Upgrade rdiffweb to 2.4.5 to vix vulnerabilities

ikus060 · Sep 16, 2022 · 7b5c7e6 · 7b5c7e6
1 parent b2d7e66
commit 7b5c7e6
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -69,7 +69,20 @@ The Minarca website is https://www.ikus-soft.com/en/minarca/.
 
 # Changelog
 
-## Next Release
+## 4.2.2 (2022-09-16)
+
+This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
+
+* Upgrade Rdiffweb to 2.4.5
+  * Mitigate CSRF on repository deletion and user deletion. [CVE-2022-3232](https://nvd.nist.gov/vuln/detail/CVE-2022-3232)
+  * Use `X-Real-IP` to identify client IP address to mitigate Brute-Force attack
+  * Mitigate CSRF in profile's SSH Keys [CVE-2022-3221](https://nvd.nist.gov/vuln/detail/CVE-2022-3221)
+  * Use 'Secure' Attribute with Sensitive Cookie in HTTPS Session. [CVE-2022-3174](https://nvd.nist.gov/vuln/detail/CVE-2022-3174)
+  * Avoid leakage of the stack trace in the default error page. [CVE-2022-3175](https://nvd.nist.gov/vuln/detail/CVE-2022-3175)
+  * Enforce minimum and maximum password length [CVE-2022-3175](https://nvd.nist.gov/vuln/detail/CVE-2022-3179)
+  * Add Clickjacking Defense [CVE-2022-3167](https://nvd.nist.gov/vuln/detail/CVE-2022-3167)
+
+## 4.2.1 (2022-07-15)
 
 * Add Ubuntu Jammy support
 * Add Debian Bookworm support

diff --git a/minarca-server/minarca_server/plugins/tests/test_minarca.py b/minarca-server/minarca_server/plugins/tests/test_minarca.py
@@ -50,7 +50,7 @@ def test_add_user_without_user_root(self):
         # Given a minarca base dir
         self.assertIsNotNone(self.app.cfg.minarca_user_base_dir)
         # When adding a new user without specific user_root
-        self._add_user("mtest1", None, "mtest1", None, False)
+        self._add_user("mtest1", None, "password", None, False)
         self.assertInBody("User added successfully.")
         # Then user root directory is defined within the base dir
         user = self.app.store.get_user('mtest1')
@@ -60,7 +60,7 @@ def test_add_user_with_user_root(self):
         # Given a minarca base dir
         self.assertIsNotNone(self.app.cfg.minarca_user_base_dir)
         # When adding a new user with a specific user_root
-        self._add_user("mtest2", None, "mtest2", "/home/mtest2", False)
+        self._add_user("mtest2", None, "password", "/home/mtest2", False)
         self.assertInBody("User added successfully.")
         # Then user root is updated to be within the base dir
         user = self.app.store.get_user('mtest2')

diff --git a/minarca-server/setup.py b/minarca-server/setup.py
@@ -27,7 +27,7 @@
         "setuptools_scm>=5.0.1",
     ],
     install_requires=[
-        "rdiffweb==2.4.0",
+        "rdiffweb==2.4.5",
         "cherrypy>=18.0.0",
         "requests",
         "tzlocal~=2.0",