Author: Paul Gevers
Revision Date: 2015-08-03 19:58:53 UTC

* Update loadavg_multi_locale_friendly.patch (Closes: #793401)
* Add missing manual.css (Closes: #783416)
* Fix d/rules override_dh_*configure target (Wasn't ever run,
  althought that wasn't too bad until now)

Author: Paul Gevers
Revision Date: 2015-08-03 19:58:53 UTC

* Update loadavg_multi_locale_friendly.patch (Closes: #793401)
* Add missing manual.css (Closes: #783416)
* Fix d/rules override_dh_*configure target (Wasn't ever run,
  althought that wasn't too bad until now)

Author: Marc Deslauriers
Revision Date: 2015-07-23 10:04:32 UTC

fake sync from Debian

Author: Marc Deslauriers
Revision Date: 2015-07-23 10:04:32 UTC

fake sync from Debian

Author: Steve Beattie
Revision Date: 2015-06-30 10:23:46 UTC

fake sync from Debian (LP: #1210822)

Author: Paul Gevers
Revision Date: 2015-06-27 14:25:12 UTC

* Security update (LP: #1210822):
  - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
    before 0.8.8d allows remote attackers to inject arbitrary web script
    or HTML via unspecified vectors.
  - CVE-2015-4342 SQL Injection and Location header injection from cdef
    id
  - CVE-2015-4454 SQL injection vulnerability in the
    get_hash_graph_template function in lib/functions.php in Cacti before
    0.8.8d allows remote attackers to execute arbitrary SQL commands via
    the graph_template_id parameter to graph_templates.php.
  - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540
  - CVE-2014-5261 Unsufficient input sanitation leads to shell command
    injection possibilities
  - CVE-2014-5262 Incomplete and incorrect input parsing leads to SQL
    injection attack scenarios
  - CVE-2014-5025 Cross Site Scripting Vulnerability
  - CVE-2014-5026 Cross Site Scripting Vulnerability
  - CVE-2014-5043 Cross Site Scripting Vulnerability
  - CVE-2014-2327 Cross Site Request Forgery Vulnerability
  - CVE-2014-4002 Cross-Site Scripting Vulnerability

Author: Steve Beattie
Revision Date: 2015-06-30 10:23:46 UTC

fake sync from Debian (LP: #1210822)

Author: Paul Gevers
Revision Date: 2015-06-27 14:25:12 UTC

* Security update (LP: #1210822):
  - CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti
    before 0.8.8d allows remote attackers to inject arbitrary web script
    or HTML via unspecified vectors.
  - CVE-2015-4342 SQL Injection and Location header injection from cdef
    id
  - CVE-2015-4454 SQL injection vulnerability in the
    get_hash_graph_template function in lib/functions.php in Cacti before
    0.8.8d allows remote attackers to execute arbitrary SQL commands via
    the graph_template_id parameter to graph_templates.php.
  - Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540
  - CVE-2014-5261 Unsufficient input sanitation leads to shell command
    injection possibilities
  - CVE-2014-5262 Incomplete and incorrect input parsing leads to SQL
    injection attack scenarios
  - CVE-2014-5025 Cross Site Scripting Vulnerability
  - CVE-2014-5026 Cross Site Scripting Vulnerability
  - CVE-2014-5043 Cross Site Scripting Vulnerability
  - CVE-2014-2327 Cross Site Request Forgery Vulnerability
  - CVE-2014-4002 Cross-Site Scripting Vulnerability

Author: Paul Gevers
Revision Date: 2014-08-18 19:57:43 UTC

* CVE-2014-5261
  Unsufficient input sanitation leads to shell command injection
  possibilities
* CVE-2014-5262
  Incomplete and incorrect input parsing leads to SQL injection attack
  scenarios
* Fix for CVE-2014-5043 was incomplete, improve patch
* Change CVE-2014-4002 patch to include upstream updated commits

Author: Paul Gevers
Revision Date: 2014-08-18 19:57:43 UTC

* CVE-2014-5261
  Unsufficient input sanitation leads to shell command injection
  possibilities
* CVE-2014-5262
  Incomplete and incorrect input parsing leads to SQL injection attack
  scenarios
* Fix for CVE-2014-5043 was incomplete, improve patch
* Change CVE-2014-4002 patch to include upstream updated commits

