[CKAN-Security] Vulnerabilities due to outdated software.

Gil Hilário gil at civity.nl
Thu Sep 28 15:22:33 UTC 2017


Hi,
I'm contacting you to speak about some vulnerabilities related to outdated software in some CKAN dependencies (this was mainly identified on version 2.6.2, but I think most things are still relevant):

  *   The pylons<https://github.com/ckan/ckan/blob/master/requirements.txt#L36> web framework used by CKAN is outdated and vulnerable to cookie timing attacks and XSS via the "Post Traceback". This issue is solved<https://github.com/Pylons/pylons/blob/master/CHANGELOG#L9> in the most recent version.

I know that you are currently busy with the migration to Flask<https://github.com/ckan/ckan/wiki/Migration-from-Pylons-to-Flask>; do you have any estimated time for the conclusion of that migration? Are there any known issues in upgrading the pylons version to the most recent<https://github.com/Pylons/pylons/releases/tag/v1.0.2>?

  *   The html5lib<https://github.com/ckan/ckan/blob/master/requirements.txt#L18> included in the requirements.txt (via bleach) is also outdated and vulnerable to an XSS attack. The Bleach version being used is 1.5<https://github.com/ckan/ckan/blob/master/requirements.txt#L10>, but there is already a 2.0 version<https://github.com/mozilla/bleach/releases/tag/v2.0> that mentions that it "no longer supports html5lib < 0.99999999".

  *   The library moment.js version 2.10.3 has known security issues<https://github.com/moment/moment/issues/2936>, which are fixed<https://github.com/moment/moment/blob/develop/CHANGELOG.md#2112-fix-redos-attack-vector> in more recent versions.

  *   The Javascript file 'bootstrap.js' includes a vulnerable<https://github.com/janl/mustache.js/pull/530> version of the library 'mustache.js' (v0.5.0-dev)<https://github.com/ckan/ckan/blob/ef893419a5ff994ce5000c07aec4bbc0ec5b920a/ckanext/reclineview/theme/public/resource.config#L19>. I'm also aware that CKAN core will switch to use Bootstrap 3, so this might be solved with that...?

  *   The Angular installation v1.4.4, from 2015-08-13, is vulnerable to conditions that may lead to XSS. (more info<https://github.com/angular/angular.js/blob/master/CHANGELOG.md>)

  *   There are multiple outdated jQuery components (v1.10.2 and v1.7.1) that are vulnerable to XSS while dealing with certain user input. For more information: http://research.insecurelabs.org/jquery/test/. Vulnerable components:
      vendor/jquery/1.7.1/jquery.min.js;
      vendor/underscore/1.4.4/underscore.js;
      vendor/backbone/1.0.0/backbone.js;
      vendor/mustache/0.5.0-dev/mustache.min.js;
      vendor/bootstrap/3.2.0/js/bootstrap.js

Thanks for all the great work at the CKAN project. Hope this helps it a bit.
Best Regards,
Gil Hilário

T +31 (0)6 24 16 07 23 | E gil at civity.nl<mailto:gil at civity.nl>
Handelsweg 6-1 | 3707 NH Zeist
W www.civity.nl<http://www.civity.nl/>

Civity is part of the Onetrail group (www.onetrail.com<http://www.onetrail.com/>)
Civity is the initiator of FIWARE LAB Nederland, the open innovation environment for smart cities www.fiware-lab.nl<http://www.fiware-lab.nl/>
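As an added illustration for the report above (it is not part of the message and not CKAN's own tooling), the following Python script shows how a maintainer can audit the pins in a requirements.txt and the version directories of vendored JavaScript against a table of minimum fixed versions. The table is constructed from the versions the message mentions (Pylons 1.0.2, Bleach 2.0, html5lib 0.99999999, moment.js 2.11.2 from the linked changelog anchor) and is not a vulnerability database; the sample requirements and vendor paths are likewise constructed, as are the function and variable names.

```python
"""Audit pinned dependency versions against a table of minimum fixed versions.

Added example; the table and sample inputs are constructed from the versions
named in the report and are not CKAN's files or a vulnerability database.
"""
import re

# Minimum versions that resolve the issues in the report (constructed table).
MINIMUM_FIXED = {
    "pylons": "1.0.2",       # release linked in the report
    "bleach": "2.0",         # Bleach 2.0 requires html5lib >= 0.99999999
    "html5lib": "0.99999999",
    "moment": "2.11.2",      # changelog anchor linked in the report
}

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|<|>)\s*([0-9][0-9A-Za-z.]*)")
_EGG_RE = re.compile(r"#egg=([A-Za-z0-9._-]+)")
_VENDOR_RE = re.compile(r"vendor/([A-Za-z0-9._-]+)/([0-9][0-9A-Za-z.-]*)/")


def parse_version(v):
    """Split '1.0.2' or '2.0rc1' into (number, is_final, suffix) parts.
    A non-empty suffix marks a pre-release and sorts before the bare number."""
    parts = []
    for chunk in re.split(r"[.\-]", v):
        num, rest = re.match(r"(\d*)(.*)", chunk).groups()
        parts.append((int(num) if num else 0, rest == "", rest))
    return parts


def version_lt(a, b):
    """True if version a sorts strictly before b; '2' and '2.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    pad = (0, True, "")
    width = max(len(pa), len(pb))
    return pa + [pad] * (width - len(pa)) < pb + [pad] * (width - len(pb))


def parse_requirements(text):
    """Yield (name, operator, version) per requirement line.
    VCS lines yield (egg_name, None, None) so they can be flagged as unpinned."""
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()      # drop trailing comments
        if line.startswith("-e "):
            line = line[3:].strip()
        if not line or line[0] in "#-":           # comments, -r/-c options
            continue
        m = _REQ_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)
            continue
        egg = _EGG_RE.search(line)
        if egg:
            yield egg.group(1).lower(), None, None


def audit_requirements(text, minimums=MINIMUM_FIXED):
    """Return (name, pinned, minimum, reason) for every pin that cannot reach
    the fixed version. Lower bounds (>=, >, ~=) still admit a fixed release
    and are not flagged."""
    findings = []
    for name, op, version in parse_requirements(text):
        if name not in minimums:
            continue
        floor = minimums[name]
        if op is None:
            reason = "unpinned VCS requirement"
        elif op == "==" and version_lt(version, floor):
            reason = "pinned below fixed version"
        elif op == "<=" and version_lt(version, floor):
            reason = "upper bound below fixed version"
        elif op == "<" and not version_lt(floor, version):
            reason = "upper bound excludes fixed version"
        else:
            continue
        findings.append((name, version, floor, reason))
    return findings


def audit_vendor_paths(paths, minimums=MINIMUM_FIXED):
    """Same check for vendored JavaScript laid out as vendor/<lib>/<version>/..."""
    findings = []
    for path in paths:
        m = _VENDOR_RE.search(path)
        if m and m.group(1).lower() in minimums:
            name, version = m.group(1).lower(), m.group(2)
            if version_lt(version, minimums[name]):
                findings.append((name, version, minimums[name], "vendored below fixed version"))
    return findings


# Constructed sample inputs, modelled on the pins discussed in the report.
SAMPLE_REQUIREMENTS = """\
bleach==1.5.0
html5lib==0.9999999
Pylons==0.9.7
requests==2.11.1  # not in the table, ignored
-e git+https://github.com/example/ckanext-demo.git#egg=ckanext-demo
"""
SAMPLE_VENDOR_PATHS = [
    "vendor/moment/2.10.3/moment.js",
    "vendor/jquery/1.7.1/jquery.min.js",  # no threshold in the table, ignored
]

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS) + audit_vendor_paths(SAMPLE_VENDOR_PATHS):
        print("%-10s pinned=%s minimum=%s (%s)" % f)
```

Run against a checkout, feed it the contents of requirements.txt and a `find . -path '*vendor*'` listing; each finding names the pin, the minimum the table expects and why the pin cannot satisfy it. Pre-release suffixes sort below their final release so that a pin such as `2.0rc1` is still reported when the fix landed in `2.0`.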