Univention Bugzilla – Full Text Bug Listing

| Field | Value |
|---|---|
| Summary | univention-web / dojox: Security vulnerability (4.3) |
| Product | UCS |
| Component | UMC (Generic) |
| Status | CLOSED FIXED |
| Severity | normal |
| Priority | P2 |
| Version | UCS 4.3 |
| Target Milestone | UCS 4.3-2-errata |
| Hardware | All |
| OS | Linux |
| Reporter | Philipp Hahn <hahn> |
| Assignee | Ole Schwiegert <schwiegert> |
| QA Contact | Johannes Keiser <keiser> |
| CC | best, keiser, schwiegert |
| What kind of report is it? | Security Issue |
| What type of bug is this? | --- |
| Who will be affected by this bug? | --- |
| How will those affected feel about the bug? | --- |
| User Pain | |
| Enterprise Customer affected? | |
| School Customer affected? | |
| ISV affected? | |
| Waiting Support | |
| Flags outvoted (downgraded) after PO Review | |
| Ticket number | |
| Bug group (optional) | |
| Max CVSS v3 score | 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |
| Attachments | patch |
Description
Philipp Hahn
2018-10-16 08:57:11 CEST

GitHub shows this unfixed security issue very proudly on the start-page of UCS: <https://github.com/univention/univention-corporate-server> AFAIK only for us internally, but still does look very bad.

Comment #2 (Ole Schwiegert)

I could not determine any side effects when changing the version in package.json either.

I read the git logs from version 1.12.2 to 1.12.4 and could not find any changed features, only bugfixes and some additional features in dojo mobile.

I bumped the version of the dojo release used in univention-dojo from 1.12.2 to 1.12.4 and tested the UMC. I did not find any deviation from normal behavior.

After I put the 1.12.4 release on our large build file mirror I apply the changes and prepare a new build for QA.

Comment

Created attachment 9719 [details]
patch

Comment #4 (Ole Schwiegert)

Package: univention-dojo
Version: 11.0.1-2A~4.3.0.201811070904
Branch: ucs_4.3-0
Scope: errata4.3-2

Package: univention-web
Version: 2.0.0-27A~4.3.0.201811061018
Branch: ucs_4.3-0
Scope: errata4.3-2

I had to disable the SSL certificate check for wget in the Makefile of univention-dojo for the build to work. Since there is also a checksum check it should be fine, but if someone knows of a way we can get the certificate of updates.univention.de into our build env I would be happy to do so.

Comment (reply to comment #4)

(In reply to Ole Schwiegert from comment #4)
> I had to disable the SSL certificate check for wget in the Makefile of
> univention-dojo for the build to work. Since there is also a checksum check
> it should be fine, but if someone knows of a way we can get the certificate
> of updates.univention.de into our build env I would be happy to do so.

```
$ curl -v -I https://updates.software-univention.de/download/large-build-files/dojo/dojo-release-1.12.4-src.tar.gz
...
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Organization Validation Secure Server CA
$ cat management/univention-web/debian/control
...
Build-Depends: debhelper (>= 7.0.50~), ucslint-univention, univention-dojo, univention-dojo-dev, univention-config-dev, univention-management-console-dev, imagemagick, nodejs, librsvg2-bin, stylus, unzip, sed
```

- sed can be removed as it is "Essential: yes"
- wget should be added as it is not build-essential
- ca-certificates is missing: "wget Recommends: ca-certificates" only, and Recommends are not installed to satisfy Build-Depends.

Comment

Thanks for the help!

Package: univention-dojo
Version: 11.0.1-3A~4.3.0.201811071111
Branch: ucs_4.3-0
Scope: errata4.3-2

Added ca-certificates to build deps in univention-dojo and removed --no-check-certificate from Makefile again.

Comment (reply to comment #2)

(In reply to Ole Schwiegert from comment #2)
> I could not determine any side effects when changing the version in
> package.json either.
>
> I read the git logs from version 1.12.2 to 1.12.4 and could not find any
> changed features, only bugfixes and some additional features in dojo mobile.
>
> I bumped the version of the dojo release used in univention-dojo from 1.12.2
> to 1.12.4 and tested the UMC. I did not find any deviation from normal
> behavior.
>
> After I put the 1.12.4 release on our large build file mirror I apply the
> changes and prepare a new build for QA.

Hi Ole, why did you update to 1.12.4 while the vulnerability is in <1.14? I think it should be upgraded to 1.14.1.

Comment

The commit that fixes the vulnerability in question was backported to the 1.12 branch of dojo in my understanding: https://github.com/dojo/dojox/commit/6a402f7fb65bbb4655be1738249aa4ec799fb50d

To introduce as little change as possible and keep the QA effort for this manageable we decided not to switch to a new major version for now. Are there any significant reasons to switch all the way to dojo 1.14 at the moment?

Comment

The upgraded univention-dojo version is not in univention-web because univention-web was built after univention-dojo was built. Please make a version bump for univention-web.

Comment

Package: univention-web
Version: 2.0.0-28A~4.3.0.201811221119
Branch: ucs_4.3-0
Scope: errata4.3-2

Version bump

Comment

OK: security fix was backported to dojo 1.12.4. Version updated to 1.12.4. Fixes are present
OK: No major changes since 1.12.1
OK: YAML -> verified
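The download step argued over in comments #4 and the reply to it (the temporary `--no-check-certificate` workaround, the checksum that was relied on, and the missing `ca-certificates` build dependency), as an added example that is not from the bug report or from the univention-dojo Makefile: a POSIX shell fetch step that keeps certificate validation on, so that a build environment without a CA bundle fails loudly instead of accepting whatever server answers for the host name, and that independently checks a SHA-256 pin kept in the build tree. The URL, file names, the hash algorithm and the digest of the constructed sample file are assumptions; the real Makefile's download logic and checksum type are not shown on the page.

```shell
#!/bin/sh
# Added example (not from the bug report or the univention-dojo Makefile):
# fetch a build input over HTTPS with certificate validation left ON and an
# independent SHA-256 pin, failing closed on either. URL, file names and the
# digest of the constructed sample below are assumptions for illustration.
set -eu

# verify_sha256 FILE EXPECTED_HEX -> exit 0 if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# fetch_verified URL DEST EXPECTED_HEX
# No --no-check-certificate: if the build environment lacks ca-certificates,
# wget cannot validate the chain and exits non-zero, so the build stops
# instead of silently trusting any server. The pin must live in the build
# tree (Makefile, debian/), never be fetched from the mirror it protects.
fetch_verified() {
    url=$1; dest=$2; expected=$3
    tmp="$dest.part"
    if ! wget -q --tries=1 --timeout=10 -O "$tmp" -- "$url"; then
        rm -f -- "$tmp"
        echo "download or TLS validation failed: $url" >&2
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f -- "$tmp"
        echo "checksum mismatch for $url" >&2
        return 1
    fi
    mv -- "$tmp" "$dest"
}

# Offline demonstration of the pin check on a constructed file (no network).
demo() {
    f=$(mktemp)
    printf 'constructed sample payload\n' > "$f"
    good=$(sha256sum "$f" | cut -d ' ' -f 1)
    verify_sha256 "$f" "$good" && echo "pin matches"
    verify_sha256 "$f" "$(printf '%064d' 0)" || echo "tampered file rejected"
    rm -f -- "$f"
}

demo
```

A pinned checksum does protect the integrity of the tarball even when TLS validation is off, which is the point made in comment #4, but only if the pin is committed alongside the build and the check runs before anything is unpacked; keeping validation on as well means a missing CA bundle is caught at build time rather than papered over, which is what adding `ca-certificates` to Build-Depends achieved here.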