Author: Paul Gevers
Revision Date: 2014-08-18 19:57:43 UTC

* CVE-2014-5261
  Unsufficient input sanitation leads to shell command injection
  possibilities
* CVE-2014-5262
  Incomplete and incorrect input parsing leads to SQL injection attack
  scenarios
* Fix for CVE-2014-5043 was incomplete, improve patch
* Change CVE-2014-4002 patch to include upstream updated commits

Author: Paul Gevers
Revision Date: 2014-04-06 19:59:12 UTC

Fix postinst for lighttpd setups which fail on update due to
lighty-enable-mod exiting with non-zero if config is already loaded
(Closes: 743727)

Author: Paul Gevers
Revision Date: 2014-04-06 19:59:12 UTC

Fix postinst for lighttpd setups which fail on update due to
lighty-enable-mod exiting with non-zero if config is already loaded
(Closes: 743727)

Author: Paul Gevers
Revision Date: 2013-08-27 20:43:21 UTC

* Fix Cross site scripting (upstream bug 2383)
  CVE-2013-5588
* Fix SQL injection in host.php (upstream bug 2383)
  CVE-2013-5589
* Fix upgrade script in cli directory for latest releases
* Automatically upgrade database during package update (prevents upstream
  bug 2377)
* The code to enable lighttpd configuration from LP: #1132415 was broken

Author: Paul Gevers
Revision Date: 2013-08-27 20:43:21 UTC

* Fix Cross site scripting (upstream bug 2383)
  CVE-2013-5588
* Fix SQL injection in host.php (upstream bug 2383)
  CVE-2013-5589
* Fix upgrade script in cli directory for latest releases
* Automatically upgrade database during package update (prevents upstream
  bug 2377)
* The code to enable lighttpd configuration from LP: #1132415 was broken

Author: Paul Gevers
Revision Date: 2013-04-01 08:03:11 UTC

Improve jquery tree patch to show trees multilevel (Closes: #702690)

Author: Paul Gevers
Revision Date: 2013-04-01 08:03:11 UTC

Improve jquery tree patch to show trees multilevel (Closes: #702690)

Author: Paul Gevers
Revision Date: 2012-07-18 13:55:19 UTC

* Fix regression in the CVE-2010-1645 update on error handling:
  "PHP Fatal error: Cannot use string offset as an array in
   /usr/share/cacti/site/lib/data_query.php on line 183" (LP: #914746)
  - debian/patches/LP914746_regression_lucid_string_offset_in_data_query.patch

Author: Paul Gevers
Revision Date: 2012-07-18 13:55:19 UTC

* Fix regression in the CVE-2010-1645 update on error handling:
  "PHP Fatal error: Cannot use string offset as an array in
   /usr/share/cacti/site/lib/data_query.php on line 183" (LP: #914746)
  - debian/patches/LP914746_regression_lucid_string_offset_in_data_query.patch

Author: Paul Gevers
Revision Date: 2012-05-21 20:22:18 UTC

Update postrm with new debconf answers (Closes: #673764)

Author: Mahyuddin Susanto
Revision Date: 2012-01-19 09:10:27 UTC

* debian/patches/01_config.php.patch: Backports from Debian git repos to
  fix while upgrade because /etc/cacti/debian.php has been rewrite.
  (Closes: #654352)
* debian/control:
  - Move apache2 to Recommends to allow cacti running to other webserver,
    and fcgi stuff to Depends. (LP: #544828)
  - Remove absolute packages: apache, apache-ssl, apache-perl

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:01:16 UTC

* SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
  - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
  - CVE-2011-4824

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 15:52:09 UTC

* SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
  - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
  - CVE-2011-4824

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 15:46:56 UTC

* SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
  - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
  - CVE-2011-4824

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 16:01:16 UTC

* SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
  - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
  - CVE-2011-4824

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 15:46:56 UTC

* SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
  - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
  - CVE-2011-4824

