(net/cacti) Updated 1.2.7 to 1.2.11

1.2.11
-security#1566: Add SameSite support for cookies
-security#1985: Cookie should be properly verified against password
-security#3342: CSRF at Admin Email
-security#3343: Improper Access Control on disabling a user.
-security#3414: Update to jQuery 3.4.1 to resolve XSS issues with jQuery 3.3.1
-issue#2265: When attempting to save Graph field, query_ifSpeed is not properly validated
-issue#2400: Allow ability to duplicate site settings
-issue#2428: Make plugins non-case sensitive for folder names, whilst allowing nicer display names
-issue#2580: When running DSSTATS, system isn't properly detecting that another is already running
-issue#2853: Discovered Devices filtering do not include snmp description or name
-issue#3231: Allow user to unlock a tree that has been locked for editing by another
-issue#3237: Report gets resent every poller cycle
-issue#3247: Language source files do not update "PO-Revision-Date" attribute
-issue#3261: Automation rules aren't run for new devices on remote data collectors
-issue#3296: Bad PHP memory limit values can result in failed upgrades
-issue#3299: When using php-snmp and setting SNMPv3, warning is now shown as library does not support it properly
-issue#3303: When installing under Windows OS, path expansion is not converted to PHP required format
-issue#3310: When using 32-bit OS, automation errors can be seen due to subnet mask calculations
-issue#3312: Console menu does not auto-expand for graph item editor page
-issue#3313: When installing, multiple issues can be seen due to bad packages
-issue#3314: Script Server has invalid debug code left in
-issue#3317: Warnings can appear from CSRF Magic library due to multiple token values being found
-issue#3319: Errors can occur upgrading from 0.8.x due to incorrectly detected data source profile id
-issue#3322: When searching for LDAP accounts, allow recursive searching
-issue#3330: Packages that are not properly formatted can cause installation issues
-issue#3334: When upgrading from 0.8.x Automation SNMP Options should be populated
-issue#3335: Unable to hide Device based Aggregate Graphs on Tree
-issue#3336: Plugins need the ability to relax some content security policies in order to work properly
-issue#3340: Undefined variable warning can appear when using 95th percentile graphs
-issue#3341: MoTranslator does not appear to be handing null values properly
-issue#3345: When attempting to refresh datetime picker, unexpected results can appear
-issue#3346: When attempting to rewrite octet strings, extra space breaks pattern matching
-issue#3348: When attempting to handle Orphans and/or Sync Graphs, results are not as expected
-issue#3349: Prevent setting the PHP variable max_input_vars since it is read only
-issue#3350: When editing a data source template, inconsistent results can be seen due to database query
-issue#3355: When viewing raw graph data via the GUI, values are not always calculated correctly
-issue#3357: Tree Search textbox resizes to 0 in some cases
-issue#3360: When using guest accounts, after several timeouts result in refreshes, guest becomes logged out
-issue#3363: The current user and user group permissions pages are not responsive
-issue#3367: When Data Queries timeout, data is removed from the Host SNMP Cache table causing issues
-issue#3368: Saving a Graph Template Item fails due to missing includes
-issue#3373: When logging in via LDAP, ActiveDirectory would sometimes report insufficient access
-issue#3375: When polling more often than default period of collecting data, distribution of collected data was not occurring
-issue#3376: Improve speed when recovering from a poller from offline state
-issue#3378: When attempting to check whether to include MoTranslator, typo makes it appear unavailable
-issue#3380: php error when trigger threshold sendmail
-issue#3386: Second data collector shows as running when its has no items to gather
-issue#3387: Minor corrections to CSRF Magic
-issue#3388: Naming of CLI programs does not always match name used within syntax usage advice
-issue#3390: Incorrect breadcrumb bar if current tab is not "Graphs"
-issue#3402: Cacti scores low on performance audit on lighthouse audit
-issue#3408: CSRF Secret path is not passed properly when attempting to initialize secret
-issue#3409: Issues with navigation link activations to other base Cacti pages
-issue#3410: Zoom looses focus in advanced mode while crossing chart border
-issue#3411: When upgrading a primary server, full synchronization is not happening as expected
-issue#3412: When upgrading a primary server, automation templates are removed
-issue#3413: When upgrading and choosing to upgrade your packages, installer finishes without package data in log
-feature#1551: Allow system uptime to be a variable for use with graphs
-feature#1990: Plugin Realm should have a 'role' to help maintain changes between plugins
-feature#2110: Add Refresh Interval to Data Collectors display
-feature#2156: Add Location based filtering
-feature#2236: Allow for Purging of Data Source Statistics from the GUI
-feature#2268: Restore ability to duplicate a data profile
-feature#2534: Enhance table navigation bars to support systems with larger number of items
-feature#2688: Increase length of Graph Item 'value' field to support pango-markup better
-feature#3304: Allow Basic Auth Accounts to be mapped by CSV file
-feature#3366: Make form elements under checkbox_groups flow using flex grid style
-feature#3374: Set the domain attribute to secure cookies for the 'remember me' option
-feature#3403: Enhance the "Graph Debug Mode" to display RRDtool Command lengths and excess warnings

