nimble/Alletra template
   - feature: When installing, only convert core cacti tables
   - Add /srv/www directories to filelist [boo#1231027]
   - fix for cacti-cron.timer & cacti-cron.service failing after upgrade has
     already removed
   - replace cacti-cron.timer & cacti-cron.service with cactid.service to
     fix thold & other "sub poller" poller processes not running.

   cacti 1.2.28:

   - CVE-2024-43365 GHSA-49f2-hwx9-qffr: XSS vulnerability when creating
     external links with the consolenewsection parameter (bsc#1231372)
   - CVE-2024-43364 GHSA-fgc6-g8gc-wcg5: XSS vulnerability when creating
     external links with the title parameter (bsc#1231371)
   - CVE-2024-43363 GHSA-gxq4-mv8h-6qj4: RCE vulnerability can be executed
     via Log Poisoning (bsc#1231370)
   - CVE-2024-43362 GHSA-wh9c-v56x-v77c: XSS vulnerability when creating
     external links with the fileurl parameter
   - issue: When using LDAP authentication the first time, warnings may
     appear in logs
   - issue: When installing, a replication loop for plugin_realms may occur
   - issue: When installing, remote poller may attempt to sync with other
     pollers
   - issue: When a Data Query has a space, indexes may not be properly
     escaped
   - issue: Boost does not always order data source records properly
   - issue: Add IP address to the login audit for successful logins by
     xmacan
   - issue: Undefined variable error may sometimes occur when dealing with
     RRD output by MSS970
   - issue: When exporting to CSV, only the first line of notes is included
   - issue: When rendering forms, missing default value can cause errors
   - issue: Allow hosted content to be executable for the links page
   - issue: When closing database connections, some may linger incorrectly
   - issue: When changing passwords, an infinite loop may occur by
     ddb4github
   - issue: When using Cacti Daemon, a "Cron out of sync" message may be
     reported
   - issue: Add ability to filter/sort users by group or last login time
   - issue: When using List View, unable to add Graphs to a Report
   - issue: When using SNMPv3, some devices may show polling issues
   - issue: Limit table conversion to Cacti core tables
   - issue: Fix issues with posix-based kills on Windows
   - issue: When installing, password changes may fail on new installations
   - issue: When using structured RRD folders, permission issues may be
     flagged incorrectly
   - issue: When unable to locate a valid theme, new default will be Modern
   - issue: Properly cache the data source information for dsstats
     processing
   - issue: When reindexing, verify all fields may not work as intended
   - feature: Add ability to log database connections/disconnections
   - feature: Add Ping Method where connection refused assumes host is up
   - feature: When displaying graphs, default end time does not show full
     24 hour period
   - feature: Add --id to remove_device.php
   - feature: Add Location and Site to Graph List View
   - feature: Add more verbose logging to Boost
   - feature: Update jQuery to 3.7.1
   - feature: Update jQueryUI to 1.14.0
   - feature: Update Purify.js to 3.1.6
   - feature: Update billboard.js to 3.13.0
   - feature: Improve the performance of the repopulation of the poller
     cache

   Changes in cacti-spine:

   cacti-spine 1.2.30:

   - no changes
   - Bump/rebuild to match Cacti 1.2.30

   cacti-spine 1.2.28:

   - When using Ping or SNMP Uptime, host is not always detected properly
   - Add Ping Method where connection refused assumes host is up

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP7:

      zypper in -t patch openSUSE-2026-33=1

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2026-33=1

Package List:

   - openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

      cacti-spine-1.2.30-bp157.2.3.1
      cacti-spine-debuginfo-1.2.30-bp157.2.3.1
      cacti-spine-debugsource-1.2.30-bp157.2.3.1

   - openSUSE Backports SLE-15-SP6 (noarch):

      cacti-1.2.30-bp156.2.6.1

References:

   https://www.suse.com/security/cve/CVE-2024-43362.html
   https://www.suse.com/security/cve/CVE-2024-43363.html
   https://www.suse.com/security/cve/CVE-2024-43364.html
   https://www.suse.com/security/cve/CVE-2024-43365.html
   https://www.suse.com/security/cve/CVE-2024-45598.html
   https://www.suse.com/security/cve/CVE-2024-54145.html
   https://www.suse.com/security/cve/CVE-2024-54146.html
   https://www.suse.com/security/cve/CVE-2025-22604.html
   https://www.suse.com/security/cve/CVE-2025-24367.html
   https://www.suse.com/security/cve/CVE-2025-24368.html
   https://bugzilla.suse.com/1231027
   https://bugzilla.suse.com/1231369
   https://bugzilla.suse.com/1231370
   https://bugzilla.suse.com/1231371
   https://bugzilla.suse.com/1231372
   https://bugzilla.suse.com/1236482
   https://bugzilla.suse.com/1236486
   https://bugzilla.suse.com/1236487
   https://bugzilla.suse.com/1236488
   https://bugzilla.suse.com/1236489
   https://bugzilla.suse.com/1236490
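After applying the patch, an administrator will want to confirm that the installed cacti and cacti-spine packages are at or above the builds named in the Package List. The following script is an added example for that check; it is not part of the advisory or of SUSE's tooling. It reads the output of `rpm -q --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' cacti cacti-spine` and orders versions with a simplified form of RPM's version comparison (digit runs and letter runs, separators ignored; the `~` and `^` rules of the real rpmvercmp are left out). The fixed versions come from the advisory's Package List (one product line each; adjust the dictionary to the line for your product), and the embedded `rpm -q` output is a constructed sample with a made-up pre-advisory release string.

```python
import re
import sys

# Fixed version-release strings taken from the advisory's Package List (no epoch).
FIXED_VERSIONS = {
    "cacti": "1.2.30-bp156.2.6.1",        # openSUSE Backports SLE-15-SP6 (noarch)
    "cacti-spine": "1.2.30-bp157.2.3.1",  # openSUSE Backports SLE-15-SP7
}

# Constructed sample of
#   rpm -q --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' cacti cacti-spine
# on a host where cacti is still at a pre-advisory build (release string made up).
SAMPLE_RPM_Q = """\
cacti 1.2.28-bp156.1.1
cacti-spine 1.2.30-bp157.2.3.1
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified RPM version ordering: -1 if a < b, 0 if equal, 1 if a > b.

    Both strings are split into digit runs and letter runs; separators such as
    '.' and '_' are ignored.  Numeric segments compare numerically (so 1.10 is
    newer than 1.9), a numeric segment beats a letter segment, letter segments
    compare lexically, and when one string has segments left over it is newer.
    The '~' and '^' rules of the real rpmvercmp are not implemented.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def compare_vr(installed, fixed):
    """Compare two 'VERSION-RELEASE' strings as RPM does: version first, and
    release only when the versions are equal."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def outdated_packages(rpm_q_output, fixed_versions):
    """Return the names of packages in rpm_q_output that are older than their
    fixed version.  Lines that are not 'NAME VERSION-RELEASE' (for example
    'package cacti is not installed') are skipped: a package that is not
    installed cannot be exposed by this advisory."""
    outdated = []
    for line in rpm_q_output.splitlines():
        fields = line.split()
        if len(fields) != 2 or "-" not in fields[1]:
            continue
        name, vr = fields
        fixed = fixed_versions.get(name)
        if fixed is not None and compare_vr(vr, fixed) < 0:
            outdated.append(name)
    return outdated


if __name__ == "__main__":
    # Pipe real output in:
    #   rpm -q --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' cacti cacti-spine | python3 check_cacti.py
    # With nothing on stdin the constructed sample is used instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_Q
    missing = outdated_packages(data, FIXED_VERSIONS)
    if missing:
        print("not at fixed version:", ", ".join(missing))
        sys.exit(1)
    print("all listed packages are at or above the fixed versions")
```

The exit status makes the script usable from a fleet-wide job: a non-zero exit flags hosts that still need `zypper in -t patch openSUSE-2026-33=1`. Because the comparison is done in Python rather than by string equality, a later rebuild with a higher release number is also accepted as fixed.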
