moderate: python-rtslib/ipa security update
An update for python-rtslib/ipa is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
python-rtslib: API for generic Linux SCSI kernel target. Includes the 'target' service and targetctl tool for restoring configuration.
ipa: IPA integrated DNS server with support for automatic DNSSEC signing. Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
python-rtslib: A flaw was found in Open-iSCSI rtslib-fb through version 2.1.72: /etc/target/saveconfig.json has weak permissions because shutil.copyfile is used instead of shutil.copy, so permissions are not preserved upon editing. This flaw allows an attacker with prior access to /etc/target/saveconfig.json to access a later version, resulting in a loss of integrity, depending on their permission settings. The highest threat from this vulnerability is to confidentiality. (CVE-2020-14019)
ipa: A flaw was found in IPA. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability. (CVE-2020-1722)
ipa: A Prototype Pollution vulnerability was found in jQuery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences. (CVE-2019-11358)
ipa: In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. (CVE-2018-20676)
ipa: In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. (CVE-2016-10735)
ipa: In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. (CVE-2018-20677)
ipa: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. (CVE-2018-14040)
ipa: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. (CVE-2018-14042)
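The permission behaviour behind CVE-2020-14019, shown as an added example (not rtslib-fb code): an owner-only file is copied once with shutil.copyfile and once with shutil.copy, and a small check flags files whose mode is wider than intended. The temporary file names, the 0o022 umask and the 0o600 policy are assumptions made for illustration.

```python
import os
import shutil
import stat
import tempfile


def mode_of(path):
    """Return the permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_copy_modes(umask=0o022):
    """Copy a 0600 file both ways; return (source, copyfile, copy) modes."""
    old_umask = os.umask(umask)  # assumed typical system umask
    try:
        with tempfile.TemporaryDirectory() as d:
            # Constructed stand-in for /etc/target/saveconfig.json.
            src = os.path.join(d, "saveconfig.json")
            fd = os.open(src, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as f:
                f.write('{"constructed": "sample"}\n')

            via_copyfile = os.path.join(d, "via_copyfile.json")
            via_copy = os.path.join(d, "via_copy.json")
            # copyfile writes contents only: the new file's mode comes
            # from the process umask, not from the source file.
            shutil.copyfile(src, via_copyfile)
            # copy writes contents and then applies the source's mode bits.
            shutil.copy(src, via_copy)
            return mode_of(src), mode_of(via_copyfile), mode_of(via_copy)
    finally:
        os.umask(old_umask)


def too_permissive(path, allowed=0o600):
    """True if path grants any bit outside `allowed` (assumed policy)."""
    return bool(mode_of(path) & ~allowed)


if __name__ == "__main__":
    src, cf, cp = demo_copy_modes()
    print(f"source {src:04o}  copyfile {cf:04o}  copy {cp:04o}")
```

On an installed system, `too_permissive("/etc/target/saveconfig.json")` gives a quick check of the live file's mode against the assumed owner-only policy.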
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Remember the build tag is 5.04.F30B3.