yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1955556] Re: Javascript libraries with vulnerabilities

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Balazs Gibizer <1955556@xxxxxxxxxxxxxxxxxx>
Date: Fri, 11 Feb 2022 09:24:51 -0000
Reply-to: Bug 1955556 <1955556@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

https://bugs.launchpad.net/horizon/+bug/1960489 got duplicated to this
bug. In that bug I listed 4 CVEs where, based on the CVE description,
the issues only fixed in JQuery >= 3 (and 3.5 in some cases). This bug
is marked as Invalid from upstream perspective stating that "From an
upstream OpenStack perspective, we don't mandate use of vulnerable
versions of dependencies, as the suggested version ranges in the
requirements.txt you linked can confirm." But upstream Horizon do states
JQuery < 2 which means we do mandate impacted JQuery versions. I'm
marking this as New again to get attention to this new fact.

** Changed in: horizon
       Status: Invalid => New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1955556

Title:
  Javascript libraries with vulnerabilities

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix
Status in horizon package in Ubuntu:
  Confirmed

Bug description:
  A security scan executed by a customer detected javascript libraries
  with known vulnerabilities in horizon dashboard on focal ussuri
  (3:18.3.4-0ubuntu1):

  # libraries with vulnerabilities

  ## jQuery 1.12.4
  * https://github.com/jquery/jquery/issues/2432

  ## jQuery Migrate 1.2.1
  * http://bugs.jquery.com/ticket/11290

  ## AngularJS 1.5.8
  * https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
  * https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
  * https://nvd.nist.gov/vuln/detail/CVE-2020-7676

  
  The libraries are included via https://github.com/openstack/horizon/blob/stable/ussuri/requirements.txt

  Is it possible to updated these libraries and release an updated
  package?

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1955556/+subscriptions