Release de sécurity pour WAPT 1.8.2 et WAPT 2.0 / Security release for WAPT 1.8.2 and WAPT 2.0

Retrouvez ici les annonces officielles relatives à WAPT.
Avatar de l’utilisateur
dcardon
Expert WAPT
Messages : 680
Inscription : 18 juin 2014 - 09:58
Localisation : Nantes
Contact :

07 oct. 2021 - 21:04

Bonjour / Hello,

Une release de sécurité pour Wapt 2.0 Entreprise et Wapt 1.8.2 Entreprise et Community vient d'être mise en ligne. Le changelog est disponible ci-dessous ainsi que les scores CVSS. WAPT 2.1 n'est pas impacté. Pour la mise à jour merci de suivre la documentation sur https://www.wapt.fr/fr/doc

A security release for Wapt 2.0 Enterprise Edition and Wapt 1.8.2 Enterprise and Community Edition has been published. The changelog and CVSS scrore are listed below. WAPT 2.1 is not impacted. Please see the upgrade documentation on https://www.wapt.fr/en/doc

Cordialement / Best regards,

Denis

Changelog 2.0.0.9470
====================

This is a security release. All Wapt 2.0 version below 2.0.0.9470 are affected

* [SEC] fix for vuln in urllib3 CVE-2021-33503 (CVSS Score : 7.5 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

* [SEC] Sanitize filename used when downloading files on local client. (CVSS Score : 7.5 High, CVSS;3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Enforced on wget and local filenames for downloaded packages (chars '\\' '..' @ | ( ) : / , \ [ ] < > * ? ; ` \n are removed or replaced)

* [UPD] Wapt.remove : reraise exception if there is exception in uninstall script
return traceback in 'errors' key
return code 3 if there are errors when removing packages in wapt-get remove

* [FIX] handles wildcards in certificates in waptconsole config and create waptsetup
update UI in external repositories config when setting CA bundle

* [FIX] use PackageEntry.localpath only for local status of a package.

* [UPD] split PackageEntry non_control_attributes into repo_attributes and local_attributes
local_attributes are not put into Packages index as they are not relevant for remote access.

* [UPD] update python modules requirements following urllib3 upgrade
idna==3.2 (from 2.10)
certifi==2021.5.30 (from 2020.12.5)
requests==2.26.0 (from 2.25)
urllib3==1.26.6 (from 1.26.5)

Changelog 1.8.2.7388
====================

This is a security release. All Wapt 1.8 version belos 1.8.2.7388

Security changelog wapt-1.8.2.7388*

* [SEC] fix for vuln in urllib3 CVE-2021-33503 (CVSS Score : 7.5 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

* [SEC] Sanitize filename used when downloading files on local client. (CVSS Score : 7.5 High, CVSS;3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Enforced on wget and local filenames for downloaded packages (chars '\\' '..' @ | ( ) : / , \ [ ] < > * ? ; ` \n are removed or replaced)

* [FIX] Waptconsole config : When retrieving server side https certificate don't write UTF16 string for in waptconfig. Remove wildcards from CN of certificate to compose cert filename.

* [UPD] update python modules requirements following urllib3 upgrade
certifi==2021.5.30
chardet==3.0.2
idna==2.8
requests==2.21.0
urllib3==1.24.3
Denis Cardon - Tranquil IT
Communiquez autour de vous sur WAPT! Envoyez nous vos url de blog et d'articles dans la catégorie votre avis du forum, nous les mettrons en avant sur le site WAPT
Verrouillé