[Wapt] Release de sécurité pour WAPT 1.8.2 et WAPT 2.0 / Security release for WAPT 1.8.2 and WAPT 2.0

Denis CARDON dcardon at tranquil.it
Thu 7 Oct 21:02:09 CEST 2021


Bonjour / Hello,

A security release for Wapt 2.0 Enterprise and Wapt 1.8.2 Enterprise
and Community has just been published. The changelog is available
below, together with the CVSS scores. WAPT 2.1 is not affected. To
upgrade, please follow the documentation at
https://www.wapt.fr/fr/doc

A security release for Wapt 2.0 Enterprise Edition and Wapt 1.8.2 
Enterprise and Community Edition has been published. The changelog and 
CVSS scores are listed below. WAPT 2.1 is not impacted. Please see the 
upgrade documentation on https://www.wapt.fr/en/doc

Cordialement / Best regards,

Denis



Changelog WAPT 2.0.0.9470
=========================

This is a security release. All Wapt 2.0 versions below 2.0.0.9467 are 
affected.

* [SEC] fix for vuln in urllib3 CVE-2021-33503 (CVSS Score : 7.5 High, 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

* [SEC] Sanitize filename used when downloading files on local client. 
(CVSS Score : 7.5 High, 
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
   Enforced on wget and local filenames for downloaded packages (chars 
'\\' '..' @ | ( ) : / , \ [ ] < > * ? ; ` \n are removed or replaced)

* [SEC] don’t use PackageEntry filename attribute to build target 
package filename as it is not signed.

* [UPD] Wapt.remove : reraise exception if there is an exception in the 
uninstall script
   return traceback in 'errors' key
   return code 3 if there are errors when removing packages in wapt-get remove

* [FIX] handle wildcards in certificates in waptconsole config and 
create waptsetup
   update UI in external repositories config when setting CA bundle

* [FIX] use PackageEntry.localpath only for local status of a package.

* [UPD] split PackageEntry non_control_attributes into repo_attributes 
and local_attributes
   local_attributes are not put into Packages index as they are not 
relevant for remote access.

* [UPD] update python modules requirements following urllib3 upgrade
   idna==3.2 (from 2.10)
   certifi==2021.5.30 (from 2020.12.5)
   requests==2.26.0 (from 2.25)
   urllib3==1.26.6 (from 1.26.5)

Changelog 1.8.2.7388
====================

This is a security release. All Wapt 1.8 versions below 1.8.2.7388 are 
affected.

Security changelog wapt-1.8.2.7388

* [SEC] fix for vuln in urllib3 CVE-2021-33503 (CVSS Score : 7.5 High, 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

* [SEC] Sanitize filename used when downloading files on local client. 
(CVSS Score : 7.5 High, 
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
   Enforced on wget and local filenames for downloaded packages (chars 
'\\' '..' @ | ( ) : / , \ [ ] < > * ? ; ` \n are removed or replaced)

* [SEC] don't use PackageEntry filename attribute to build target 
package filename as it is not signed.

* [FIX] Waptconsole config : When retrieving the server-side https 
certificate, don't write a UTF-16 string in waptconfig. Remove wildcards 
from the CN of the certificate to compose the cert filename.

* [UPD] update python modules requirements following urllib3 upgrade
    certifi==2021.5.30
    chardet==3.0.2
    idna==2.8
    requests==2.21.0
    urllib3==1.24.3


More information about the WAPT mailing list