pki-core:10.6 security, bug fix, and enhancement update
Errata ID: AXSA:2021-1597:01
The Public Key Infrastructure (PKI) Core contains fundamental packages required
by Asianux Certificate System.
Security Fix(es):
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
(CVE-2018-14040)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute
(CVE-2019-8331)
* jquery: Prototype pollution in object's prototype leading to denial of
service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method
(CVE-2020-11022)
* jquery: Passing HTML containing elements to manipulation methods could
result in untrusted code execution (CVE-2020-11023)
* pki: Dogtag's python client does not validate certificates (CVE-2020-15720)
* pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page
(CVE-2019-10146)
* pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM
agent page in authorize recovery tab (CVE-2019-10179)
* pki-core: Reflected XSS in getcookies?url= endpoint in CA (CVE-2019-10221)
* pki-core: KRA vulnerable to reflected XSS via the getPk12 page
(CVE-2020-1721)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
CVE-2015-9251
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a
cross-domain Ajax request is performed without the dataType option, causing
text/javascript responses to be executed.
CVE-2016-10735
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible
in the data-target attribute, a different vulnerability than CVE-2018-14041.
CVE-2018-14040
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent
attribute.
CVE-2018-14042
In Bootstrap before 4.1.2, XSS is possible in the data-container property of
tooltip.
CVE-2019-10146
A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions
module from the pki-core server due to the CA Agent Service not properly
sanitizing the certificate request page. An attacker could inject a specially
crafted value that will be executed on the victim's browser.
CVE-2019-10179
A vulnerability was found in all pki-core 10.x.x versions, where the Key
Recovery Authority (KRA) Agent Service did not properly sanitize the recovery
request search page, enabling a Reflected Cross Site Scripting (XSS)
vulnerability. An attacker could trick an authenticated victim into executing
specially crafted JavaScript code.
CVE-2019-10221
A Reflected Cross Site Scripting vulnerability was found in the pki-ca module
from the pki-core server, in all pki-core 10.x.x versions. This flaw is caused
by missing sanitization of the GET URL parameters. An attacker could abuse this
flaw to trick an authenticated user into clicking a specially crafted link which
can execute arbitrary code when viewed in a browser.
CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products,
mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution.
If an unsanitized source object contained an enumerable __proto__ property, it
could extend the native Object.prototype.
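The mechanism described for CVE-2019-11358, as an added example that is not part of the original advisory and is not jQuery's code: deepMergeUnsafe and deepMergeSafe are hypothetical stand-ins for a recursive merge in the style of jQuery.extend(true, {}, ...), and the JSON input is constructed.

```javascript
// Added illustration, not jQuery source: a simplified recursive merge that
// models the deep-copy pattern of jQuery.extend(true, target, source).
// Arrays are treated as plain objects for brevity.

// Vulnerable form: walks every enumerable key, including "__proto__".
function deepMergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes the source's properties onto the shared prototype.
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      deepMergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: own keys only, and keys that reach a prototype are skipped.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || target[key] === null || typeof target[key] !== "object") target[key] = {};
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function demo() {
  // Constructed input. JSON.parse makes "__proto__" an own, enumerable key,
  // which is the "unsanitized source object" case the description refers to.
  const source = JSON.parse('{"theme":{"color":"red"},"__proto__":{"isAdmin":true}}');
  const safeMerged = deepMergeSafe({}, source);
  const pollutedAfterSafe = ({}).isAdmin === true;
  deepMergeUnsafe({}, source);
  const pollutedAfterUnsafe = ({}).isAdmin === true; // every object now inherits it
  delete Object.prototype.isAdmin; // undo the pollution so the demo is repeatable
  return { safeMerged, pollutedAfterSafe, pollutedAfterUnsafe, cleaned: ({}).isAdmin === undefined };
}

console.log(demo());
```

The same check, whether a fresh empty object has gained an unexpected property after a merge, works as a regression test for any deep-merge helper that handles parsed JSON.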
CVE-2019-8331
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip
or popover data-template attribute.
CVE-2020-11022
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML
from untrusted sources - even after sanitizing it - to one of jQuery's DOM
manipulation methods (i.e. .html(), .append(), and others) may execute untrusted
code. This problem is patched in jQuery 3.5.0.
CVE-2020-11023
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML
containing elements from untrusted sources - even after sanitizing it -
to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and
others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2020-15720
In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did not enable
python-requests certificate validation. Since the verify parameter was
hard-coded in all request functions, it was not possible to override the
setting. As a result, tools making use of this class, such as the pki-server
command, may have been vulnerable to Person-in-the-Middle attacks in certain
non-localhost use cases. This is fixed in 10.9.0-b1.
CVE-2020-1721
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
Modularity name: pki-core
Stream name: 10.6
Update packages.
SRPMS
- jss-4.7.3-1.0.1.module+el8+1224+abd63044.src.rpm
  Size: 0.96 MB
- ldapjdk-4.22.0-1.module+el8+1224+abd63044.src.rpm
  Size: 2.83 MB
- pki-core-10.9.4-1.module+el8+1224+abd63044.src.rpm
  Size: 9.75 MB
- tomcatjss-7.5.0-1.module+el8+1224+abd63044.src.rpm
  Size: 48.67 kB
Asianux Server 8 for x86_64
- jss-4.7.3-1.0.1.module+el8+1224+abd63044.x86_64.rpm
  Size: 1.17 MB
- jss-debugsource-4.7.3-1.0.1.module+el8+1224+abd63044.x86_64.rpm
  Size: 139.51 kB
- jss-javadoc-4.7.3-1.0.1.module+el8+1224+abd63044.x86_64.rpm
  Size: 0.99 MB
- ldapjdk-4.22.0-1.module+el8+1224+abd63044.noarch.rpm
  Size: 321.62 kB
- ldapjdk-javadoc-4.22.0-1.module+el8+1224+abd63044.noarch.rpm
  Size: 48.78 kB
- pki-base-10.9.4-1.module+el8+1224+abd63044.noarch.rpm
  Size: 292.23 kB
- pki-base-java-10.9.4-1.module+el8+1224+abd63044.noarch.rpm
  Size: 696.74 kB
- pki-ca-10.9.4-1.module+el8+1224+abd63044.noarch.rpm
  Size: 574.01 kB
- pki-core-debugsource-10.9.4-1.module+el8+1224+abd63044.x86_64.rpm
  Size: 361.43 kB
- pki-kra-10.9.4-1.module+el8+1224+abd63044.noarch.rpm
  Size: 199.07 kB
- pki-server-10.9.4-1.module+el8+1224+abd63044.noarch.rpm
  Size: 3.46 MB
- pki-symkey-10.9.4-1.module+el8+1224+abd63044.x86_64.rpm
  Size: 53.12 kB
- pki-tools-10.9.4-1.module+el8+1224+abd63044.x86_64.rpm
  Size: 731.51 kB
- python3-pki-10.9.4-1.module+el8+1224+abd63044.noarch.rpm
  Size: 161.78 kB
- tomcatjss-7.5.0-1.module+el8+1224+abd63044.noarch.rpm
  Size: 41.86 kB