Hello community,

here is the log from the commit of package cacti for openSUSE:Factory checked in at 2026-04-22 16:59:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cacti (Old)
 and /work/SRC/openSUSE:Factory/.cacti.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cacti" Wed Apr 22 16:59:11 2026 rev:55 rq:1348647 version:1.2.30+git306.82d5aef5 Changes: -------- --- /work/SRC/openSUSE:Factory/cacti/cacti.changes 2026-02-27 17:10:59.990828797 +0100 +++ /work/SRC/openSUSE:Factory/.cacti.new.11940/cacti.changes 2026-04-22 16:59:58.308933094 +0200 
@@ -1,0 +2,78 @@ +Tue Apr 21 20:28:22 UTC 2026 - [email protected] + +- Update to version 1.2.30+git306.82d5aef5: + * add a collapse icon (#7047) + * security: consolidated defense-in-depth hardening (1.2.x) (#7039) + * fix(security): harden boost cache, deserialization, GET_LOCK, and process management (#7021) + * CVE-2026-0540 - Update DOMPurify to 3.3.3. phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack (#7022) + * fix(security): harden exec_background, log path redirection, and CLI argument handling (#7016) + * fix: IPv6 support hardening for SNMP sessions, ping validation, and binary transport (#7014) + * fix(security): enforce strict metric serialization at RRDtool IPC boundary (#7012) + * fix(security): harden rrd.php, database.php, and html_utility.php (1.2.x) (#7002) + * fix(security): harden auth lockout, CSPRNG fallback, error escaping, and redirect (1.2.x) (#7000) + * fix(security): harden core execution boundaries and XML processing (#7010) + * fix(security): harden utility.php PHP binary validation, SQL injection, PRNG, and XSS (#7006) + * fix(security): escape html_filter form attributes and JS context (1.2.x) (#6995) + * fix: prevent empty CDEF RPN expressions in aggregate graphs (1.2.x) (#6985) + * fix: aggregate 95th percentile uses SUM instead of MAX for SIMILAR (1.2.x) (#6984) + * fix: CF fallback selection overwritten by cf_reference (1.2.x) (#6982) + * fix: remove unconditional overwrite of coerced multi-DS values (1.2.x) (#6981) + * fix: cacti_snmp_validate_oid accepts non-numeric OIDs (1.2.x) (#6980) + * fix(scripts): return 'U' on error in ss_webseer, ss_gexport, query_host_cpu (1.2.x) (#6983) + * fix: Fixing additional review issues (#6979) + * fix: Fixing issues with dns call (#6977) + * fix: Fixing wrong variable use (#6976) + * fix(security): cast effective_user to int and validate OID format in remote_agent (1.2.x) (#6969) + * fix(security): escape rrdtool tune arguments to prevent command injection (#6967) + * 
fix(security): forward-verify PTR result in remote_client_authorized() (#6968) + * fix(security): validate graph_theme with basename() to prevent LFI (#6966) + * fix(security): escape error message output in auth_login.php (#6958) + * fix: Simplify redirect handling in Cacti and Fix Multi-Sort (#6955) + * fix(security): use strict comparisons in auth and restrict unserialize (#6960) + * fix: correct spikekill user/default inversion and add RRD file check (1.2.x) (#6962) + * fix(security): parameterize SQL, add column allow-list, and type-safe counter math (#6961) + * fix(hardening): replace raw $_REQUEST with input wrapper functions (#6959) + * fix graph debug (#6956) + * fix: return text error in graph debug mode when RRD file missing (1.2.x) (#6924) + * security: fix XSS in JavaScript contexts across UI pages (1.2.x) (#6929) + * fix: correct colourBrightness calculation for negative and integer percentages (1.2.x) (#6928) + * Fix: Removing backtick operator from code (#6922) + * fix: remove noisy RRD file-not-found log message (#6918) + * security: remaining hardening backports to 1.2.x (#6917) + * Fix: Issuesing changing poller and audit plugin (#6915) + * Fix: Add missing functiosn rrdtool_file_exists (#6914) + * security: harden shell command execution against injection (1.2.x backport) (#6902) + * security: fix SSRF and SSL verification in help.php (1.2.x backport) (#6906) + * fix: backport spikekill and realtime graph fixes to 1.2.x (#6909) + * security: fix XSS and open redirect in auth and UI pages (1.2.x backport) (#6910) + * security: parameterize SQL in sequence functions and data_queries.php (1.2.x backport) (#6911) + * security: fix SSRF, command injection, and XSS in core functions (1.2.x) (#6913) + * security: support array arguments in exec_background and __rrd_execute (1.2.x backport) (#6912) + * Fixing managers actions not taking action (#6901) + * security: harden SQL query construction against injection (1.2.x backport) (#6897) + * security: 
fix XSS, path traversal, open redirect, and IDOR (1.2.x backport) (#6899) + * security: fix unsafe deserialization in managers.php (1.2.x backport) (#6898) + * Update translation files + * Translated using Weblate (Swedish) + * Update translation files + * Translated using Weblate (Swedish) + * Update translation files + * Translated using Weblate (Swedish) + * fix(1.2.x): correct codespell-detected spelling errors in PHP source files (#6808) + * qa: Removing php7.4 and php8.0 from our validation matrix due recent plugin changes (#6817) + * Update translation files + * Translated using Weblate (Swedish) + * [1.2.x] fix: exec_with_timeout operator precedence, child kill, and stderr handling (#6732) + * fix(auth): add column-name whitelist to is_view_allowed() (#6708) + * fix: parameterize SQL in cli/add_device.php (#6710) + * fix: remove PHP_EOL from force_https redirect header (#6711) + * fix: three one-line typos in spikekill subsystem (#6712) + * fix: add output_format to ifName and ifDescr in interface.xml (#6713) + * fix: strict comparison in replicate_table_to_poller column exclusion (#6714) + * fix: escape values in array_to_sql_or() to prevent SQL injection (#6709) + * fix: correct JOIN condition in is_view_allowed() group membership query (#6734) + * fix false down status in gui (#6706) + * add dell idrac template (#6681) + * Backport check_all_pages.sh to 1.2.x (#6678) + +------------------------------------------------------------------- Old: ---- cacti-1.2.30+git233.9b67d5e98.obscpio cacti-1.2.30+git233.9b67d5e98.tar.gz New: ---- cacti-1.2.30+git306.82d5aef5.obscpio cacti-1.2.30+git306.82d5aef5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cacti.spec ++++++ --- /var/tmp/diff_new_pack.cTWq6c/_old 2026-04-22 16:59:59.612987057 +0200 +++ /var/tmp/diff_new_pack.cTWq6c/_new 2026-04-22 16:59:59.612987057 +0200 
@@ -32,7 +32,7 @@ %bcond_with systemd %endif Name: cacti -Version: 1.2.30+git233.9b67d5e98 +Version: 1.2.30+git306.82d5aef5 %global base_version %(echo %{version} | sed 's/+[^+]*//') %global next_base_version %(echo %{base_version} | awk -F. -v OFS=. '{$NF++; print}') Release: 0 ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.cTWq6c/_old 2026-04-22 16:59:59.728991857 +0200 +++ /var/tmp/diff_new_pack.cTWq6c/_new 2026-04-22 16:59:59.740992353 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/Cacti/cacti.git</param> - <param name="changesrevision">9b67d5e98f9d57208d36526cc0115b61d815c98e</param></service></servicedata> + <param name="changesrevision">82d5aef554c91cebe0e64430991b1ca8ef2c1b3c</param></service></servicedata> (No newline at EOF) ++++++ cacti-1.2.30+git233.9b67d5e98.obscpio -> cacti-1.2.30+git306.82d5aef5.obscpio ++++++ ++++ 12061 lines of diff (skipped) ++++++ cacti-1.2.30+git233.9b67d5e98.tar.gz -> cacti-1.2.30+git306.82d5aef5.tar.gz ++++++ /work/SRC/openSUSE:Factory/cacti/cacti-1.2.30+git233.9b67d5e98.tar.gz /work/SRC/openSUSE:Factory/.cacti.new.11940/cacti-1.2.30+git306.82d5aef5.tar.gz differ: char 12, line 1 ++++++ cacti.obsinfo ++++++ --- /var/tmp/diff_new_pack.cTWq6c/_old 2026-04-22 17:00:07.705321922 +0200 +++ /var/tmp/diff_new_pack.cTWq6c/_new 2026-04-22 17:00:07.749323743 +0200 @@ -1,5 +1,5 @@ name: cacti -version: 1.2.30+git233.9b67d5e98 -mtime: 1772048275 -commit: 9b67d5e98f9d57208d36526cc0115b61d815c98e +version: 1.2.30+git306.82d5aef5 +mtime: 1776391116 +commit: 82d5aef554c91cebe0e64430991b1ca8ef2c1b3c
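
Review bot: in the cacti.changes hunk, the only CVE identifier (CVE-2026-0540, #7022) sits on a bullet that names both the DOMPurify 3.3.3 update and phpseclib's AES-CBC unpadding timing issue, so a reader cannot tell which of the two the identifier covers. Split that bullet into two entries, and add a short summary at the top of the entry that groups the security items by class (for example command injection #6967, #6902, #6913; SQL injection #6709, #6897, #6961, #6911; unsafe deserialization #6898, #6960; SSRF #6906, #6913; LFI #6966). As it stands these are scattered through a raw upstream log, next to four repeated "Update translation files" / "Translated using Weblate (Swedish)" pairs that could be collapsed into one line.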
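
Review bot: in the cacti.spec hunk, and in the matching version line of cacti.obsinfo, the abbreviated commit suffix in Version shrinks from nine hex characters (9b67d5e98) to eight (82d5aef5). Keep the abbreviation length fixed in the source service so that version strings stay uniform across updates and stay easy to match against the full hash recorded in _servicedata.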
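
Review bot: the _servicedata and cacti.obsinfo hunks are the only reviewable record of what source is being shipped, because the obscpio diff is skipped ("12061 lines of diff (skipped)") and the tar.gz comparison reports only "differ: char 12, line 1". None of the security changes listed in cacti.changes can be checked from this mail, so review them against upstream commit 82d5aef554c91cebe0e64430991b1ca8ef2c1b3c, which both files agree on. The closing </service></servicedata> tags also share a line with the changesrevision param and the file has no newline at EOF; putting each closing tag on its own line would keep future revision bumps to a one-line diff.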
