The Tranquil IT Systems Team.

=======

Bonjour à tous,

Une nouvelle version de la branche Wapt 1.3 est disponible à l'adresse https://wapt.tranquil.it/wapt/releases/wapt-1.3.13/ . Cette version inclus un correctif de sécurité, deux correctifs de fonctionnalité et deux améliorations de compatibilité pour préparer la mise à jour vers la prochaine version Wapt 1.5 (date de disponibilité pas encore annoncée). Vous trouverez des informations plus détaillés dans le changelog ci-après.

Pour la mise à jour : https://www.wapt.fr/fr/doc/Installation/waptserver_update/index.html

L'équipe Tranquil IT Systems.

=======

Changelog

Security fix:

• regression : Package files content check was skipped if signature of manifest and Packages index file checksum was ok. This regression affects all 1.3.12 releases, but not Wapt <= 1.3.9 and >= upcoming 1.5. In order to exploit this bug, one would need to tamper the Packages files either throught a MITM (if you don't have valid https certificate check) or a root access on the wapt server.
  

Other changes

• Compatibility with packages signed with upcoming Wapt 1.5
  
• With WAPT 1.5, package are signed with sha256 hashes. An option allows to sign them with sha1 too so that they can be used with Wapt 1.3 without signing them again.
• New package certificate for Tranquil IT packages
  
• previous certificate for package on store.wapt.fr has expired.
• all packages on store.wapt.fr has been signed again with new key/certificate with both sha1 and sha256 hashes, and Wapt 1.5 signature style (control data is signed as well as files)
• Fix for local GPO add_shutdown_script() function (thanks jf-guillou !)
• Fix for waptsetup.exe postinstall actions (update/register) when running waptsetup.exe installer without elevated priviledges : added runascurrentuser flag
• Remove needless python libraries to make install package slimmer