Instructions for application of hotfix for the flexigrid vulnerability

The hotfix is available in our repositories for the following versions of LinOTP: 2.6.1 (2.6.1.2), 2.7.0 (2.7.0.3), 2.7.1 (2.7.1.3) and the current version 2.7.2 (2.7.2.2). You will receive the fix automatically with the next system upgrade. If upgrading the whole system is not an option in your environment, you can manually install the package that contains only the fix for your version of LinOTP, as described under "Installing the hotfix manually from package" below. Alternatively, you can apply the hotfix manually from the ZIP file provided; this should work for all versions of LinOTP and is described under "Applying the hotfix manually from zip".
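The following POSIX shell script is an added example and not part of the LinOTP instructions or the LinOTP project. It answers the question the version list above raises in practice: does the LinOTP package installed on a system already contain the hotfix? It assumes the Debian package is named "linotp" and that its version string has the form shown later on this page (upstream version such as 2.7.2.2 followed by a Debian revision, e.g. 2.7.2.2-1); the fixed versions per release line are taken from the paragraph above.

```sh
#!/bin/sh
# Added example: check whether an installed LinOTP package version already
# contains the flexigrid hotfix. Assumption: the dpkg version string looks
# like "2.7.2.2-1" (numeric upstream version plus a Debian revision).

# Lowest hotfixed upstream version per LinOTP release line (from the text above).
fixed_version_for_line() {
    case "$1" in
        2.6.1) echo 2.6.1.2 ;;
        2.7.0) echo 2.7.0.3 ;;
        2.7.1) echo 2.7.1.3 ;;
        2.7.2) echo 2.7.2.2 ;;
        *) return 1 ;;          # release line without a listed hotfix
    esac
}

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1; missing components count as 0 (2.7 == 2.7.0).
vercmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    done
    printf '%s\n' 0
}

# has_flexigrid_fix DPKG_VERSION
# Returns 0 if the version contains the fix, 1 if it does not,
# 2 if the release line is not one of those listed above.
has_flexigrid_fix() {
    upstream="${1%%-*}"                                  # drop the Debian revision
    line=$(printf '%s\n' "$upstream" | cut -d. -f1-3)    # e.g. 2.7.2
    fixed=$(fixed_version_for_line "$line") || return 2
    [ "$(vercmp "$upstream" "$fixed")" -ge 0 ]
}

# Human-readable report for one version string.
report_version() {
    has_flexigrid_fix "$1"
    case $? in
        0) echo "LinOTP $1: flexigrid hotfix present" ;;
        1) echo "LinOTP $1: flexigrid hotfix MISSING, update the package" ;;
        *) echo "LinOTP $1: release line not covered by this hotfix list" ;;
    esac
}

# Version of the installed "linotp" package as reported by dpkg.
installed_linotp_version() {
    dpkg-query -W -f='${Version}' linotp
}

# Report on the version given as first argument, e.g.
#   sh check_flexigrid_fix.sh "$(dpkg-query -W -f='${Version}' linotp)"
if [ $# -gt 0 ]; then
    report_version "$1"
fi
```

On a live system run `report_version "$(installed_linotp_version)"`; the comparison is purely numeric, so pre-release suffixes in a version string are not handled.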

Installing the hotfix manually from package

Download the package for your release of LinOTP (choose the correct package for the Linux distribution LinOTP is running on):

Installation

  1. Copy the file to your LinOTP system using SCP. If you are using the LinOTP SVA from Windows, we recommend the command line tool PSCP as follows:
#> pscp linotp_VERSION.deb root@<linotpserver>:/root
  2. Open a login shell on your LinOTP server (on the SVA, execute "unsupported" to enter an unrestricted shell) and change to the directory containing the package:
root@linotpappliance:~# cd /root
(Note for SVA users: while we ask you to use "unsupported" to apply the hotfix, this particular procedure is fully supported by us.)
  3. List the content of the directory and install the package:
root@linotpappliance:~# ls
    linotp_2.7.2.2-1_all.deb

root@linotpappliance:~# dpkg -i linotp_VERSION.deb
  4. [SVA only] Leave "unsupported" mode using the command "exit".

LinOTP will serve the new file for all future requests. Please note that the old version may remain cached in the browser for some time, depending on the browser and its configuration.

Future LinOTP versions will include this fix, so it will not be necessary to apply this hotfix to any future updates.

Applying the hotfix manually from zip

The replacement file provided by the hotfix can be downloaded from our servers:

https://www.linotp.org/files/flexigrid.replace_2015-11-06.zip

The hotfix can be applied by copying the file contained in the archive onto the appliance. It is not necessary to restart any services or reboot the machine.

  1. Open the ZIP archive and copy the file "flexigrid.replace" it contains to your local system.
  2. Copy the file "flexigrid.replace" to your LinOTP system using SCP. If you are using the LinOTP SVA from Windows, we recommend the command line tool PSCP as follows:
#> pscp flexigrid.replace root@<linotpserver>:/root
  3. Open a login shell on your LinOTP server (on the SVA, execute "unsupported" to enter an unrestricted shell) and determine the location of the file to be replaced as follows:
root@linotpappliance:~# find / -name "flexigrid.js" -type f
You should see output similar to this:
/usr/share/pyshared/linotp/public/js/flexigrid.js
(Note for SVA users: while we ask you to use "unsupported" to apply the hotfix, this particular procedure is fully supported by us.)
  4. Change the current working directory to /root as follows:
root@linotpappliance:~# cd /root
  5. If you wish, create a backup of the file to be replaced, using the file path obtained in step 3, as follows:
root@linotpappliance:~# cp \
/usr/share/pyshared/linotp/public/js/flexigrid.js \
flexigrid.backup
Note that the backup uses a different file suffix so that it cannot be confused with, or accidentally overwrite, the new file.
  6. Replace the old file with the patched version:
root@linotpappliance:~# cp flexigrid.replace \
/usr/share/pyshared/linotp/public/js/flexigrid.js
Note that the file must be renamed to flexigrid.js as shown above, since that is the name under which LinOTP serves it.
  7. [SVA only] Leave "unsupported" mode using the command "exit".

LinOTP will serve the new file for all future requests. Please note that the old version may remain cached in the browser for some time, depending on the browser and its configuration.

Future LinOTP versions will include this fix, so it will not be necessary to apply this hotfix to any future updates.
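The following POSIX shell script is an added example, not part of the LinOTP instructions or the LinOTP project. It carries out steps 3, 5 and 6 of the ZIP procedure above in one run and adds the check a practitioner wants afterwards: it confirms that the installed flexigrid.js is byte-identical to flexigrid.replace before reporting success, and it is safe to run twice. It assumes flexigrid.replace has already been copied to the server (step 2) and that the file to replace is wherever "find" reports it; the function names and the backup path argument are this example's own.

```sh
#!/bin/sh
# Added example: apply the flexigrid.replace hotfix with a backup and a
# verification step. Assumes flexigrid.replace is already on the server.

# Locate flexigrid.js below ROOT (default "/"), like step 3 above.
# Prints the first match; fails if nothing is found.
locate_flexigrid() {
    root="${1:-/}"
    match=$(find "$root" -name flexigrid.js -type f 2>/dev/null | head -n 1)
    [ -n "$match" ] || return 1
    printf '%s\n' "$match"
}

# apply_flexigrid_hotfix TARGET REPLACEMENT [BACKUP]
# Backs TARGET up under a non-.js name (step 5), overwrites it with
# REPLACEMENT (step 6) and verifies that the installed file matches.
apply_flexigrid_hotfix() {
    target="$1"; replacement="$2"; backup="${3:-flexigrid.backup}"

    [ -f "$replacement" ] || { echo "replacement not found: $replacement" >&2; return 1; }
    [ -f "$target" ] || { echo "target not found: $target" >&2; return 1; }

    # Nothing to do if the patched file is already in place (safe to re-run).
    if cmp -s "$target" "$replacement"; then
        echo "hotfix already applied to $target"
        return 0
    fi

    # The backup keeps a different suffix so it cannot be mistaken for,
    # or overwrite, the new file.
    cp "$target" "$backup" || return 1
    cp "$replacement" "$target" || return 1

    # Verify before reporting success: served file must equal the replacement.
    if cmp -s "$target" "$replacement"; then
        echo "hotfix applied to $target (backup: $backup)"
        return 0
    fi
    echo "verification failed: $target does not match $replacement" >&2
    return 1
}

# End-to-end run when invoked with the path to flexigrid.replace, e.g.
#   sh apply_flexigrid_hotfix.sh /root/flexigrid.replace
if [ $# -gt 0 ]; then
    js=$(locate_flexigrid /) || { echo "flexigrid.js not found" >&2; exit 1; }
    apply_flexigrid_hotfix "$js" "$1" /root/flexigrid.backup
fi
```

No service restart is needed after the copy, as the page states, but the browser cache note above still applies: confirm the fix in a fresh session or after clearing the cache.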