[Bug 1955556] Re: Javascript libraries with vulnerabilities
Jeremy Stanley
1955556 at bugs.launchpad.net
Mon Aug 1 13:53:29 UTC 2022
Balazs Gibizer: It's a grey area, but it's technically correct to say
that we don't mandate use of vulnerable jQuery. Our global requirements
and constraints lists indicate the upstream versions we test with and
know to work, which yes are vulnerable versions. OpenStack expects
security vulnerabilities in its dependencies to be patched downstream in
most cases (GNU/Linux distributions often backport security fixes to
older versions of libraries).
If Horizon developers have time to get it working and tested with newer
libraries rather than putting the dependency patching burden on
downstream consumers, then that would be great, of course, but it's
unlikely to be a backportable solution in Horizon so not something we're
going to be able to issue a security advisory for (hence the "won't fix"
state for the advisory task). Hopefully that makes sense?
https://bugs.launchpad.net/bugs/1955556
Title:
Javascript libraries with vulnerabilities
Status in OpenStack Dashboard (Horizon):
Confirmed
Status in OpenStack Security Advisory:
Won't Fix
Status in horizon package in Ubuntu:
Confirmed
Bug description:
A security scan executed by a customer detected JavaScript libraries
with known vulnerabilities in the horizon dashboard on focal ussuri
(3:18.3.4-0ubuntu1):
# libraries with vulnerabilities
## jQuery 1.12.4
* https://github.com/jquery/jquery/issues/2432
## jQuery Migrate 1.2.1
* http://bugs.jquery.com/ticket/11290
## AngularJS 1.5.8
* https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
* https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
* https://nvd.nist.gov/vuln/detail/CVE-2020-7676
The libraries are included via https://github.com/openstack/horizon/blob/stable/ussuri/requirements.txt
Is it possible to update these libraries and release an updated
package?
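The scan above compares the versions pinned in Horizon's requirements.txt against known-vulnerable releases. The script below is an added example of how a downstream packager or operator can repeat that check locally; it is not code from Horizon, Ubuntu or the bug reporter. It assumes a requirements.txt-style input with XStatic packages (which append one packaging component to the upstream library version, e.g. 1.12.4.1 for jQuery 1.12.4), and a hand-maintained table of minimum patched upstream versions. The sample requirement lines are constructed, and the threshold versions in the table (jQuery 3.0.0 for jquery/jquery#2432, AngularJS 1.8.0 for CVE-2020-7676) are assumptions to be verified against the advisories; the jQuery Migrate entry deliberately carries no threshold so it is reported for manual review rather than silently passed.

```python
"""Flag pinned JavaScript libraries in a requirements.txt-style file whose
lower version bound is below a known patched upstream release."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample modelled on Horizon-style XStatic pins; not a copy of the
# project's real requirements.txt.
SAMPLE_REQUIREMENTS = """\
# web front-end libraries
XStatic-jQuery>=1.12.4.1 # MIT License
XStatic-JQuery.Migrate>=1.2.1.1 # MIT License
XStatic-jquery-ui>=1.12.0.1 # MIT License
XStatic-Angular>=1.5.8.0 # MIT License
Django>=2.2,<3.0 # BSD
"""

# Lowest upstream release believed to carry the fix for each cited issue.
# ASSUMPTION: these thresholds are the author's reading of the advisories;
# verify them before relying on the output. None means "unknown here", and
# such entries are always reported so a human looks at them.
MIN_FIXED: Dict[str, Tuple[Optional[Version], str]] = {
    "xstatic-jquery": ((3, 0, 0), "https://github.com/jquery/jquery/issues/2432"),
    "xstatic-jquery.migrate": (None, "http://bugs.jquery.com/ticket/11290"),
    "xstatic-angular": ((1, 8, 0), "CVE-2020-7676"),
}

# Only operators that establish a lower bound matter for this check.
SPEC = re.compile(r"(>=|==|~=|>)\s*([0-9][0-9.]*)")
NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def to_version(text: str) -> Version:
    """Turn '1.12.4.1' into (1, 12, 4, 1); stop at the first non-numeric part."""
    parts: List[int] = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, Version]:
    """Map each lower-cased package name to its lowest pinned version."""
    pins: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = NAME.match(line)
        if not m:
            continue
        bounds = [to_version(v) for _, v in SPEC.findall(line[m.end():])]
        if bounds:
            pins[m.group(1).lower()] = min(bounds)
    return pins


def upstream_version(name: str, pinned: Version) -> Version:
    """Strip the XStatic packaging component to recover the upstream version."""
    if name.startswith("xstatic-") and len(pinned) > 1:
        return pinned[:-1]
    return pinned


@dataclass
class Finding:
    package: str
    pinned: Version
    required: Optional[Version]  # None: no threshold known, review by hand
    reference: str

    def __str__(self) -> str:
        have = ".".join(map(str, self.pinned))
        if self.required is None:
            return f"{self.package} {have}: manual review ({self.reference})"
        need = ".".join(map(str, self.required))
        return f"{self.package} {have} < {need} ({self.reference})"


def find_vulnerable(text: str, table=MIN_FIXED) -> List[Finding]:
    """Return one Finding per pinned package that is below its fixed version."""
    findings: List[Finding] = []
    for name, pinned in parse_requirements(text).items():
        if name not in table:
            continue
        required, reference = table[name]
        upstream = upstream_version(name, pinned)
        if required is None or upstream < required:
            findings.append(Finding(name, upstream, required, reference))
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_REQUIREMENTS):
        print(finding)
```

Run against a real requirements.txt by reading the file into `find_vulnerable`; the check only looks at the lower bound of each specifier, which is what a packager actually ships when building from the constraints list, so a `<` upper bound never hides a vulnerable minimum.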