[Wapt] Wapt 1.3.13 security fix
wapt-owner
wapt-owner at lists.tranquil.it
Tue Jul 25 20:52:07 CEST 2017
Hi everyone,
French version below,
A new build of the Wapt 1.3 branch is available at
https://wapt.tranquil.it/wapt/releases/wapt-1.3.13/ . It includes a
security fix, two bug fixes and two compatibility fixes for upcoming
upgrades to the Wapt 1.5 series (release date yet to be announced). You'll
find more detailed information in the changelog below.
To upgrade:
https://www.wapt.fr/en/doc/Installation/waptserver_update/index.html
The Tranquil IT Systems Team.
=======
Hello everyone,
A new version of the Wapt 1.3 branch is available at
https://wapt.tranquil.it/wapt/releases/wapt-1.3.13/ <https://wapt.tranquil.it/wapt/releases/latest/>.
This version includes a security fix, two functionality fixes and two
compatibility improvements to prepare for the upgrade to the upcoming
Wapt 1.5 version (availability date not yet announced). You will find
more detailed information in the changelog below.
To upgrade:
https://www.wapt.fr/fr/doc/Installation/waptserver_update/index.html
The Tranquil IT Systems Team.
=======
Changelog
Security fix:
  * regression: Package files content check was skipped if the signature
    of the manifest and the Packages index file checksum were ok. This
    regression affects all 1.3.12 releases, but _not_ Wapt <= 1.3.9 and
    >= upcoming 1.5. In order to exploit this bug, one would need to
    tamper with the Packages files either through a MITM (if you don't
    have a valid https certificate check) or root access on the wapt
    server.
Other changes
  * Compatibility with packages signed with upcoming Wapt 1.5
      o With WAPT 1.5, packages are signed with sha256 hashes. An option
        allows signing them with sha1 too so that they can be used with
        Wapt 1.3 without signing them again.
  * New package certificate for Tranquil IT packages
      o The previous certificate for packages on store.wapt.fr has expired.
      o All packages on store.wapt.fr have been signed again with the new
        key/certificate with both sha1 and sha256 hashes, and Wapt 1.5
        signature style (control data is signed as well as files)
  * Fix for local GPO add_shutdown_script() function (thanks jf-guillou!)
  * Fix for waptsetup.exe postinstall actions (update/register) when
    running the waptsetup.exe installer without elevated privileges: added
    runascurrentuser flag
  * Remove needless python libraries to make the install package slimmer
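
The per-file content check described in the security fix, sketched as an added example (not WAPT's own code and not part of the original message). It assumes the manifest is a JSON list of [filename, sha1] pairs whose signature has already been verified; the function names, the file names in UNLISTED and the sample data are assumptions made for illustration.

```python
import hashlib
import io
import json
import zipfile

# Assumed layout: entries the manifest cannot list (itself and its signature).
UNLISTED = {"WAPT/manifest.sha1", "WAPT/signature"}


def check_contents(package_bytes, manifest_json, algo="sha1"):
    """Return a sorted list of problems; an empty list means the contents match."""
    expected = dict(json.loads(manifest_json))  # {name: hex digest}
    problems, seen = [], set()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or name in UNLISTED:
                continue
            if name in seen:  # a second entry could shadow the checked one
                problems.append("duplicate entry: " + name)
                continue
            seen.add(name)
            if name not in expected:
                problems.append("not in manifest: " + name)
            elif hashlib.new(algo, zf.read(info)).hexdigest() != expected[name]:
                problems.append("hash mismatch: " + name)
    problems += ["missing file: " + n for n in expected if n not in seen]
    return sorted(problems)


def build_package(files):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: manifest built from the original files, then altered contents.
ORIGINAL = {"setup.py": b"print('install')\n", "WAPT/control": b"package : demo\n"}
MANIFEST = json.dumps([[n, hashlib.sha1(d).hexdigest()] for n, d in ORIGINAL.items()])
TAMPERED = dict(ORIGINAL, **{"setup.py": b"print('changed')\n", "extra.bat": b"rem\n"})

if __name__ == "__main__":
    print(check_contents(build_package(ORIGINAL), MANIFEST))
    print(check_contents(build_package(TAMPERED), MANIFEST))
```

A valid manifest signature only authenticates the list of expected hashes; the package is trustworthy only when this comparison also returns an empty list.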