Univention Bugzilla – Bug 47998
univention-web / dojox: Security vulnerability (4.2)
Last modified: 2018-11-28 12:29:34 CET
All versions of univention-web since UCS-4.2 contain a vulnerable version of DojoX:
CVE-2018-15494: In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
Debian fixed it for Jessie with <https://lists.debian.org/debian-lts-announce/2018/09/msg00002.html>, which is included in UCS-4.2-5, but univention-web contains its own unfixed version!
+++ This bug was initially created as a clone of Bug #47997 +++
Package: univention-dojo
Version: 10.0.1-1A~4.2.0.201811071125
Branch: ucs_4.2-0
Scope: errata4.2-5
Package: univention-web
Version: 1.0.42-68A~4.2.0.201811071131
Branch: ucs_4.2-0
Scope: errata4.2-5
Bumped dojo version to 1.12.4
Added ca-certificates to build-deps of univention-dojo
OK: security fix was backported to dojo 1.12.4. Version updated to 1.12.4. Fixes are present
OK: No major changes since 1.12.1
OK: YAML -> verified
<http://errata.software-univention.de/ucs/4.2/558.html>
<http://errata.software-univention.de/ucs/4.2/559.html>