[Bug 1955556] Re: Javascript libraries with vulnerabilities

Balazs Gibizer 1955556 at bugs.launchpad.net
Wed Aug 3 15:11:39 UTC 2022


OK, so the general answer is that we expect downstream to fix the CVEs in the dependencies. We only focus on direct vulnerabilities in Horizon.
Fine by me. Thanks Jeremy.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1955556

Title:
  Javascript libraries with vulnerabilities

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix
Status in horizon package in Ubuntu:
  Confirmed

Bug description:
  A security scan executed by a customer detected JavaScript libraries
  with known vulnerabilities in the Horizon dashboard on focal ussuri
  (3:18.3.4-0ubuntu1):

  # libraries with vulnerabilities

  ## jQuery 1.12.4
  * https://github.com/jquery/jquery/issues/2432

  ## jQuery Migrate 1.2.1
  * http://bugs.jquery.com/ticket/11290

  ## AngularJS 1.5.8
  * https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
  * https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
  * https://nvd.nist.gov/vuln/detail/CVE-2020-7676

  
  The libraries are included via https://github.com/openstack/horizon/blob/stable/ussuri/requirements.txt

  Is it possible to update these libraries and release an updated
  package?

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1955556/+subscriptions




More information about the Ubuntu-openstack-bugs mailing list