idm:client security, bug fix, and enhancement update
エラータID: AXSA:2021-1594:01
リリース日:
2021/03/19 Friday - 09:56
題名:
idm:client security, bug fix, and enhancement update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- jQuery には、クロスドメインにおける Ajax のリクエストが
dataType オプション無しで実行されるとき、
クロスサイトスクリプティングの脆弱性があります。(CVE-2015-9251)
- Bootstrap の data-target 属性 には、
クロスサイトスクリプティングの脆弱性があります。(CVE-2016-10735)
- Bootstrap の Collapse における data-parent 属性には、
クロスサイトスクリプティングの脆弱性があります。(CVE-2018-14040)
- Bootstrap の Tooltip における data-container プロパティーには、
クロスサイトスクリプティングの脆弱性があります。(CVE-2018-14042)
- Bootstrap の Tooltip における data-viewport 属性には、
クロスサイトスクリプティングの脆弱性があります。(CVE-2018-20676)
- Bootstrap の affix の設定におけるターゲットプロパティーには、
クロスサイトスクリプティングの脆弱性があります。(CVE-2018-20677)
- jQuery には、オブジェクトプロトタイプ汚染の問題があり、
jQuery.extend(true, {}, ...) を正しく扱わない脆弱性があります。(CVE-2019-11358)
- Bootstrap の Tooltip あるいは Popover における data-template 属性には、
クロスサイトスクリプティングの脆弱性があります。(CVE-2019-8331)
- jQuery には、たとえサニタイズされていたとしても、信頼されない
ソースからDOM Manipulation メソッド(.html() や .append() など)への
HTML を渡すことで、信頼されないコードを実行する可能性のある
脆弱性があります。(CVE-2020-11022)
- ipa には、 1,000,000 文字以上の長いパスワードをサーバーに
送付することで、パスワードのハッシュ化の際にメモリやCPUを大量に
消費してしまい、サービス拒否を引き起こし、ウェブサイトからの返答が
なくなってしまう脆弱性があります。(CVE-2020-1722)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2015-9251
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CVE-2016-10735
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
CVE-2018-20677
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2019-8331
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
CVE-2020-11022
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2020-1722
A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability.
A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability.
追加情報:
N/A
ダウンロード:
SRPMS
- bind-dyndb-ldap-11.3-1.module+el8+1226+5eaf1d53.src.rpm
MD5: 0de48d5e96fdf744c4016a7d7fd73beb
SHA-256: f6ac1c03872582c07cd47762fe7bff4fa03bed914a5f878cc7800f1c12214f9b
Size: 366.02 kB - custodia-0.6.0-3.module+el8+1226+5eaf1d53.src.rpm
MD5: a5a8da55d1bf4e015732898d7106b21d
SHA-256: b576c86e909dd2de4fddbed696250dab858e6772d7ae2125d840b5dfef9775af
Size: 144.69 kB - ipa-healthcheck-0.4-6.module+el8+1226+5eaf1d53.src.rpm
MD5: f16375b4fd8f1915b3e863d8ae438332
SHA-256: ccc7796bd0199a371310746f5f7624fae010343ed61b714c5531a37783cd0b27
Size: 91.88 kB - ipa-4.8.7-14.0.1.module+el8+1226+5eaf1d53.src.rpm
MD5: b9e63dbc9589395893935ac43b65fa3e
SHA-256: b047ba4b62a25878c8f78b9d244d9453f1ac76a15fb17112cae33b9615e8058d
Size: 12.32 MB - opendnssec-2.1.6-2.module+el8+1226+5eaf1d53.src.rpm
MD5: 1dc61bd71b2de4dcd64b5eb327619f23
SHA-256: 907f2c1d594ba88bb2a4392c56d0d05fd6357c27bc6b2a7a4f48d3865c2691f9
Size: 1.13 MB - python-jwcrypto-0.5.0-1.module+el8+1226+5eaf1d53.src.rpm
MD5: e7d01b73820660053d23f53c42ca9b5d
SHA-256: 1b8fd9ddf0a60c0092118b37e79d0a489a99bf82db571ca224d80f42033e6a2d
Size: 76.41 kB - python-qrcode-5.1-12.module+el8+1226+5eaf1d53.src.rpm
MD5: ec1dddc630ccaf4d8ce661c04d4c0c36
SHA-256: 06b8a1a30fd5a202c5b9cdc3a40e10a35fa2150a802de1862887079841278e2d
Size: 33.39 kB - python-yubico-1.3.2-9.module+el8+1226+5eaf1d53.src.rpm
