Bug 43054

Summary: unsecure remote resource loading in css
Product: UCS
Reporter: Nico Stöckigt <stoeckigt>
Component: UMC (Generic)
Assignee: Jürn Brodersen <brodersen>
Status: CLOSED FIXED
QA Contact: Alexander Kläser <klaeser>
Severity: normal
Priority: P5
CC: best, brodersen
Version: UCS 4.1
Target Milestone: UCS 4.1-4-errata
Hardware: Other
OS: Linux
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016112521000141
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 43055
Attachments: Patchfile for the umc.css

Description Nico Stöckigt univentionstaff 2016-11-25 13:30:56 CET
Created attachment 8243 [details]
Patchfile for the umc.css

In file /usr/share/univention-management-console-frontend/js/dijit/themes/umc/umc.css line 10692 there is a CSS background attribute which loads an image from demo.univention.de which is used for statistics. Unfortunately this image is loaded via http instead of https, so it will break the secure context of the website.

Attached is a patch file to correct that behavior in a productive environment.
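A defender-side check for the class of problem the report describes, added here as an illustration and not part of the bug, its attached patch, or any UCS package: it scans a stylesheet for `url(...)` references, flags absolute `http://` URLs (which a browser treats as mixed content on an https page) and, separately, lists every absolute external URL so that a reviewer can confirm each one is intentional rather than a stray development host. The CSS sample and the hostnames in it are constructed placeholders.

```python
import re

# Constructed sample stylesheet: one rule with an absolute http:// image (the
# pattern the report describes), one https:// external, one relative path and
# one scheme-relative URL. Hostnames are placeholders, not real services.
SAMPLE_CSS = """
.umcMobileMenu {
    background: url(http://demo.example.invalid/stats/pixel.png) no-repeat;
}
.umcHeader {
    background-image: url("https://cdn.example.invalid/logo.png");
}
.umcLogo {
    background: url('../images/logo.svg') no-repeat;
}
.umcSchemeRelative {
    background: url(//static.example.invalid/bg.png);
}
"""

# Matches url(...) with an optional matching single or double quote around the
# reference; group 2 is the URL itself without quotes.
URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")]+)\1\s*\)""", re.IGNORECASE)


def find_css_urls(css):
    """Return a list of (line_number, url) for every url(...) in the stylesheet."""
    found = []
    for match in URL_RE.finditer(css):
        line_no = css.count("\n", 0, match.start()) + 1
        found.append((line_no, match.group(2).strip()))
    return found


def classify(url):
    """Classify a CSS reference by how it will be fetched."""
    lower = url.lower()
    if lower.startswith("http://"):
        return "insecure-absolute"   # plain-text fetch: mixed content on an https page
    if lower.startswith("https://"):
        return "secure-absolute"     # encrypted, but still an external dependency
    if lower.startswith("//"):
        return "scheme-relative"     # inherits the page scheme; external host
    if lower.startswith("data:"):
        return "data"                # inline, no network request
    return "relative"                # served from the same origin as the stylesheet


def find_mixed_content(css):
    """References that would be loaded over plain http from an https page."""
    return [(n, u) for n, u in find_css_urls(css) if classify(u) == "insecure-absolute"]


def find_external(css):
    """All references that reach a host other than the stylesheet's own origin."""
    external = {"insecure-absolute", "secure-absolute", "scheme-relative"}
    return [(n, u) for n, u in find_css_urls(css) if classify(u) in external]


def report(css):
    """Human-readable findings, one line per flagged reference."""
    lines = []
    for n, u in find_mixed_content(css):
        lines.append("line %d: MIXED CONTENT (http://): %s" % (n, u))
    for n, u in find_external(css):
        if classify(u) != "insecure-absolute":
            lines.append("line %d: external resource, confirm intended: %s" % (n, u))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CSS):
        print(line)
```

Running the block on a real theme file (`python3 scan_css.py < umc.css`, after replacing `SAMPLE_CSS` with the file contents) turns the manual find in the report into a repeatable pre-release check; anything in the "external" list is worth the same question Florian raises in comment 1, namely whether the resource should be local in the first place.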
Comment 1 Florian Best univentionstaff 2016-11-25 13:58:59 CET
I already created a bug for this somewhen but can't find it. It is wrong that we use demo.univention.de at all. The image should be the local file. It was a typo during development svn r68703 / Bug #38622.
Comment 2 Jürn Brodersen univentionstaff 2016-11-30 15:44:31 CET
r74836: Use local resource for mobile menu background image
Package: univention-management-console-frontend-theme
Version: 1.0.4-9.119.201611301539
Branch: ucs_4.1-0
Scope: errata4.1-4

r74838: yaml
Comment 3 Florian Best univentionstaff 2016-11-30 15:50:21 CET
Please merge to UCS 4.2.
The package changed to univention-web.
Comment 4 Jürn Brodersen univentionstaff 2016-11-30 16:03:21 CET
(In reply to Florian Best from comment #3)
> Please merge to UCS 4.2.
> The package changed to univention-web.

r74841
Comment 5 Florian Best univentionstaff 2016-11-30 16:06:08 CET
(In reply to Florian Best from comment #1)
> I already created a bug for this somewhen but can't find it. It is wrong
> that we use demo.univention.de at all. The image should be the local file.
> It was a typo during development svn r68703 / Bug #38622.

Ahh, I already fixed this in UCS 4.2 during Bug #42228 in svn r72272.
Comment 6 Jürn Brodersen univentionstaff 2016-11-30 16:14:25 CET
(In reply to Florian Best from comment #5)
> (In reply to Florian Best from comment #1)
> > I already created a bug for this somewhen but can't find it. It is wrong
> > that we use demo.univention.de at all. The image should be the local file.
> > It was a typo during development svn r68703 / Bug #38622.
> 
> Ahh, I already fixed this in UCS 4.2 during Bug #42228 in svn r72272.

For UCS 4.2:
All other images use relative URLs (at least in this file). This one is now relative, too.
r74842: Better changelog entry
Comment 7 Alexander Kläser univentionstaff 2016-11-30 19:22:19 CET
Change: OK.
YAML file: OK.
Merge to 4.2-0: OK

→ VERIFIED
Comment 8 Janek Walkenhorst univentionstaff 2016-12-01 16:27:15 CET
<http://errata.software-univention.de/ucs/4.1/350.html>