Univention Bugzilla – Bug 47997
univention-web / dojox: Security vulnerability (4.3)
Last modified: 2018-12-05 14:39:22 CET
All versions of univention-web since UCS-4.2 contain a vulnerable version of DojoX: CVE-2018-15494: In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid. Debian fixed it for Jessie with <https://lists.debian.org/debian-lts-announce/2018/09/msg00002.html>, which is included in UCS-4.2-5, but univention-web contains its own unfixed version!
GitHub shows this unfixed security issue very proudly on the start page of UCS: <https://github.com/univention/univention-corporate-server>. AFAIK only for us internally, but it still does look very bad.
I could not determine any side effects when changing the version in package.json either.

I read the git logs from version 1.12.2 to 1.12.4 and could not find any changed features, only bugfixes and some additional features in dojo mobile.

I bumped the version of the dojo release used in univention-dojo from 1.12.2 to 1.12.4 and tested the UMC. I did not find any deviation from normal behavior.

After I put the 1.12.4 release on our large build file mirror I will apply the changes and prepare a new build for QA.
Created attachment 9719: patch
Package: univention-dojo
Version: 11.0.1-2A~4.3.0.201811070904
Branch: ucs_4.3-0
Scope: errata4.3-2

Package: univention-web
Version: 2.0.0-27A~4.3.0.201811061018
Branch: ucs_4.3-0
Scope: errata4.3-2

I had to disable the ssl certificate check for wget in the Makefile of univention-dojo for the build to work. Since there is also a checksum check it should be fine, but if someone knows of a way we can get the certificate of updates.univention.de into our build env I would be happy to do so.
(In reply to Ole Schwiegert from comment #4)
> I had to disable the ssl certificate check for wget in the Makefile of
> univention-dojo for the build to work. Since there is also a checksum check
> it should be fine, but if someone knows of a way we can get the certificate
> of updates.univention.de into our build env I would be happy to do so.

$ curl -v -I https://updates.software-univention.de/download/large-build-files/dojo/dojo-release-1.12.4-src.tar.gz
...
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Organization Validation Secure Server CA

$ cat management/univention-web/debian/control
...
Build-Depends: debhelper (>= 7.0.50~), ucslint-univention, univention-dojo, univention-dojo-dev, univention-config-dev, univention-management-console-dev, imagemagick, nodejs, librsvg2-bin, stylus, unzip, sed

- sed can be removed as it is "Essential: yes"
- wget should be added as it is not build-essential
- ca-certificates is missing: "wget Recommends: ca-certificates" only, and Recommends are not installed to satisfy Build-Depends.
Thanks for the help!

Package: univention-dojo
Version: 11.0.1-3A~4.3.0.201811071111
Branch: ucs_4.3-0
Scope: errata4.3-2

Added ca-certificates to build deps in univention-dojo and removed --no-check-certificate from Makefile again.
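The build-time download practice discussed in the two comments above, as an added example that is not the univention-dojo Makefile: fetch the release tarball with wget's certificate verification left on (which is why ca-certificates must be a build dependency) and verify a SHA-256 pinned in the repository, removing the file on any failure. The URL is the one quoted in the thread; the digest value is a placeholder because the page does not give it.

```shell
#!/bin/sh
# Added example, not Univention's code. Assumes wget and sha256sum are
# available and ca-certificates is installed (so no --no-check-certificate).

# check_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX, 1 otherwise.
check_sha256() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verified_fetch URL EXPECTED_HEX DEST
# Downloads with TLS verification enabled, then checks the pinned digest.
# A failed download or digest mismatch removes DEST so a later build step
# can never unpack a partial or tampered archive.
verified_fetch() {
    url="$1"
    expected="$2"
    dest="$3"
    if ! wget -q -O "$dest" "$url"; then
        echo "download failed (TLS, network or missing wget): $url" >&2
        rm -f "$dest"
        return 1
    fi
    if ! check_sha256 "$dest" "$expected"; then
        echo "checksum mismatch for $dest, removing it" >&2
        rm -f "$dest"
        return 1
    fi
    return 0
}

# Usage in a Makefile-style build step (digest is a placeholder, take the
# real value from the pinned checksum in the package source):
#   verified_fetch \
#     https://updates.software-univention.de/download/large-build-files/dojo/dojo-release-1.12.4-src.tar.gz \
#     PINNED_SHA256_FROM_REPO \
#     dojo-release-1.12.4-src.tar.gz
```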
(In reply to Ole Schwiegert from comment #2)
> I could not determine any side effects when changing the version in
> package.json either.
>
> I read the git logs from version 1.12.2 to 1.12.4 and could not find any
> changed features, only bugfixes and some additional features in dojo mobile.
>
> I bumped the version of the dojo release used in univention-dojo from 1.12.2
> to 1.12.4 and tested the UMC. I did not find any deviation from normal
> behavior.
>
> After I put the 1.12.4 release on our large build file mirror I apply the
> changes and prepare a new build for QA.

Hi Ole, why did you update to 1.12.4 while the vulnerability is in <1.14? I think it should be upgraded to 1.14.1.
The commit that fixes the vulnerability in question was backported to the 1.12 branch of dojo in my understanding: https://github.com/dojo/dojox/commit/6a402f7fb65bbb4655be1738249aa4ec799fb50d

To introduce as little change as possible and keep the QA effort for this manageable we decided not to switch to a new major version for now. Are there any significant reasons to switch all the way to dojo 1.14 at the moment?
The upgraded univention-dojo version is not in univention-web because univention-web was built before univention-dojo was built. Please make a version bump for univention-web.
Package: univention-web
Version: 2.0.0-28A~4.3.0.201811221119
Branch: ucs_4.3-0
Scope: errata4.3-2

Version bump
OK: security fix was backported to dojo 1.12.4. Version updated to 1.12.4. Fixes are present
OK: No major changes since 1.12.1
OK: YAML -> verified
<http://errata.software-univention.de/ucs/4.3/347.html> <http://errata.software-univention.de/ucs/4.3/348.html>