MD5: bdfd716fb40e561fffb8fc993bba3c92
SHA-256: fd83a8d4c220a162a26a618cd32b29caedf06e890945c20e34994412038c388f
Size: 50.71 kB - pyusb-1.0.0-9.module+el8+1226+5eaf1d53.src.rpm
MD5: 7d613f5c4c065e03c643954f3022fff3
SHA-256: 640c4085c1572b4ee347a09a1b78d73e20e7e993452c1809ceaa8a63a575d165
Size: 78.83 kB - slapi-nis-0.56.5-4.module+el8+1226+5eaf1d53.src.rpm
MD5: c918f8457b19c385004a63496bd46bbb
SHA-256: a166d0a44bb233b723ea5df7479e06b005b5e2d7cd4447fc55c7f232adae47df
Size: 632.38 kB - softhsm-2.6.0-3.module+el8+1226+5eaf1d53.src.rpm
MD5: ddfd9ba99b3759b185da1f5c06916f2f
SHA-256: 3122ce2798434b2643a6fb0b298f4d5259947daa7837d619e6a569a1db035be0
Size: 1.03 MB
Asianux Server 8 for x86_64
- ipa-healthcheck-core-0.4-6.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 04e4ba8cf50b228c883ba606fb35d284
SHA-256: 612b454df9537a0b97fb33d2080a29c07662c4be0ca0e82510a348c87123b457
Size: 47.96 kB - ipa-client-4.8.7-14.0.1.module+el8+1226+5eaf1d53.x86_64.rpm
MD5: c464e53348cea949035755ee2eed5c8e
SHA-256: 9d5b4889f380c1e7362fa728366c6509e6a06df6d199871cb80e71828e3c8878
Size: 271.39 kB - ipa-client-common-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: b1f3a0e09d4f2b3a50d0e0c423fd5ce3
SHA-256: 9f362607d4afc974f12dfcc9dda1f7579d3a30ac2a432120d7a4d64f0145f6ed
Size: 177.52 kB - ipa-client-epn-4.8.7-14.0.1.module+el8+1226+5eaf1d53.x86_64.rpm
MD5: b29b478571f3dc3934c4c2af2bd7b33a
SHA-256: d5219fbf39529b8a277e6556ef2d0b16661977eced2d446b3e03fea4aab43c83
Size: 175.70 kB - ipa-client-samba-4.8.7-14.0.1.module+el8+1226+5eaf1d53.x86_64.rpm
MD5: 09b68d4a5d85c603012fa3084c672c89
SHA-256: 45d506ce4a776bf55d5e764ce46242990b3c66e88e9e95245837a2477ab88a1f
Size: 172.34 kB - ipa-common-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 2accf21fe0103285c4f15c446b5ae37e
SHA-256: c1499701e8fd73776f7841d563a4a3e54346bd0d27a64a3ba941b4eff85289fa
Size: 743.41 kB - ipa-debugsource-4.8.7-14.0.1.module+el8+1226+5eaf1d53.x86_64.rpm
MD5: 12918f83b63710f2abf53e9f437b18a5
SHA-256: d9e5922dcbaf519047f5be5d8155f6240a546b7ab36ce4fb209129b3bff55138
Size: 469.75 kB - ipa-python-compat-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 4afdb1b2595a86319d4ca74c1ea95541
SHA-256: af578af525b0336c69ec0494bd276452f6d0551e85b1426b935190df7128187e
Size: 170.14 kB - ipa-selinux-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 79e2111a84646a215877e07de5f936f2
SHA-256: 7f1061f1b8fbe133a378f95098d9334b723ee9a74955b8020f78263c23e60888
Size: 170.48 kB - python3-ipaclient-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 7333b5698638b06b030bdc306b52bb24
SHA-256: 74fbe65452c8be5df7741f937773d0b22b7c869e9baef7d7060138ca43316b82
Size: 679.52 kB - python3-ipalib-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: b1ec7ccc09cea7c6c8ae06ac236ade37
SHA-256: 3d362eb4cb79c586054e7b0918570f0f9a4fd33a1bbc646801a3c28117b9e358
Size: 718.73 kB - ipa-client-4.8.7-14.0.1.module+el8+1226+5eaf1d53.x86_64.rpm
MD5: c464e53348cea949035755ee2eed5c8e
SHA-256: 9d5b4889f380c1e7362fa728366c6509e6a06df6d199871cb80e71828e3c8878
Size: 271.39 kB - ipa-client-common-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: b1f3a0e09d4f2b3a50d0e0c423fd5ce3
