[Wapt] Security release for WAPT 1.8.2 and WAPT 2.0
Denis CARDON
dcardon at tranquil.it
Thu 7 Oct 21:02:09 CEST 2021
Hello,
A security release for Wapt 2.0 Enterprise Edition and Wapt 1.8.2
Enterprise and Community Edition has just been published. The changelog and
CVSS scores are listed below. WAPT 2.1 is not impacted. For the upgrade,
please follow the documentation at https://www.wapt.fr/en/doc (in French:
https://www.wapt.fr/fr/doc).
Best regards,
Denis
Changelog WAPT 2.0.0.9470
=========================
This is a security release. All Wapt 2.0 versions below 2.0.0.9467 are
affected.
* [SEC] fix for vuln in urllib3 CVE-2021-33503 (CVSS Score : 7.5 High,
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
* [SEC] Sanitize filename used when downloading files on local client.
(CVSS Score : 7.5 High,
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Enforced on wget and local filenames for downloaded packages (chars
'\\' '..' @ | ( ) : / , \ [ ] < > * ? ; ` \n are removed or replaced)
* [SEC] don’t use PackageEntry filename attribute to build target
package filename as it is not signed.
* [UPD] Wapt.remove : re-raise the exception if there is an exception in the
uninstall script
return the traceback in the 'errors' key
return code 3 if there are errors when removing packages with wapt-get remove
* [FIX] handle wildcards in certificates in waptconsole config and when
creating waptsetup
update UI in external repositories config when setting CA bundle
* [FIX] use PackageEntry.localpath only for local status of a package.
* [UPD] split PackageEntry non_control_attributes into repo_attributes
and local_attributes
local_attributes are not put into Packages index as they are not
relevant for remote access.
* [UPD] update python modules requirements following urllib3 upgrade
idna==3.2 (from 2.10)
certifi==2021.5.30 (from 2020.12.5)
requests==2.26.0 (from 2.25)
urllib3==1.26.6 (from 1.26.5)
Changelog 1.8.2.7388
====================
This is a security release. All Wapt 1.8 versions below 1.8.2.7388 are
affected.
Security changelog wapt-1.8.2.7388
* [SEC] fix for vuln in urllib3 CVE-2021-33503 (CVSS Score : 7.5 High,
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
* [SEC] Sanitize filename used when downloading files on local client.
(CVSS Score : 7.5 High,
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Enforced on wget and local filenames for downloaded packages (chars
'\\' '..' @ | ( ) : / , \ [ ] < > * ? ; ` \n are removed or replaced)
* [SEC] don't use PackageEntry filename attribute to build target
package filename as it is not signed.
* [FIX] Waptconsole config : when retrieving the server-side https
certificate, don't write a UTF-16 string in waptconfig. Remove wildcards
from the CN of the certificate to compose the cert filename.
* [UPD] update python modules requirements following urllib3 upgrade
certifi==2021.5.30
chardet==3.0.2
idna==2.8
requests==2.21.0
urllib3==1.24.3
More information on the WAPT mailing list
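The "[SEC] Sanitize filename" item in both changelogs above describes the fix only as a list of characters that are removed or replaced. The following is an added illustration in Python, not WAPT's own code: it applies that character set and '..' stripping to an untrusted download name, then checks that the joined path still lies under the cache directory, and shows the pre-fix shape (joining the server-supplied name as-is) for contrast. The cache directory, the package-name pattern in expected_package_filename and the Windows reserved-device-name check are assumptions of this example and are not taken from the advisory.

```python
import os

# Added example, not WAPT's code: a download-name sanitiser in the spirit of
# the "[SEC] Sanitize filename" changelog item, plus a containment check.

# Characters the advisory lists as removed or replaced. The '..' sequence is
# handled separately because it is a sequence, not a single character.
FORBIDDEN_CHARS = frozenset('\\@|():/,[]<>*?;`\n')

# Device names Windows resolves regardless of extension. Assumption of this
# example: the advisory does not mention them, but WAPT clients are often
# Windows machines, so the check is a cheap extra.
WINDOWS_RESERVED = frozenset(
    ['CON', 'PRN', 'AUX', 'NUL'] +
    ['COM%d' % i for i in range(1, 10)] +
    ['LPT%d' % i for i in range(1, 10)])


def sanitize_filename(name, replacement='_'):
    """Return a single path component derived from an untrusted name.

    1. every forbidden character becomes `replacement`;
    2. every '..' sequence is deleted (looped defensively until none remain);
    3. leading/trailing dots and spaces are stripped, since Windows drops
       them and 'foo.. ' would otherwise collide with 'foo';
    4. an empty result is rejected and a Windows device name gets a prefix.
    """
    cleaned = ''.join(replacement if c in FORBIDDEN_CHARS else c for c in name)
    while '..' in cleaned:
        cleaned = cleaned.replace('..', '')
    cleaned = cleaned.strip('. ')
    if not cleaned:
        raise ValueError('filename is empty after sanitisation: %r' % (name,))
    if cleaned.split('.', 1)[0].upper() in WINDOWS_RESERVED:
        cleaned = replacement + cleaned
    return cleaned


def is_within(base_dir, path):
    """True if `path` resolves inside `base_dir` (both made absolute)."""
    base = os.path.abspath(base_dir)
    target = os.path.abspath(path)
    return os.path.commonpath([base, target]) == base


def unsafe_download_path(download_dir, name):
    """Pre-fix shape, for contrast: the server-supplied name joined as-is."""
    return os.path.join(download_dir, name)


def safe_download_path(download_dir, name):
    """Sanitise `name`, join it under `download_dir`, and refuse any escape."""
    target = os.path.join(download_dir, sanitize_filename(name))
    if not is_within(download_dir, target):
        # Unreachable once separators are replaced, but cheap insurance
        # against a future regression in sanitize_filename.
        raise ValueError('download path escapes %r: %r' % (download_dir, target))
    return target


def expected_package_filename(package, version, architecture):
    """Build the target filename from signed control fields only.

    Assumption of this example: a '<package>_<version>_<architecture>.wapt'
    pattern. The advisory's point is that the filename attribute itself is
    not signed and must not be trusted; the signed fields are still passed
    through the sanitiser because a signature proves origin, not harmlessness.
    """
    return sanitize_filename('%s_%s_%s.wapt' % (package, version, architecture))


if __name__ == '__main__':
    # Constructed sample names and cache directory, not real repository data.
    cache = os.path.abspath('wapt-cache')
    for n in ['tis-firefox_92.0-1_all.wapt', '../../../etc/passwd',
              '..\\..\\evil.exe', 'NUL.msi', 'a:b|c<d>e.wapt']:
        print('%-32r -> %r' % (n, safe_download_path(cache, n)))
    escaped = unsafe_download_path(cache, '../../../etc/passwd')
    print('pre-fix join stays in cache:', is_within(cache, escaped))
```

Replacing rather than deleting the forbidden characters keeps distinct server-side names from collapsing onto the same local file; the '..' stripping and the final containment check are the two independent layers, so a mistake in one does not by itself reopen the traversal.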