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 15:52:09 UTC

* SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
  - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
  - CVE-2011-4824

Author: Mahyuddin Susanto
Revision Date: 2011-12-20 22:39:36 UTC

* SECURITY UPDATE: FIX SQL injection in auth_login.php (LP: #906773)
  - debian/patches/CVE-2011-4824.patch: patch derived from upstream.
  - CVE-2011-4824

Author: Christian Perrier
Revision Date: 2011-06-29 06:57:56 UTC

* Non-maintainer upload.
* Fix pending l10n issues. Debconf translations:
  - French (Christian Perrier). Closes: #614903
  - German (Chris Leick). Closes: #619663
  - Russian (Yuri Kozlov). Closes: #623795
  - Indonesian (Mahyuddin Susanto). Closes: #623886
  - Japanese (Hideki Yamane). Closes: #624821
  - Danish (Joe Hansen). Closes: #625482
  - Dutch; (Luk Claes). Closes: #625529
  - Spanish; (Francisco Javier Cuadrado). Closes: #627032
  - Swedish (Martin Bagge / brother). Closes: #628928
  - Czech (Miroslav Kure). Closes: #631596
  - Basque (Ander Goñi). Closes: #631900
  - Portuguese (Rui Branco). Closes: #631982

Author: Sean Finney
Revision Date: 2010-08-17 22:22:02 UTC

* New upstream release (Closes: #592465).
* Update context in 05_no-adodb.patch to remove fuzz.
* Remove "official" patches from previous release.
* Remove 563955_undefined_index_local_data_id.patch, incorporated upstream.
* Remove CVE-2010-2092.patch, incorporated upstream.
* Import new batch of "official" upstream patches.
* Update apache configuration to work in FastCGI deployments (Closes: #593203).
   - thanks to Thijs Kinkhorst <thijs@uvt.nl> (Closes: #578909).

Author: Sean Finney
Revision Date: 2010-08-17 22:22:02 UTC

* New upstream release (Closes: #592465).
* Update context in 05_no-adodb.patch to remove fuzz.
* Remove "official" patches from previous release.
* Remove 563955_undefined_index_local_data_id.patch, incorporated upstream.
* Remove CVE-2010-2092.patch, incorporated upstream.
* Import new batch of "official" upstream patches.
* Update apache configuration to work in FastCGI deployments (Closes: #593203).
   - thanks to Thijs Kinkhorst <thijs@uvt.nl> (Closes: #578909).

Author: Sean Finney
Revision Date: 2010-01-24 21:39:46 UTC

* Import 2 new "official" patches from upstream
* Italian debconf translation
  - thanks to Alessandro De Zorzi <lota@nonlontano.it> (Closes: #548447)
* Fix for "Undefined index: local_data_id in graphs_new.php"
  - new debian patch 563955_undefined_index_local_data_id.patch
  - thanks to Teodor MICU <mteodor@gmail.com> (Closes: #563955)
* Fix for "must not RE-add /etc/apache2/conf.d/cacti.conf link on upgrade"
  - thanks to Patrick Schoenfeld <schoenfeld@debian.org> (Closes: #561477)
* Bump debhelper compatibility level to 5

Author: Emanuele Gentili
Revision Date: 2008-03-31 00:03:37 UTC

* Cacti frontend fails with 'Invalid PHP_SELF Path' (LP: #194687)
 + debian/patches/11_php_self_nonstandard_dir.dpatch

Author: Jamie Strandboge
Revision Date: 2008-04-05 08:21:27 UTC

debian/patches/11_CVE-2008-0783_CVE-2008-0784_regression.dpatch: fix
'Invalid PHP_SELF Path' regression (LP: #194687)

Author: Emanuele Gentili
Revision Date: 2008-08-14 23:50:30 UTC

* control/watch:
 + added debian watch file.

Author: Emanuele Gentili
Revision Date: 2008-08-14 23:50:30 UTC

* control/watch:
 + added debian watch file.

