[Bug 1955556] Re: Javascript libraries with vulnerabilities
Balazs Gibizer
1955556 at bugs.launchpad.net
Wed Aug 3 15:11:39 UTC 2022
OK, so the general answer is that we expect downstream to fix the CVEs in the dependencies. We only focus on direct vulnerabilities in Horizon.
Fine by me. Thanks Jeremy.
https://bugs.launchpad.net/bugs/1955556
Title:
Javascript libraries with vulnerabilities
Status in OpenStack Dashboard (Horizon):
Confirmed
Status in OpenStack Security Advisory:
Won't Fix
Status in horizon package in Ubuntu:
Confirmed
Bug description:
A security scan executed by a customer detected JavaScript libraries with known vulnerabilities in the Horizon dashboard on focal ussuri (3:18.3.4-0ubuntu1):
# libraries with vulnerabilities
## jQuery 1.12.4
* https://github.com/jquery/jquery/issues/2432
## jQuery Migrate 1.2.1
* http://bugs.jquery.com/ticket/11290
## AngularJS 1.5.8
* https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
* https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
* https://nvd.nist.gov/vuln/detail/CVE-2020-7676
The libraries are included via https://github.com/openstack/horizon/blob/stable/ussuri/requirements.txt
Is it possible to update these libraries and release an updated package?