1.2.10
-security#3285: When guest users have access to realtime graphs, remote code could be executed (CVE-2020-8813)
-issue#3240: When using User Domains, global template user is used instead of the configured domain template user
-issue#3245: Unix timestamps after Sep 13 2020 are rejected as graph start/end arguments
-issue#3246: When upgrading with remote collectors, sync status does not always return properly
-issue#3250: When PHP memory limit is set to -1, recommendation value fails
-issue#3253: Upgrade can stall when checking permissions on csrf-secret.php
-issue#3254: Installer shows script owner rather than running user for suggested chown command
-issue#3266: When setting User Groups to 'Defer to the User', setting can lead to user being told they have no permissions
-issue#3269: When searching Graphs under a Chinese language, an unexpected error as sometimes shown
-issue#3274: When editing a tree, multiple device drag/drop does not work
-issue#3276: When spine aborts, script server can be left wanting or generating unnecessary logs
-issue#3277: When boost does not find an initial time, numeric errors can be raised
-issue#3281: When changing Graph Template options, incorrect image format may be selected
-issue#3282: Graph's can be sized incorrectly if image is SVG format
-issue#3283: When setting a file path, valid characters not recognised properly
-issue#3287: When using graph template 'Cacti Stats - User Logins', an incorrect count of invalid users can be seen
-issue#3288: When on Device page, pressing 'Go' on the filter caused Device New menu pick to appear
-issue#3289: When using CMD.PHP, poller id is not always shown properly
-issue#3290: When using CMD.PHP, inconsistent device logging levels may occur
-issue#3298: When initialising fields in JavaScript, text/textarea elements have width set to zero if it is hidden by parent
-issue#3302: Editing a Graph Template does not show the Data Template name