Author: Jamie Strandboge
Revision Date: 2008-04-05 08:33:00 UTC

debian/patches/12_CVE-2008-0783_CVE-2008-0784_regression.dpatch: fix
'Invalid PHP_SELF Path' regression (LP: #194687)

Author: Emanuele Gentili
Revision Date: 2008-03-31 01:03:10 UTC

* Merge from debian unstable (LP: #194190), remaining changes:
 + debian/rules
  - added cli directory to cp command
 + debian/control
  - Modify Maintainer value to match the DebianMaintainerField
    specification

Author: Emanuele Gentili
Revision Date: 2008-03-31 00:03:37 UTC

* Cacti frontend fails with 'Invalid PHP_SELF Path' (LP: #194687)
 + debian/patches/11_php_self_nonstandard_dir.dpatch

Author: Brian Thomason
Revision Date: 2009-02-05 00:16:46 UTC

* SECURITY UPDATE: (LP: #164072)
  + CVE-2007-6035: SQL injection vulnerability in Cacti before 0.8.7a allows
    remote attackers to execute arbitrary SQL commands via unspecified
    vectors.
  + CVE-2007-3112: Cacti 0.8.6i, and possibly other versions, allows remote
    authenticated users to cause a denial of service (CPU consumption) via a large
    value of the (1) graph_start or (2) graph_end parameter.
  + CVE-2007-3113: Cacti 0.8.6i, and possibly other versions, allows remote
    authenticated users to cause a denial of service (CPU consumption) via a large
    value of the (1) graph_height or (2) graph_width parameter.
* debian/patches/10_CVE-2007-6035.dpatch:
  - Applied patch by upstream (Based on patch by Stephan Hermann)
  - Link: http://www.cacti.net/downloads/patches/0.8.6j/sec_sql_injection-0.8.6j.patch
* debian/patches/10_CVE-2007-3112+CVE-2007-3113.dpatch:
  - Applied patch by upstream (Based on patch by Stephan Hermann)
  - Link: http://svn.cacti.net/cgi-bin/viewvc.cgi/cacti/branches/0.8.7/graph_image.php?r1=3898&r2=3956&view=patch
* References:
  CVE-2007-6035
  CVE-2007-3112
  CVE-2007-3113

Author: Steffen Joeris
Revision Date: 2007-08-03 19:27:17 UTC

* Non-maintainer upload with the permission of the maintainer
* Fix DoS caused by large values passed to the graph_height,
  graph_width, graph_start and graph_end parameter parameters
  (Closes: #429224) Fixes: CVE-2007-3112, CVE-2007-3113

Author: Jamie Strandboge
Revision Date: 2008-04-05 08:21:27 UTC

debian/patches/11_CVE-2008-0783_CVE-2008-0784_regression.dpatch: fix
'Invalid PHP_SELF Path' regression (LP: #194687)

Author: sean finney
Revision Date: 2007-01-15 15:36:25 UTC

* include the list of official patches from upstream which (among other
  things) resolves multiple vulnerabilities in the poller and default
  scripts (Closes: 404818). thanks to Alex de Oliveira Silva for reporting
  this, and Neil McGovern for a bit of consultation.
* security references:
  - SA23528, CVE-2006-6799
* also include one extra changeset from svn which fixes a regression
  introduced in the security patch.
* new patches:
  - 07_official_dec06-vulnerability-scripts-0.8.6i.dpatch
  - 07_official_dec06-vulnerability-poller-0.8.6i.dpatch
  - 07_official_poller_output_remainder.dpatch
  - 07_official_import_template_argument_space_removal.dpatch
  - 08_svn_timespan_breakage_fix.dpatch

Author: Jamie Strandboge
Revision Date: 2008-04-05 08:33:00 UTC

debian/patches/12_CVE-2008-0783_CVE-2008-0784_regression.dpatch: fix
'Invalid PHP_SELF Path' regression (LP: #194687)

