Bug 26287

Summary: dojo new security issue CVE-2019-10785
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: dojo-1.14.2-2.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-03-02 21:10:41 CET 
Debian-LTS has issued an advisory on February 29:
https://www.debian.org/lts/security/2020/dla-2127

The issue is fixed upstream in 1.14.5.

Mageia 7 is also affected.
David Walser 2020-03-02 21:11:08 CET

Status comment: (none) => Fixed upstream in 1.14.5
Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-03-03 16:24:29 CET 
Done dor both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-03-03 16:55:38 CET 
Advisory:
========================

Updated dojo package fixes security vulnerability:

dojox was vulnerable to Cross-site Scripting. This was due to
dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character,
not all of them (CVE-2019-10785).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10785
https://www.debian.org/lts/security/2020/dla-2127
========================

Updated packages in core/updates_testing:
========================
dojo-1.14.5-1.mga7

from dojo-1.14.5-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 1.14.5 => (none)
Version: Cauldron => 7
Assignee: bugsquad => qa-bugs

Comment 3 Herman Viaene 2020-03-04 15:57:20 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
According to the info in MCC, this is web-developer's stuff.
There are no previous updates on this. Googled a bit and found https://dojotoolkit.org/documentation/tutorials/1.10/hello_dojo/index.html
but that's still over my head.
Proposing to OKon clean install as we often do with Java tools, unless someone wants to have a go at the example above.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-03-04 16:39:16 CET 
Good enough for me, Herman. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-03-06 15:37:04 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-03-06 17:16:00 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0126.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED