Bug 43055

Summary: unsecure remote resource loading in css
Product: UCS
Reporter: Nico Stöckigt <stoeckigt>
Component: UMC (Generic)
Assignee: UMC maintainers <umc-maintainers>
Status: CLOSED WONTFIX
QA Contact:
Severity: normal
Priority: P5
CC: best
Version: UCS 4.0
Target Milestone: UCS 4.0-x-errata
Hardware: Other
OS: Linux
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016112521000141
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on: 43054
Bug Blocks:

Description Nico Stöckigt univentionstaff 2016-11-25 13:35:30 CET
I think this should be "backported" to earlier versions...

+++ This bug was initially created as a clone of Bug #43054 +++

In the file /usr/share/univention-management-console-frontend/js/dijit/themes/umc/umc.css, line 10692, there is a CSS background attribute which loads an image from demo.univention.de which is used for statistics. Unfortunately, this image is loaded via HTTP instead of HTTPS, so it will break the secure context of the website.

Attached is a patch file to correct that behavior in a production environment.
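A check for the class of issue described above, as an added example that is not part of the original report or the UCS code base: it scans stylesheet text for `url()` and `@import` references fetched over plain `http://` and reports their line numbers. The function name, the sample stylesheet, and its hostnames are constructed for illustration.

```python
import re

# CSS comments are blanked first so commented-out rules are not reported.
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# url(...) with optional quotes, or @import "..." written without url().
_REF = re.compile(
    r"""url\(\s*(?P<q>['"]?)(?P<u>[^'")]*?)(?P=q)\s*\)"""
    r"""|@import\s+(?P<iq>['"])(?P<i>[^'"]+)(?P=iq)""",
    re.I,
)


def _blank_comments(css):
    # Replace comment text with spaces but keep newlines so line numbers stay valid.
    return _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), css)


def find_insecure_refs(css):
    """Return (line, url) for each resource the stylesheet loads over http://."""
    findings = []
    text = _blank_comments(css)
    for m in _REF.finditer(text):
        url = (m.group("u") or m.group("i") or "").strip()
        # Scheme comparison is case-insensitive; protocol-relative (//host/...)
        # and data: URLs are not flagged because they do not force plain HTTP.
        if url.lower().startswith("http://"):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, url))
    return findings


# Constructed sample stylesheet (hostnames are placeholders).
SAMPLE_CSS = """\
.a { background: url(http://stats.example.test/pixel.png) no-repeat; }
/* .old { background: url(http://stats.example.test/old.png); } */
.b { background-image: url("https://cdn.example.test/ok.png"); }
.c { background: url( 'HTTP://stats.example.test/upper.png' ); }
@import "http://fonts.example.test/f.css";
.d { background: url(//cdn.example.test/rel.png); }
.e { background: url(data:image/png;base64,AAAA); }
"""

if __name__ == "__main__":
    for line, url in find_insecure_refs(SAMPLE_CSS):
        print(f"line {line}: {url}")
```
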
Comment 1 Florian Best univentionstaff 2016-11-25 14:03:32 CET
UCS 4.0 is out of maintenance. This bug has no security impact.