1.2.9
-security#3191: Lack of escaping on some pages can lead to XSS exposure (CVE-2020-7106)
-security#3201: Remote Code Execution due to input validation failure in Performance Boost Debug Log (CVE-2020-7237)
-issue#2937: Devices still show in lists despite being deleted
-issue#3038: When editing an aggregate on smaller screens, layout may not be correct
-issue#3136: Upgrade may fail between 1.2.7 and 1.2.8 if incompatible database format used
-issue#3142: Chrome sets graphs tree navigation view to width 0px
-issue#3146: Unable to create aggregate graphs on new installations
-issue#3149: After refresh of page, tooltips stop working
-issue#3150: When using Time Graph View, Zooming can cause errors
-issue#3151: Passing glue string after array is deprecated in PHP 7.4
-issue#3155: Aggregate does not correctly follow color template when reordered
-issue#3156: On new installs, gprint_format was missing from table aggregate_graphs
-issue#3157: Back button not working properly with Classic theme
-issue#3158: Classic theme show only 3 tabs on mobile device. Don't show Console menu
-issue#3159: PHP Memory is not correctly identified when value is not in megabytes
-issue#3161: When the poller_output_boost table is missing, recreate it before a poller run
-issue#3163: When using RPMlint, Free Software Foundation address is shown to be incorrect
-issue#3165: Zoom looses its focus after all graphs on page rendered
-issue#3166: When changing zoom level, graphs are resized inappropriately at the end
-issue#3167: Installer should initialize the csrf-secret.php file automatically
-issue#3168: sqltable_to_php.php script does not pick up row_format
-issue#3177: Remove legacy plugin hook that presents potential 3rd party security issues
-issue#3178: The change password page is not displaying the rules
-issue#3180: Receiving undefined index errors when working with some Data Queries
-issue#3181: When configuration file is unreadable, Cacti shows database connection errors if non defaults are needed
-issue#3182: When a database connection error occurs, there is no way to report actual error
-issue#3184: Improve program path detection by using system path and PHP_BINDIR
-issue#3193: Starting with MySQL 5.7 some sql_mode variables are required for some plugins
-issue#3196: Minimize use of eval() in JavaScript due to emerging Content-Security-Context guidelines
-issue#3200: Unable to mass change Graph Template image format in mass
-issue#3206: Converted aggregate graph cannot be edited
-issue#3209: Error occurs when Creating New Graphs through Automatically Added Devices using Sync Device Template
-issue#3216: When editing a Data Source Profile size is shown as 'N/A'
-issue#3224: When removing graphs by command line, regex is not properly validated when empty
-issue#3225: Unable to Import Templates due to invalid dependency hash
-issue#3226: When processing secpass login, failed logins are not recorded
-issue#3228: Login page does not remember the last realm used by user
-issue#3232: When editing HRULE and VRULE items, color selector was not presented
-issue#3233: When working with non-templated graphs, it can be difficult to determine what items represent
-issue#3235: Transient errors may occur with table poller_output_boost_arch

1.2.8
-security#3025: CVE-2019-17357 When viewing graphs, some input variables are not properly checked (SQL injection possible)
-security#3026: CVE-2019-17358 When deserializating data, ensure basic sanitization has been performed
-security#3066: When using HTTPS, secure cookie to prevent potential weakness
-issue#1228: Any tree or branch with a long name force main content off screen
-issue#2133: Long snmp_indexes are being cut off
-issue#2888: Long hostnames cause template filter to go off page
-issue#2987: Changing Color Template does not update Aggregate
-issue#2989: Allow Remote Data Collectors to maintain their own path variables
-issue#2991: Cacti Statistics device template can generate unexpected errors
-issue#2995: When editing a report, column setting may be ignored incorrectly
-issue#2996: When editing a user, graph options do not properly reflect previously saved settings
-issue#2998: Session performance issues due to excessive use for database storage
-issue#2999: Blank arguments can lead to extra spaces in script arguments
-issue#3006: Boost generates undefined variables warning during poller run
