intent to retire cacti

Ken Dreyer ktdreyer at ktdreyer.com
Thu Oct 23 17:08:12 UTC 2014


Hi folks,

Cacti is a PHP monitoring program that has been showing its age for a while now.

There are numerous CVEs relating to XSS and SQL injection that
upstream has patched in SVN but are not available in any tagged
release, and this has been the case for several months.

More recently, another round of vulnerabilities have come out that
upstream has not even officially patched in their SVN repository:

- CVE-2014-2327 (CSRF),
- CVE-2014-5025 (stored XSS),
- CVE-2014-5026 (more stored XSS),
- CVE-2014-5261 (shell metacharacters),
- CVE-2014-5262 (SQL injection)

I think Debian is carrying its own custom patches for some of these.

Since Fedora's already carrying a large-ish patch to remove Cacti's
non-free Javascript bits, the fact that upstream is showing further
signs of dying makes me doubt the feasibility of keeping this package
in the distro. I'm planning to retire the package altogether.

Because of the continued security problems in the project, I would
already advise against anyone running vanilla Cacti from upstream. I'm
now at the point where I'd advise anyone against running it altogether,
even the distro packages. Zenoss, XYMon, Nagios, and Icinga are all
viable replacements.

Jon Ciesla is the official point of contact for Cacti in pkgdb, and he
and I are in agreement that we should retire this package.

Cacti is still present in EPEL 5, 6, and 7, and I really dislike
destabilizing EPEL if I can help it. I don't know if I can make time
to patch the above CVEs, so we may need to retire it in EPEL too. If
you're using Cacti, now is the time to move on to something else.

- Ken