Author: sean finney
Revision Date: 2006-04-25 19:30:50 UTC

* official patch from upstream to fix database corruption and display some
  users were having as a result of the differing version of adodb
  in debian vs. the bundled version in cacti. thanks to the upstream
  authors for their help addressing the issue, and to Rene Cunningham
  for testing out the initial version of the patch.
  (closes: #364391, #351342)
* added note to README.Debian about potential unmet dependencies in
  mixed php4/php5 environments (thanks to Uwe Storbeck), and also
  about checking the cli configuration for the required modules (thanks
  to Troy Poppe), and also about potential problems with the cli
  poller and safe_mode (thanks to Birger Brunswiek) (closes: #359964).
* update package description to mention that it's likely that mysql-server
  should also be installed unless cacti is to be configured against a
  remote database system (closes: #349754).
* added a note to README.Debian about the initial user/pass, at the
  suggestion of Jonas Genannt, thanks. (closes: #352724).
* changed package dependencies to list apache2 as the first of the
  series of apache-providing packages, and likewise reordered the
  php/apache modules (closes: #356843).
* updated version of 08_official-mysql_5x_strict.dpatch which fixes
  the breakage in ldap authentication reported by Matt Clauson, thanks.
  (closes: #354663)

Author: John Dong
Revision Date: 2006-08-29 18:17:32 UTC

Automated backport upload; no source changes.

Author: Brian Thomason
Revision Date: 2009-02-05 00:16:46 UTC

* SECURITY UPDATE: (LP: #164072)
  + CVE-2007-6035: SQL injection vulnerability in Cacti before 0.8.7a allows
    remote attackers to execute arbitrary SQL commands via unspecified
    vectors.
  + CVE-2007-3112: Cacti 0.8.6i, and possibly other versions, allows remote
    authenticated users to cause a denial of service (CPU consumption) via a large
    value of the (1) graph_start or (2) graph_end parameter.
  + CVE-2007-3113: Cacti 0.8.6i, and possibly other versions, allows remote
    authenticated users to cause a denial of service (CPU consumption) via a large
    value of the (1) graph_height or (2) graph_width parameter.
* debian/patches/10_CVE-2007-6035.dpatch:
  - Applied patch by upstream (Based on patch by Stephan Hermann)
  - Link: http://www.cacti.net/downloads/patches/0.8.6j/sec_sql_injection-0.8.6j.patch
* debian/patches/10_CVE-2007-3112+CVE-2007-3113.dpatch:
  - Applied patch by upstream (Based on patch by Stephan Hermann)
  - Link: http://svn.cacti.net/cgi-bin/viewvc.cgi/cacti/branches/0.8.7/graph_image.php?r1=3898&r2=3956&view=patch
* References:
  CVE-2007-6035
  CVE-2007-3112
  CVE-2007-3113

Author: Steve Kowalik
Revision Date: 2006-04-30 22:20:37 UTC

Install apache2 by default. (Malone: #29008)

Author: Brandon Hale
Revision Date: 2005-09-11 11:12:54 UTC

Migrate Depends: to php5

Author: Thorsten Sauter
Revision Date: 2004-09-11 00:18:12 UTC

Update pt_BR, nl debconf translations. (Closes: #270277, #270787)

Author: Thorsten Sauter
Revision Date: 2004-06-22 23:26:17 UTC

* Change package priority to extra.
* Change cronjob. The output of the poller job is now appended to the
  logfile
* Update french debconf translation: fr.po. (Closes: #253585)
* Add debconf translation: pt_BR.po. Don't know, which language
  this is :-) (Closes: #252021, #252017)
* Backport cacti cvs fix (#0000176) into debian version. This will fix
  compatiblity problem with the output of the df command and long device
  names. (Closes: #254856)

Author: Sean Finney
Revision Date: 2009-03-29 17:51:10 UTC

* Imported Upstream version 0.8.7d
* update/massage/remove patches for new upstream release
* import new "official" patches for 0.8.7d
* remove obsolete dependencies on php4 packages (Closes: #514342)
* update default apache config php options (Closes: #459594)
* add Homepage field to control file (Closes: #494811)
* add Suggests: php5-ldap for ldap authentication (Closes: #496854) -
  thanks to Paul Nijjar <paul_nijjar@yahoo.ca>
* call ucf with --debconf-ok in postinst
* copy cli directory to /usr/share/cacti (Closes: #483556)
* add gbp.conf for git-buildpackage and friends