-issue#3011: i18n logging does not check write permission exists
-issue#3012: When viewing realtime graphs, some input variables are not properly checked
-issue#3013: Allow legends to be modified for Aggregate Graphs
-issue#3017: Automation network range with spaces fails validation
-issue#3019: User selected language is not always adhered to
-issue#3021: Tree view cuts off at the bottom of page on modern theme
-issue#3023: When clicking highlighted tab, side panel is not always shown/hidden correctly
-issue#3027: Aggregate Graph re-ordering does not work
-issue#3028: When zooming a graph, unable to reach edge of graph without losing focus
-issue#3030: Pace continues to run even after a page is finished rendering
-issue#3032: Graphs may select MAX instead of AVERAGE as consolidation function even if there is no item with MAX present.
-issue#3035: When editing a tree, can not remove entries due to CSS bug
-issue#3037: When emptying poller output using cli, debug functions are not properly included
-issue#3039: Allow packagers to be able to specify an alternate location of csrf-secret.php file
-issue#3040: When running automation, discovery can still run even if cancelled
-issue#3041: When running automation, scans do not always respond to being cancelled
-issue#3042: When running automation, scan can fail when selecting remote pollers
-issue#3045: When viewing Aggregate Graphs, an error due to undefined referrer may occur
-issue#3047: When saving settings, ignore remote pollers who have not checked in recently
-issue#3050: When viewing graph trees, some input variables are not properly checked
-issue#3052: When editing CDEF's, slow database performance can occur
-issue#3053: When viewing graph thumbnails, some input variables are not properly checked
-issue#3055: During install/upgrade, database tests are not performed correctly
-issue#3059: When using nth_percentile, correct value is not always returned if using MAX consolidation
-issue#3060: When upgrading from older MySQL databases, format is not changed from compact to dynamic
-issue#3061: When running automation, allow SNMP to be used as a ping method
-issue#3068: When administrating users, some input variables are not properly checked
-issue#3070: Improve database logging when a crashed table is encountered
-issue#3073: Automation network range does not always produce the correct start/end values
-issue#3078: When viewing graph debug from remote data collector, File Not Found warnings can appear incorrectly
-issue#3079: Allow domain names to be stripped from a device's long description
-issue#3080: Remote Agent throws warnings that graph_nolegend has not been sanitized
-issue#3085: When editing a poller, ensure each listening IP is unique
-issue#3081: External Links are not showing a glyph when they appear on the Console menu
-issue#3089: When viewing graphs in realtime, undefined variable can be logged for 95th Percentile graphs
-issue#3099: Graph template 'Linux - Memory Usage' has the wrong unit on its vertical_label
-issue#3101: Polling times can be slightly inconsistent due
-issue#3104: When viewing graphs, a byref error can be seen in the error logs
-issue#3105: When viewing hosts, some input variables are not properly checked
-issue#3111: When adding devices via command line, bad SNMP versions are not reported
-issue#3112: When zooming on Graphs, too many requests are being made causing slowness
-issue#3114: Support for USB devices that change name due to their hosts restarting
-issue#3118: When converting tables, the dynamic row format should be selected
-issue#3119: Main Data Collector should perform a Full Sync whenever it is installed/upgraded
-issue#3120: Correct issues causing incompatibility with PHP 7.4
-issue#3121: When converting tables during install, show what will be changed
-issue#3123: Named colors table is not properly imported/upgraded
-issue#3124: When a second data collector is added, boost is not enabled automatically
-issue#3128: i18n handler checks for existence of wrong mo file
-issue#3129: Logout repeated occurs even when already logged out
-issue#3132: Installer fails to continue if automation range is array of networks
-issue#3098: Support percent sign(%) in graph gprint item like legend area.
-feature#3077: Allow disabling remote poller resource cache replication to support upgrade testing

