Security release for WAPT 1.8.2 and WAPT 2.0

Find official announcements related to WAPT here.
dcardon

October 7, 2021 - 9:04 PM

Hello,

A security release for Wapt 2.0 Enterprise and Wapt 1.8.2 Enterprise and Community Editions has just been published. The changelog and CVSS scores are available below. WAPT 2.1 is not affected. For the update, please follow the documentation at https://www.wapt.fr/en/doc.

Best regards,

Denis.

Changelog 2.0.0.9470
====================

This is a security release. All Wapt 2.0 versions below 2.0.0.9470 are affected.

* [SEC] fix for vuln in urllib3 CVE-2021-33503 (CVSS Score: 7.5 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

* [SEC] Sanitize filename used when downloading files on the customer's local machine. (CVSS Score: 7.5 High, CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Enforced on wget and local filenames for downloaded packages (chars '\\' '..' @ | ( ) : / , \ [ ] < > * ? ; ` \n are removed or replaced)

* [UPD] Wapt.remove: reraise exception if there is exception in uninstall script
return traceback in 'errors' key
return code 3 if there are errors when removing packages in wapt-get remove

* [FIX] handles wildcards in certificates in waptconsole config and create waptsetup
update UI in external repositories config when setting CA bundle

* [FIX] use PackageEntry.localpath only for local status of a package.

* [UPD] split PackageEntry non_control_attributes into repo_attributes and local_attributes
local_attributes are not put into Packages index as they are not relevant for remote access.

* [UPD] update python modules requirements following urllib3 upgrade
idna==3.2 (from 2.10)
certifi==2021.5.30 (from 2020.12.5)
requests==2.26.0 (from 2.25)
urllib3==1.26.6 (from 1.26.5)

Changelog 1.8.2.7388
====================

This is a security release. All Wapt 1.8 versions below 1.8.2.7388 are affected.

Security changelog wapt-1.8.2.7388

* [SEC] fix for vuln in urllib3 CVE-2021-33503 (CVSS Score: 7.5 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

* [SEC] Sanitize filename used when downloading files on the local client. (CVSS Score: 7.5 High, CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Enforced on wget and local filenames for downloaded packages (chars '\\' '..' @ | ( ) : / , \ [ ] < > * ? ; ` \n are removed or replaced)

* [FIX] Waptconsole config: when retrieving the server-side https certificate, don't write a UTF16 string in waptconfig. Remove wildcards from the CN of the certificate to compose the cert filename.

* [UPD] update python modules requirements following urllib3 upgrade
certifi==2021.5.30
chardet==3.0.2
idna==2.8
requests==2.21.0
urllib3==1.24.3
Denis Cardon - Tranquil IT
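As an added illustration of the two [SEC] filename-sanitizing items above (this is not WAPT's own code, nor code from the advisory), a Python sanitizer built around the character list quoted in the changelog; the replacement policy, the function names and the containment check are assumptions.

```python
import os

# Characters the advisory lists as removed or replaced from local
# filenames of downloaded packages. '..' is handled separately below.
FORBIDDEN_CHARS = set('@|():/,\\[]<>*?;`\n')


def sanitize_filename(name: str, replacement: str = "_") -> str:
    """Return a filename that is safe to join onto a download directory.

    Assumed policy (hypothetical, not WAPT's): strip every '..' sequence,
    replace each forbidden character, drop leading/trailing dots and
    spaces, and reject an empty result.
    """
    # Strip '..' until none remain, so 'a....b' cannot rebuild a '..'
    while ".." in name:
        name = name.replace("..", "")
    cleaned = "".join(replacement if ch in FORBIDDEN_CHARS else ch
                      for ch in name)
    cleaned = cleaned.strip(" .")
    if not cleaned:
        raise ValueError("filename is empty after sanitization")
    return cleaned


def safe_download_path(download_dir: str, remote_name: str) -> str:
    """Build the local path for a downloaded package and check, as defence
    in depth, that it still resolves inside download_dir."""
    local = os.path.join(download_dir, sanitize_filename(remote_name))
    base = os.path.realpath(download_dir)
    target = os.path.realpath(local)
    if os.path.commonpath([base, target]) != base:
        raise ValueError("download path escapes the download directory")
    return target


if __name__ == "__main__":
    # Constructed sample names: one benign, two traversal/shell style
    for sample in ("pkg_1.0-1_all.wapt", "../../etc/passwd",
                   "evil;rm -rf x|cat>out.wapt"):
        print(repr(sample), "->", repr(sanitize_filename(sample)))
```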