[CKAN-Security] Vulnerabilities due to outdated software.

Adrià Mercader adria.mercader at okfn.org
Mon Oct 2 13:09:54 UTC 2017


Hi Gil,

Thank you very much for the report. We will discuss the best approach and
come back to you.

Best regards,

Adrià

On 28 September 2017 at 16:22, Gil Hilário <gil at civity.nl> wrote:

> Hi,
>
> I’m contacting you to speak about some vulnerabilities that are related
> to outdated software in some CKAN dependencies (this was mainly
> identified on version 2.6.2 but I think most things are still relevant):
>
>    - The pylons
>    <https://github.com/ckan/ckan/blob/master/requirements.txt#L36> web
>    framework used by CKAN is outdated and vulnerable to cookie timing attacks
>    and XSS via the "Post Traceback", an issue that is solved
>    <https://github.com/Pylons/pylons/blob/master/CHANGELOG#L9> in the
>    most recent version.
>
> I know that you are currently busy with the migration to Flask
> <https://github.com/ckan/ckan/wiki/Migration-from-Pylons-to-Flask>; do
> you have any estimated time for the conclusion of that migration? Are there
> any known issues in upgrading the pylons version to the most recent
> <https://github.com/Pylons/pylons/releases/tag/v1.0.2>?
>
>    - The html5lib
>    <https://github.com/ckan/ckan/blob/master/requirements.txt#L18>
>    included in the requirements.txt (via bleach) is also outdated and
>    vulnerable to an XSS attack. The Bleach version being used is 1.5
>    <https://github.com/ckan/ckan/blob/master/requirements.txt#L10> but
>    there is already a 2.0 version
>    <https://github.com/mozilla/bleach/releases/tag/v2.0> that mentions
>    that it “no longer supports html5lib < 0.99999999”.
>
>    - The library moment.js version 2.10.3 has known security issues
>    <https://github.com/moment/moment/issues/2936>, which are fixed
>    <https://github.com/moment/moment/blob/develop/CHANGELOG.md#2112-fix-redos-attack-vector>
>    in the more recent versions.
>
>    - The Javascript file 'bootstrap.js' includes a vulnerable
>    <https://github.com/janl/mustache.js/pull/530> version of the library 'mustache.js'
>    (v0.5.0-dev)
>    <https://github.com/ckan/ckan/blob/ef893419a5ff994ce5000c07aec4bbc0ec5b920a/ckanext/reclineview/theme/public/resource.config#L19>.
>    I’m also aware that CKAN core will switch to using Bootstrap 3, so this might
>    be solved with that…?
>
>    - The Angular installation v1.4.4, from 2015-08-13, is vulnerable to
>    conditions that may lead to XSS. (more info
>    <https://github.com/angular/angular.js/blob/master/CHANGELOG.md>)
>
>    - There are multiple outdated jQuery components (v1.10.2 and v1.7.1)
>    that are vulnerable to XSS while dealing with certain user input. For more
>    information: http://research.insecurelabs.org/jquery/test/. Vulnerable
>    components:
>       vendor/jquery/1.7.1/jquery.min.js;
>       vendor/underscore/1.4.4/underscore.js;
>       vendor/backbone/1.0.0/backbone.js;
>       vendor/mustache/0.5.0-dev/mustache.min.js;
>       vendor/bootstrap/3.2.0/js/bootstrap.js
>
> Thanks for all the great work at the CKAN project. Hope this helps it a
> bit.
>
> Best Regards,
>
> Gil Hilário
>
> *T* +31 (0)6 24 16 07 23 | *E* gil at civity.nl
> Handelsweg 6-1 | 3707 NH Zeist
> *W* www.civity.nl
>
> *Civity is part of the Onetrail group (www.onetrail.com
> <http://www.onetrail.com/>)*
>
> *Civity is the initiator of FIWARE LAB Nederland, the open innovation
> environment for smart cities www.fiware-lab.nl
> <http://www.fiware-lab.nl/>*
>
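One way to turn the fix versions cited in the report into a repeatable check, as an added example that is not CKAN's own tooling: it scans requirements.txt-style pins and vendored asset paths (the `vendor/<lib>/<version>/` layout listed above) against a minimum-version table. The Pylons, Bleach and html5lib thresholds come from the links in the report; the moment.js threshold of 2.11.2 is assumed from the changelog anchor, and the sample input is constructed for illustration.

```python
"""Flag dependency pins and vendored assets below known fix versions.

Added example, not CKAN project code. Thresholds are taken from the report
above; the moment.js one is an assumption read off its changelog anchor.
"""
import re

# Lowest version considered fixed, keyed by lowercase package/library name.
FIXED_VERSIONS = {
    "pylons": "1.0.2",         # release the report links to
    "bleach": "2.0",           # Bleach 2.0 dropped html5lib < 0.99999999
    "html5lib": "0.99999999",  # required by Bleach 2.0
    "moment": "2.11.2",        # assumed from the ReDoS-fix changelog anchor
}

# requirements.txt pin: "Name==1.2.3" (optional extras, trailing comments)
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9.]*)")
# vendored asset path: "vendor/<lib>/<version>/..." as listed in the report
VENDOR_RE = re.compile(r"vendor/([A-Za-z0-9_.-]+)/([0-9][0-9.]*[A-Za-z0-9.-]*)/")


def version_key(v):
    """Comparable key: numeric tuple, with a '-dev'/pre-release suffix
    sorting below the bare number (so 0.5.0-dev < 0.5.0)."""
    core, _, suffix = v.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    return nums, 0 if suffix else 1


def find_outdated(lines):
    """Return (name, found, minimum) for every pin or vendor path whose
    version is below FIXED_VERSIONS; libraries not in the table are ignored."""
    findings = []
    for line in lines:
        line = line.split("#", 1)[0]  # drop trailing comments
        for rx in (PIN_RE, VENDOR_RE):
            m = rx.search(line)
            if not m:
                continue
            name, found = m.group(1).lower(), m.group(2)
            minimum = FIXED_VERSIONS.get(name)
            if minimum and version_key(found) < version_key(minimum):
                findings.append((name, found, minimum))
    return findings


# Constructed sample input mirroring the kinds of entries the report cites.
SAMPLE = [
    "Pylons==0.9.7",
    "bleach==1.5.0",
    "html5lib==0.9999999",
    "Jinja2==2.8   # unrelated pin, not in the table",
    "vendor/moment/2.10.3/moment.js",
    "vendor/jquery/1.7.1/jquery.min.js",
]

if __name__ == "__main__":
    for name, found, minimum in find_outdated(SAMPLE):
        print(f"{name}: pinned {found}, fixed in {minimum}")
```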