4 files changed, 28 insertions, 20 deletions

diff --git a/net/cacti/Makefile b/net/cacti/Makefile
index e0841e70be2..f180caa3537 100644
--- a/net/cacti/Makefile
+++ b/net/cacti/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.46 2020/04/21 13:42:52 mef Exp $
+# $NetBSD: Makefile,v 1.47 2020/04/21 13:55:21 mef Exp $
 
-DISTNAME=	cacti-1.2.7
+DISTNAME=	cacti-1.2.11
 CATEGORIES=	net
 MASTER_SITES=	https://www.cacti.net/downloads/
 
diff --git a/net/cacti/PLIST b/net/cacti/PLIST
index 6f3d4042455..7b383369b3c 100644
--- a/net/cacti/PLIST
+++ b/net/cacti/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.10 2020/04/21 13:42:52 mef Exp $
+@comment $NetBSD: PLIST,v 1.11 2020/04/21 13:55:21 mef Exp $
 bin/cacti-poller
 share/cacti/CHANGELOG
 share/cacti/LICENSE
@@ -113,6 +113,7 @@ share/cacti/docs/Graphs.html
 share/cacti/docs/How-To-Data-Query-Templates.html
 share/cacti/docs/How-To-Determine-Template-Version.html
 share/cacti/docs/How-To-SSH-Tunnels.html
+share/cacti/docs/How-To-Setup-Remote-Pollers.html
 share/cacti/docs/How-to-Graph-Your-Network.html
 share/cacti/docs/How-to-Graph-a-Custom-Collection-Script.html
 share/cacti/docs/Import-Template.html
@@ -130,6 +131,7 @@ share/cacti/docs/Plugin-Reference.html
 share/cacti/docs/Plugins.html
 share/cacti/docs/Principles-of-Operation.html
 share/cacti/docs/RRDTool-Specific-Features.html
+share/cacti/docs/RRDproxy.html
 share/cacti/docs/Requirements.html
 share/cacti/docs/SNMP-Data-Queries-Walkthrough.html
 share/cacti/docs/SNMP-New-Data-Query-Walkthrough.html
@@ -595,6 +597,7 @@ share/cacti/include/content/basic-example.html
 share/cacti/include/content/iframe-example.html
 share/cacti/include/content/index.php
 share/cacti/include/content/php-example.html
+share/cacti/include/csrf.php
 share/cacti/include/fa/css/fontawesome.css
 share/cacti/include/fa/css/index.php
 share/cacti/include/fa/index.php
@@ -789,7 +792,6 @@ share/cacti/include/js/jquery.cookie.js
 share/cacti/include/js/jquery.dropdown.js
 share/cacti/include/js/jquery.hotkeys.js
 share/cacti/include/js/jquery.js
-share/cacti/include/js/jquery.metadata.js
 share/cacti/include/js/jquery.multiselect.filter.js
 share/cacti/include/js/jquery.multiselect.js
 share/cacti/include/js/jquery.sparkline.js
@@ -1150,9 +1152,10 @@ share/cacti/include/vendor/cldr-to-gettext-plural-rules/src/cldr-data/supplement
 share/cacti/include/vendor/cldr-to-gettext-plural-rules/tests/Get/GetTest.php
 share/cacti/include/vendor/cldr-to-gettext-plural-rules/tests/Rules/RulesTest.php
 share/cacti/include/vendor/cldr-to-gettext-plural-rules/tests/bootstrap.php
-share/cacti/include/vendor/csrf/LICENSE
-share/cacti/include/vendor/csrf/NEWS
-share/cacti/include/vendor/csrf/README
+share/cacti/include/vendor/csrf/LICENSE.txt
+share/cacti/include/vendor/csrf/NEWS.md
+share/cacti/include/vendor/csrf/README.md
+share/cacti/include/vendor/csrf/csrf-conf.php
 share/cacti/include/vendor/csrf/csrf-magic.js
 share/cacti/include/vendor/csrf/csrf-magic.php
 share/cacti/include/vendor/csrf/index.php
@@ -1937,6 +1940,7 @@ share/cacti/include/vendor/phpmailer/composer.json
 share/cacti/include/vendor/phpmailer/get_oauth_token.php
 share/cacti/include/vendor/phpmailer/index.php
 share/cacti/include/vendor/phpmailer/language/index.php
+share/cacti/include/vendor/phpmailer/language/phpmailer.lang-af.php
 share/cacti/include/vendor/phpmailer/language/phpmailer.lang-am.php
 share/cacti/include/vendor/phpmailer/language/phpmailer.lang-ar.php
 share/cacti/include/vendor/phpmailer/language/phpmailer.lang-az.php
@@ -2091,10 +2095,12 @@ share/cacti/install/upgrades/1_1_7.php
 share/cacti/install/upgrades/1_1_8.php
 share/cacti/install/upgrades/1_2_0.php
 share/cacti/install/upgrades/1_2_1.php
+share/cacti/install/upgrades/1_2_11.php
 share/cacti/install/upgrades/1_2_2.php
 share/cacti/install/upgrades/1_2_3.php
 share/cacti/install/upgrades/1_2_5.php
 share/cacti/install/upgrades/1_2_7.php
+share/cacti/install/upgrades/1_2_8.php
 share/cacti/install/upgrades/index.php
 share/cacti/lib/aggregate.php
 share/cacti/lib/api_aggregate.php
@@ -2242,6 +2248,7 @@ share/cacti/rra/.htaccess
 share/cacti/rrdcleaner.php
 share/cacti/script_server.php
 share/cacti/scripts/3com_cable_modem.pl
+share/cacti/scripts/cacti_user_stats.php
 share/cacti/scripts/diskfree.pl
 share/cacti/scripts/diskfree.sh
 share/cacti/scripts/freebsd_memory.pl
diff --git a/net/cacti/distinfo b/net/cacti/distinfo
index 51db39bd58b..074696293c7 100644
--- a/net/cacti/distinfo
+++ b/net/cacti/distinfo
@@ -1,14 +1,14 @@
-$NetBSD: distinfo,v 1.11 2020/04/21 13:42:52 mef Exp $
+$NetBSD: distinfo,v 1.12 2020/04/21 13:55:22 mef Exp $
 
