[Bug 1955556] Re: Javascript libraries with vulnerabilities

Jeremy Stanley 1955556 at bugs.launchpad.net
Mon Aug 1 13:53:29 UTC 2022


Balazs Gibizer: It's a grey area, but it's technically correct to say
that we don't mandate use of vulnerable jQuery. Our global requirements
and constraints lists indicate the upstream versions we test with and
know to work, which yes are vulnerable versions. OpenStack expects
security vulnerabilities in its dependencies to be patched downstream in
most cases (GNU/Linux distributions often backport security fixes to
older versions of libraries).

If Horizon developers have time to get it working and tested with newer
libraries rather than putting the dependency patching burden on
downstream consumers, then that would be great, of course, but it's
unlikely to be a backportable solution in Horizon so not something we're
going to be able to issue a security advisory for (hence the "won't fix"
state for the advisory task). Hopefully that makes sense?

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1955556

Title:
  Javascript libraries with vulnerabilities

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix
Status in horizon package in Ubuntu:
  Confirmed

Bug description:
  A security scan executed by a customer detected javascript libraries
  with known vulnerabilities in horizon dashboard on focal ussuri
  (3:18.3.4-0ubuntu1):

  # libraries with vulnerabilities

  ## jQuery 1.12.4
  * https://github.com/jquery/jquery/issues/2432

  ## jQuery Migrate 1.2.1
  * http://bugs.jquery.com/ticket/11290

  ## AngularJS 1.5.8
  * https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
  * https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
  * https://nvd.nist.gov/vuln/detail/CVE-2020-7676

  
  The libraries are included via https://github.com/openstack/horizon/blob/stable/ussuri/requirements.txt

  Is it possible to update these libraries and release an updated
  package?

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1955556/+subscriptions
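The thread turns on a point a scanner cannot see from a version banner: the pin in requirements.txt names the upstream version Horizon was tested with, while the distribution package may already carry a backported fix for the same CVE. The following added example (not code from Horizon, OpenStack, Ubuntu or the bug reporter) shows the check a practitioner would want before filing such a report: parse the pins, compare the wrapped upstream version against an advisory threshold, then consult the distro changelog to see whether the CVE was backported. The requirements excerpt, the advisory thresholds, the XStatic package names and the changelog lines are all constructed for illustration and are assumptions, not data taken from the page; substitute your own advisory feed and the real package changelog.

```python
"""Backport-aware check of pinned JavaScript libraries.

Added example, not part of the original bug report or of any OpenStack or
Ubuntu tooling. All sample inputs below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the style of Horizon's requirements.txt (assumed pins).
REQUIREMENTS = """\
XStatic-jQuery>=1.12.4.1  # MIT
XStatic-JQuery-Migrate>=1.2.1.1  # MIT
XStatic-Angular>=1.5.8.0  # MIT
Django>=2.2,<3.0  # BSD
"""

# Constructed advisory table: package -> [(CVE, first fixed upstream version)].
# Thresholds are assumptions for the example; take real ones from your feed.
ADVISORIES = {
    "XStatic-jQuery": [("CVE-2020-11022", (3, 5, 0))],
    "XStatic-Angular": [("CVE-2020-7676", (1, 8, 0))],
}

# Constructed distro changelog excerpt (Debian/Ubuntu style). Whether a CVE is
# named here is what distinguishes a backported fix from a real exposure; the
# version string alone cannot tell the two apart. Hypothetical content.
CHANGELOG = """\
python-xstatic-jquery (1.12.4.1-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: XSS via htmlPrefilter (CVE-2020-11022)
"""

PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|<=|!=|>|<)\s*([0-9][0-9.]*)"
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_version(text):
    """'1.12.4.1' -> (1, 12, 4, 1); tuples compare component-wise."""
    return tuple(int(p) for p in text.strip(".").split("."))


def parse_requirements(text):
    """Return {package: version from the first specifier}; comments are ignored.

    For a '>=' lower bound this is the version the project tests against,
    which is what the global requirements list records.
    """
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1)] = parse_version(m.group(3))
    return pins


def upstream_version(xstatic_version):
    """XStatic appends a packaging digit: 1.12.4.1 wraps upstream jQuery 1.12.4."""
    return xstatic_version[:3]


def backported_cves(changelog):
    """CVE identifiers the packager recorded as fixed in the changelog."""
    return set(CVE_RE.findall(changelog))


@dataclass(frozen=True)
class Finding:
    package: str
    cve: str
    pinned: str
    status: str  # "vulnerable-upstream" or "fixed-downstream"


def assess(requirements, advisories, changelog):
    """Flag pins below the advisory threshold, downgrading those the distro patched."""
    pins = parse_requirements(requirements)
    fixed = backported_cves(changelog)
    findings = []
    for pkg, version in pins.items():
        for cve, first_fixed in advisories.get(pkg, []):
            if upstream_version(version) >= first_fixed:
                continue  # upstream version already carries the fix
            status = "fixed-downstream" if cve in fixed else "vulnerable-upstream"
            findings.append(Finding(pkg, cve, ".".join(map(str, version)), status))
    return findings


if __name__ == "__main__":
    for f in assess(REQUIREMENTS, ADVISORIES, CHANGELOG):
        print(f"{f.package} {f.pinned}: {f.cve} -> {f.status}")
```

With the constructed inputs the jQuery pin is reported as fixed downstream because the changelog names the CVE, while the AngularJS pin stays a real finding. A scanner that keys only on the version string would report both the same way, which is the grey area the reply describes.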