Bug 47998

Summary: univention-web / dojox: Security vulnerability (4.2)
Product: UCS
Reporter: Philipp Hahn <hahn>
Component: UMC (Generic)
Assignee: Ole Schwiegert <schwiegert>
Status: CLOSED FIXED
QA Contact: Johannes Keiser <keiser>
Severity: normal
Priority: P2
CC: damrose, keiser, schwiegert
Version: UCS 4.2
Target Milestone: UCS 4.2-5-errata
Hardware: All
OS: Linux
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Description Philipp Hahn univentionstaff 2018-10-16 08:57:47 CEST
All versions of univention-web since UCS-4.2 contain a vulnerable version of DojoX:

CVE-2018-15494: In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid

Debian fixed it for Jessie with <https://lists.debian.org/debian-lts-announce/2018/09/msg00002.html>, which is included in UCS-4.2-5, but univention-web contains its own unfixed version!

+++ This bug was initially created as a clone of Bug #47997 +++
Comment 1 Ole Schwiegert univentionstaff 2018-11-07 11:36:53 CET
Package: univention-dojo
Version: 10.0.1-1A~4.2.0.201811071125
Branch: ucs_4.2-0
Scope: errata4.2-5

Package: univention-web
Version: 1.0.42-68A~4.2.0.201811071131
Branch: ucs_4.2-0
Scope: errata4.2-5

Bumped dojo version to 1.12.4
Added ca-certificates to build-deps of univention-dojo
Comment 2 Johannes Keiser univentionstaff 2018-11-22 09:58:53 CET
OK: security fix was backported to dojo 1.12.4. Version updated to 1.12.4. Fixes are present.
OK: No major changes since 1.12.1
OK: YAML
-> verified