-SHA1 (cacti-1.2.7.tar.gz) = ed2b24c0443d573ecba8686764fb1fd5f2dbb95c
-RMD160 (cacti-1.2.7.tar.gz) = d9a231d07f9994b1213bee326068836bff77bdba
-SHA512 (cacti-1.2.7.tar.gz) = 2fc31342aa23b4fa98e6f3cf6b7e42f8cf98f272232a1bceb1b256b2104ea26445c1be1c1ff83bf20d293a3c1e7a21eb3a871623f78069aea9b21151ac57a243
-Size (cacti-1.2.7.tar.gz) = 24819135 bytes
+SHA1 (cacti-1.2.11.tar.gz) = 8a9893b72b7960dbe39d45c40f573769156a4fc6
+RMD160 (cacti-1.2.11.tar.gz) = ed0aab796d58a1781d7c5fe6195b61ef63d065fe
+SHA512 (cacti-1.2.11.tar.gz) = ab8a856fde55f405314fe0ec1eccccfb78105181fc081dcc04091963b08777550182867b45daea4f630f19dbb538ad7ca5c62f2dac9cd867524dfef113e2a220
+Size (cacti-1.2.11.tar.gz) = 25099698 bytes
 SHA1 (patch-cacti.sql) = 7bdfe92fc5254762ec4f75019ca380754f5867d5
 SHA1 (patch-cli_install__cacti.php) = 76d6fc73607902d1863fdc54c4c98171c2817454
 SHA1 (patch-include_global.php) = c115a912c63617a4821690829b46ba7350e03c6b
 SHA1 (patch-include_global__settings.php) = e65425a6564541aa578366454a6a4cd5f8db3afc
-SHA1 (patch-install_functions.php) = dcfc37ca08fdd32b779c1f490bf1ef0bb3f7dc9e
+SHA1 (patch-install_functions.php) = 94847ef9325caeae2d8da6d8ca4af376e0b5c9e7
 SHA1 (patch-lib_clog__webapi.php) = f17084d66ef21c4315547c389da6d94795ceeed8
 SHA1 (patch-lib_functions.php) = c29ce98afd2a865d3f307b25003af10bc9e8b13e
 SHA1 (patch-lib_installer.php) = 8406eb68e394b993246519188ecce9300a173c85
diff --git a/net/cacti/patches/patch-install_functions.php b/net/cacti/patches/patch-install_functions.php
index 81e22325313..87429b43853 100644
--- a/net/cacti/patches/patch-install_functions.php
+++ b/net/cacti/patches/patch-install_functions.php
@@ -1,14 +1,14 @@
-$NetBSD: patch-install_functions.php,v 1.2 2020/04/21 13:42:52 mef Exp $
+$NetBSD: patch-install_functions.php,v 1.3 2020/04/21 13:55:22 mef Exp $
 
 Find utilites in PREFIX first.
 Make log directory configurable by package variable
 
---- install/functions.php.orig	2019-09-30 03:36:29.000000000 +0900
-+++ install/functions.php	2020-04-21 22:16:27.694372184 +0900
-@@ -298,8 +298,8 @@ function find_best_path($binary_name) {
- 		);
- 	} else {
- 		$search_paths = array(
+--- install/functions.php.orig	2020-04-06 11:14:20.000000000 +0900
++++ install/functions.php	2020-04-21 22:46:24.419734842 +0900
+@@ -374,8 +374,8 @@ function find_search_paths($os = 'unix')
+ 		$search_suffix = ':';
+ 		$search_slash  = '';
+ 		$search_paths  = array(
 -			'/bin',
 -			'/sbin',
 +			'@PREFIX@/bin',
@@ -101,3 +101,4 @@ Make log directory configurable by package variable
 +		file_put_contents('@CACTI_LOGDIR@' . '/install-complete.log', sprintf($format_log2, $day, $time, $sectionname, $levelname, $data, PHP_EOL), $flags);
  	}
  }
+