[Wapt] Wapt 1.3.13 security fix

wapt-owner wapt-owner at lists.tranquil.it
Tue Jul 25 20:52:07 CEST 2017


Hi everyone,

French version below,

A new build of the Wapt 1.3 branch is available at 
https://wapt.tranquil.it/wapt/releases/wapt-1.3.13/ . It includes a 
security fix, two bug fixes and two compatibility fixes for upcoming 
upgrades to the Wapt 1.5 series (release date yet to be announced). You'll 
find more detailed information in the changelog below.

To upgrade: 
https://www.wapt.fr/en/doc/Installation/waptserver_update/index.html

The Tranquil IT Systems Team.

=======

Hello everyone,

A new version of the Wapt 1.3 branch is available at 
https://wapt.tranquil.it/wapt/releases/wapt-1.3.13/ <https://wapt.tranquil.it/wapt/releases/latest/> 
. This version includes a security fix, two functionality fixes and 
two compatibility improvements in preparation for the upgrade to the 
upcoming Wapt 1.5 release (availability date not yet announced). You 
will find more detailed information in the changelog below.

To upgrade: 
https://www.wapt.fr/fr/doc/Installation/waptserver_update/index.html

The Tranquil IT Systems Team.

=======


  Changelog


    Security fix:

  * regression: Package files content check was skipped if signature of
    manifest and Packages index file checksum was ok. This regression
    affects all 1.3.12 releases, but _not_ Wapt <= 1.3.9 and >= upcoming
    1.5. In order to exploit this bug, one would need to tamper with the
    Packages files either through a MITM (if you don't have valid https
    certificate check) or a root access on the wapt server.


    Other changes

  * Compatibility with packages signed with upcoming Wapt 1.5
      o With WAPT 1.5, packages are signed with sha256 hashes. An option
        allows signing them with sha1 too so that they can be used with
        Wapt 1.3 without signing them again.
  * New package certificate for Tranquil IT packages
      o previous certificate for packages on store.wapt.fr has expired.
      o all packages on store.wapt.fr have been signed again with new
        key/certificate with both sha1 and sha256 hashes, and Wapt 1.5
        signature style (control data is signed as well as files)
  * Fix for local GPO add_shutdown_script() function (thanks jf-guillou!)
  * Fix for waptsetup.exe postinstall actions (update/register) when
    running waptsetup.exe installer without elevated privileges: added
    runascurrentuser flag
  * Remove needless python libraries to make install package slimmer
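
An added example, not part of the original announcement and not WAPT's own code: a minimal model of the three checks the security fix entry refers to (index checksum, manifest signature, per-file content hash), showing what passes when the content check is skipped. The package layout, the function names and the HMAC standing in for the certificate signature are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: an HMAC with a constructed key stands in for the certificate signature.
SIGNER_KEY = b"constructed-demo-key"

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_manifest(manifest: dict) -> str:
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(SIGNER_KEY, blob, hashlib.sha256).hexdigest()

def package_checksum(pkg: dict) -> str:
    """Checksum of the whole package, as an index entry would record it."""
    blob = json.dumps({k: v.hex() for k, v in pkg["files"].items()}, sort_keys=True)
    return digest((blob + pkg["signature"]).encode())

def build_package(files: dict) -> dict:
    manifest = {name: digest(data) for name, data in files.items()}
    return {"files": dict(files), "manifest": manifest,
            "signature": sign_manifest(manifest)}

def verify(pkg: dict, index_checksum: str, check_content: bool = True) -> bool:
    # 1. The package must match the checksum listed in the (unsigned) index.
    if not hmac.compare_digest(package_checksum(pkg), index_checksum):
        return False
    # 2. The manifest must carry a valid signature.
    if not hmac.compare_digest(sign_manifest(pkg["manifest"]), pkg["signature"]):
        return False
    # 3. Every file must match the hash recorded in the signed manifest.
    if not check_content:  # models the regression: step 3 skipped
        return True
    if set(pkg["files"]) != set(pkg["manifest"]):
        return False
    return all(hmac.compare_digest(digest(data), pkg["manifest"][name])
               for name, data in pkg["files"].items())

# Constructed sample data: same manifest and signature, different file content.
good = build_package({"setup.py": b"print('install')\n"})
altered = dict(good, files={"setup.py": b"print('changed')\n"})

if __name__ == "__main__":
    idx = package_checksum(altered)  # index entry consistent with the altered package
    print("content check skipped:", verify(altered, idx, check_content=False))
    print("content check applied:", verify(altered, idx))
```

Steps 1 and 2 only bind the index to the package and the signer to the manifest; step 3 is the only one that binds the signed manifest to the files actually installed.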

