Re: cacti vulnerabilities (CVE-2014-2708 and CVE-2014-2709)


  • From: Jason Zurawski <>
  • To: "" <>, perfsonar-announce <>
  • Cc: "" <>
  • Subject: Re: cacti vulnerabilities (CVE-2014-2708 and CVE-2014-2709)
  • Date: Wed, 16 Apr 2014 16:07:28 -0400

Greetings;

A patched version of the perfSONAR_PS-Toolkit package (v 3.3.2-15) is now
available via yum. This contains fixes for the aforementioned cacti CVEs.
Netinstall users should apply this immediately, and LiveCD users can continue
to use the workaround listed below.

Please let us know if you have any questions.

-jason

On Apr 14, 2014, at 10:55 PM, Jason Zurawski <> wrote:

> Greetings;
>
> The perfSONAR project was made aware of two CVEs related to the cacti
> software. More information is available by following these links:
>
> https://access.redhat.com/security/cve/CVE-2014-2708
> https://access.redhat.com/security/cve/CVE-2014-2709
>
> Users who have concerns about these bugs, in the interim before we can make
> a fix available, can apply the following changes to their nodes to prevent
> unauthenticated access to the data that cacti is collecting. Note this
> change works for both netinstall and LiveCD instances (and will survive a
> reboot):
>
> 1) As root (or via sudo), edit /etc/httpd/conf.d/apache-toolkit_web_gui.conf
>
> 2) Add this line (anywhere) in the file:
>
>     RewriteRule ^/toolkit/gui/cacti(.*) https://%{SERVER_NAME}/toolkit/admin/cacti$1 [R,L]
>
> 3) Restart apache (sudo /etc/init.d/httpd restart)
>
> We will be working to create a patched version of cacti, and will advise
> when a new package is available from our repositories for netinstall users.
> There are no plans to create a new LiveCD/LiveUSB image due to the
> specific use case that cacti presents, as well as the availability of a
> workaround listed above.
>
> Please relay any questions or concerns you may have to the developers
> mailing list ();
>
> -jason
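The workaround in the quoted message can be checked offline before and after it is applied. The script below is an added example for this archive page, not perfSONAR project code and not part of the announcement. It emulates what the RewriteRule does to sample request URIs under mod_rewrite's rules (the pattern is matched against the URL-path, case-sensitively since there is no NC flag; the query string is carried over since there is no QSD flag; R without a status code means a 302), audits a copy of the config file for a complete single-line rule with RewriteEngine On in scope, and includes a probe that asks a host for the old cacti path without following the redirect. The hostname ps.example.org, both config excerpts, the listening port used by the probe, and the assumption that /toolkit/admin/cacti sits behind the toolkit's own authentication (which is what the announcement implies by presenting the redirect as a fix for unauthenticated access) are constructed or assumed for the example.

```python
"""Offline check of the cacti redirect workaround.

Added example for this archive page; it is not perfSONAR project code.
It (1) emulates what the announced RewriteRule does to sample request
URIs, (2) audits a copy of the Apache config for the rule, and (3) offers
a live probe. The hostname ps.example.org and the config excerpts below are
constructed; the 302 status is mod_rewrite's default for the R flag.
"""
import http.client
import re

# The rule from the announcement, as one logical directive.
RULE_PATTERN = r"^/toolkit/gui/cacti(.*)"
RULE_TARGET = "https://%{SERVER_NAME}/toolkit/admin/cacti$1"

# Constructed excerpt of /etc/httpd/conf.d/apache-toolkit_web_gui.conf with
# the workaround applied. Whether the real file already carries
# "RewriteEngine On" is an assumption; the rule is inert without it.
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule ^/toolkit/gui/cacti(.*) https://%{SERVER_NAME}/toolkit/admin/cacti$1 [R,L]
"""

# The same directive broken across two lines, as a mail archive may render
# it. httpd treats the second line as an unknown directive and fails to start.
BROKEN_CONF = """\
RewriteEngine On
RewriteRule ^/toolkit/gui/cacti(.*)
https://%{SERVER_NAME}/toolkit/admin/cacti$1 [R,L]
"""


def redirect_target(request_uri, server_name):
    """Location the rule sends a client to, or None when it does not match.

    Emulates mod_rewrite in server/vhost context: the pattern is matched
    against the URL-path only (case-sensitively, since there is no NC flag),
    $1 is the captured remainder, %{SERVER_NAME} is the vhost name, and the
    original query string is appended because the rule has no QSD flag.
    """
    path, _, query = request_uri.partition("?")
    match = re.match(RULE_PATTERN, path)
    if match is None:
        return None
    location = RULE_TARGET.replace("%{SERVER_NAME}", server_name)
    location = location.replace("$1", match.group(1))
    if query:
        location += "?" + query
    return location


def audit_conf(conf_text):
    """Return a list of problems with the workaround in conf_text (empty is good).

    Checks that mod_rewrite is enabled in the file and that the cacti rule,
    its substitution and its flags sit on one physical line.
    """
    problems = []
    lines = [ln.strip() for ln in conf_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if not any(re.match(r"RewriteEngine\s+on$", ln, re.IGNORECASE) for ln in lines):
        problems.append("RewriteEngine On missing")
    rule_lines = [ln for ln in lines
                  if ln.startswith("RewriteRule") and "/toolkit/gui/cacti" in ln]
    if not rule_lines:
        problems.append("cacti RewriteRule missing")
    elif not any("/toolkit/admin/cacti" in ln and ln.endswith("[R,L]") for ln in rule_lines):
        problems.append("cacti RewriteRule is incomplete (split across lines?)")
    return problems


def probe(host, path="/toolkit/gui/cacti/", port=80, timeout=5):
    """Request the old cacti path without following redirects.

    Returns (status, location). With the workaround active this should be
    302 and a URL under https://<host>/toolkit/admin/cacti. Which port the
    toolkit listens on is an assumption; adjust port and connection class.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    for uri in ("/toolkit/gui/cacti",
                "/toolkit/gui/cacti/graph_view.php?action=tree",
                "/toolkit/admin/cacti/"):
        print(uri, "->", redirect_target(uri, "ps.example.org"))
    print("good conf:", audit_conf(SAMPLE_CONF) or "ok")
    print("broken conf:", audit_conf(BROKEN_CONF))
```

Run it as a script to see the sample mapping; call probe("your-host") from a machine with network access to see what a real node answers. The rule is a literal, case-sensitive prefix match on /toolkit/gui/cacti, so any other path that happens to serve the same cacti data (if one exists on a given install) would need its own rule.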


