Univention Bugzilla – Bug 52138
dojo 1.12.1: multiple issues (4.4)
Last modified: 2023-06-28 13:39:51 CEST
Debian Buster 10.6 contains a security update for this:

    | dojo [12] | Fix prototype pollution in deepCopy method [CVE-2020-5258] and in jqMix method [CVE-2020-5259] |

<https://security-tracker.debian.org/tracker/DLA-2139-1>

CVE-2020-5258 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) RedHat
CVE-2020-5259 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N) CNA
In UCS-4.4 srcpkg:dojo-1.10.2 is unmaintained.
In UCS-4.4 srcpkg:univention-dojo is used, which is based on dojo-release-1.12.4-src.tar.gz - it is affected:

<https://security-tracker.debian.org/tracker/CVE-2020-5258>
<https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2>
<https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d>

<https://security-tracker.debian.org/tracker/CVE-2020-5259>
<https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw>
<https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da>
univention-web.yaml
4e74baa269b2 | chore(univention-web): update advisory

univention-web (3.0.6-13)
87d9c0e8f083 | Bug #52138: integrate dojo patches for CVE-2020-5258, CVE-2020-5259

univention-dojo.yaml
4e74baa269b2 | chore(univention-web): update advisory

univention-dojo (12.0.0-4)
f9edda3b6f7d | Bug #52138: adjust patch hunks
ae9dce0c91c0 | Bug #52138: add patches for CVE-2020-5258, CVE-2020-5259
https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d and https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da were integrated.

QA:

    # apt download univention-web-js=3.0.6-13
    Get:1 http://omar.knut.univention.de/build2 ucs_4.4-0-errata4.4-9/all/ univention-web-js 3.0.6-13 [10.4 MB]
    Fetched 10.4 MB in 0s (50.4 MB/s)
    # dpkg -x univention-web-js_3.0.6-13_all.deb foo
    # grep __proto__ foo/usr/share/univention-web/js/dojo/request/util.js.uncompressed.js foo/usr/share/univention-web/js/dojox/jq.js.uncompressed.js
    foo/usr/share/univention-web/js/dojo/request/util.js.uncompressed.js:            if(name !== '__proto__' && tval !== sval){
    foo/usr/share/univention-web/js/dojox/jq.js.uncompressed.js:        if(x !== '__proto__ ' && ((tobj[x] === undefined || tobj[x] != props[x])) && props[x] !== undefined && obj != props[x]){
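To make concrete what the two integrated commits prevent, the following is an added example (not dojo's, dojox's or Univention's code, and not part of the comments on this bug). It reimplements the recursive-merge shape shared by deepCopy in dojo/request/util.js and jqMix in dojox/jq.js in a pre-patch and a patched form, and runs both against a constructed JSON payload carrying a "__proto__" key. The function names deepCopyVulnerable, deepCopyFixed, isMergeableObject and pollutes, and the PAYLOAD input, are all assumptions of this example.

```javascript
'use strict';
// Added example, not dojo's or Univention's code: a minimal recursive merge
// shaped like dojo's deepCopy / dojox jqMix, in a vulnerable and a patched
// form, run against constructed attacker input to show prototype pollution.

// Constructed payload. JSON.parse creates an *own* enumerable property named
// "__proto__" (an object literal would set the prototype instead), which is
// what untrusted JSON reaching a merge routine looks like in practice.
const PAYLOAD = JSON.parse(
  '{"__proto__": {"polluted": true}, "a": {"b": 1}}'
);

function isMergeableObject(v) {
  return v !== null && typeof v === 'object' &&
    !Array.isArray(v) && !(v instanceof Date) && !(v instanceof RegExp);
}

// Pre-patch shape (hypothetical reimplementation): every enumerable key of
// source is copied, and nested objects are merged in place. For the key
// "__proto__", target[name] resolves to Object.prototype, so the recursion
// writes the attacker's keys into the prototype shared by every object.
function deepCopyVulnerable(target, source) {
  for (const name in source) {
    const tval = target[name];
    const sval = source[name];
    if (tval !== sval) {
      if (isMergeableObject(tval) && isMergeableObject(sval)) {
        deepCopyVulnerable(tval, sval);
      } else {
        target[name] = sval;
      }
    }
  }
  return target;
}

// Patched shape: the same loop with the check the grep output above shows,
// name !== '__proto__', so that key is neither recursed into nor assigned.
function deepCopyFixed(target, source) {
  for (const name in source) {
    const tval = target[name];
    const sval = source[name];
    if (name !== '__proto__' && tval !== sval) {
      if (isMergeableObject(tval) && isMergeableObject(sval)) {
        deepCopyFixed(tval, sval);
      } else {
        target[name] = sval;
      }
    }
  }
  return target;
}

// Merges PAYLOAD into a fresh object and reports whether an unrelated,
// newly created object picked up the attacker's property afterwards.
// Object.prototype is restored so that later checks start from a clean state.
function pollutes(mergeFn) {
  const result = mergeFn({}, PAYLOAD);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, result };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable merge pollutes Object.prototype:',
    pollutes(deepCopyVulnerable).leaked);   // true
  console.log('patched merge pollutes Object.prototype:',
    pollutes(deepCopyFixed).leaked);        // false
}
```

Two practical notes. First, the grep output in the comment above shows the dojox/jq.js condition as `x !== '__proto__ '` with a space before the closing quote; if that space is really present in the shipped file rather than a copy artifact of this page, the string comparison can never match and the check would be a no-op, so it is worth confirming byte-for-byte against the installed jq.js. Second, the patch only rejects the "__proto__" key, which is sufficient for merges that recurse exclusively into plain objects, as both deepCopy and the example do; a merge that also descends into functions would additionally need to refuse "constructor" and "prototype", since `target.constructor.prototype` is another path to Object.prototype.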
QA:
- patches contain the mentioned security updates: OK
- univention-web-js=3.0.6-13 installable: OK
- no tracebacks / errors related to changes in logfiles: OK
- advisories: OK
<https://errata.software-univention.de/#/?erratum=4.4x1410>