There may be users of Cacti from EPEL on this the epel-announce list, so I'm forwarding this here.
---------- Forwarded message ----------
From: Ken Dreyer ktdreyer@ktdreyer.com
Date: Thu, Oct 23, 2014 at 11:08 AM
Subject: intent to retire cacti
To: Development discussions related to Fedora devel@lists.fedoraproject.org
Hi folks,
Cacti is a PHP monitoring program that has been showing its age for a while now.
There are numerous CVEs relating to XSS and SQL injection that upstream has patched in SVN but are not available in any tagged release, and this has been the case for several months.
More recently, another round of vulnerabilities have come out that upstream has not even officially patched in their SVN repository:
- CVE-2014-2327 (CSRF)
- CVE-2014-5025 (stored XSS)
- CVE-2014-5026 (more stored XSS)
- CVE-2014-5261 (shell metacharacters)
- CVE-2014-5262 (SQL injection)
I think Debian is carrying its own custom patches for some of these.
Since Fedora's already carrying a large-ish patch to remove Cacti's non-free JavaScript bits, the fact that upstream is showing further signs of dying makes me doubt the feasibility of keeping this package in the distro. I'm planning to retire the package altogether.
Because of the continued security problems in the project, I would already advise against anyone running vanilla Cacti from upstream. I'm now at the point where I'd advise anyone against running it altogether, even the distro packages. Zenoss, XYMon, Nagios, and Icinga are all viable replacements.
Jon Ciesla is the official point of contact for Cacti in pkgdb, and he and I are in agreement that we should retire this package.
Cacti is still present in EPEL 5, 6, and 7, and I really dislike destabilizing EPEL if I can help it. I don't know if I can make time to patch the above CVEs, so we may need to retire it in EPEL too. If you're using Cacti, now is the time to move onto something else.
- Ken
epel-announce@lists.fedoraproject.org