SHA-256: 9f362607d4afc974f12dfcc9dda1f7579d3a30ac2a432120d7a4d64f0145f6ed
Size: 177.52 kB - ipa-client-epn-4.8.7-14.0.1.module+el8+1226+5eaf1d53.x86_64.rpm
MD5: b29b478571f3dc3934c4c2af2bd7b33a
SHA-256: d5219fbf39529b8a277e6556ef2d0b16661977eced2d446b3e03fea4aab43c83
Size: 175.70 kB - ipa-client-samba-4.8.7-14.0.1.module+el8+1226+5eaf1d53.x86_64.rpm
MD5: 09b68d4a5d85c603012fa3084c672c89
SHA-256: 45d506ce4a776bf55d5e764ce46242990b3c66e88e9e95245837a2477ab88a1f
Size: 172.34 kB - ipa-common-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 2accf21fe0103285c4f15c446b5ae37e
SHA-256: c1499701e8fd73776f7841d563a4a3e54346bd0d27a64a3ba941b4eff85289fa
Size: 743.41 kB - ipa-debugsource-4.8.7-14.0.1.module+el8+1226+5eaf1d53.x86_64.rpm
MD5: 12918f83b63710f2abf53e9f437b18a5
SHA-256: d9e5922dcbaf519047f5be5d8155f6240a546b7ab36ce4fb209129b3bff55138
Size: 469.75 kB - ipa-python-compat-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 4afdb1b2595a86319d4ca74c1ea95541
SHA-256: af578af525b0336c69ec0494bd276452f6d0551e85b1426b935190df7128187e
Size: 170.14 kB - ipa-selinux-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 79e2111a84646a215877e07de5f936f2
SHA-256: 7f1061f1b8fbe133a378f95098d9334b723ee9a74955b8020f78263c23e60888
Size: 170.48 kB - python3-ipaclient-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 7333b5698638b06b030bdc306b52bb24
SHA-256: 74fbe65452c8be5df7741f937773d0b22b7c869e9baef7d7060138ca43316b82
Size: 679.52 kB - python3-ipalib-4.8.7-14.0.1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: b1ec7ccc09cea7c6c8ae06ac236ade37
SHA-256: 3d362eb4cb79c586054e7b0918570f0f9a4fd33a1bbc646801a3c28117b9e358
Size: 718.73 kB - python3-jwcrypto-0.5.0-1.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 5c71c8cab2e5065c01c7924aa6b92e70
SHA-256: aa8acc7da0d380b5eb63c1ec86b44fbe3bbb735421f211242b352e9e10800a5e
Size: 64.38 kB - python3-qrcode-5.1-12.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 7ca604a9516b693ef34729820d78c8fa
SHA-256: 9f50e656a43e4fcb1129c524c62098fd5e7fbcde8d9d7897694c6dae1db4c82e
Size: 16.33 kB - python3-qrcode-core-5.1-12.module+el8+1226+5eaf1d53.noarch.rpm
MD5: bf7fafdde5c089b133d6071a7a844f13
SHA-256: 67800b2ca50f59d140a59d0af50c0b010dc509ff80d29b0d293e0841d04111e0
Size: 44.53 kB - python3-yubico-1.3.2-9.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 8a63c12be58e67c93e62a6797b0b0942
SHA-256: 34c54719e369834ea3e0c5d520d84616eaf305323e3d01337e7f3cc63464e7a5
Size: 62.20 kB - python3-pyusb-1.0.0-9.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 77f61d6591b93721cbbdcc83f0b7ceec
SHA-256: c6f89aab8ee5a80c4f7159b3c300f6827034e79e6926ca8d990e4ad793656adf
Size: 86.79 kB - python3-pyusb-1.0.0-9.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 77f61d6591b93721cbbdcc83f0b7ceec
SHA-256: c6f89aab8ee5a80c4f7159b3c300f6827034e79e6926ca8d990e4ad793656adf
Size: 86.79 kB - python3-pyusb-1.0.0-9.module+el8+1226+5eaf1d53.noarch.rpm
MD5: 77f61d6591b93721cbbdcc83f0b7ceec
SHA-256: c6f89aab8ee5a80c4f7159b3c300f6827034e79e6926ca8d990e4ad793656adf
Size: 86.79 kB
English