[
https://issues.apache.org/jira/browse/ROL-2150?focusedWorklogId=305171&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-305171
]
ASF GitHub Bot logged work on ROL-2150:
---------------------------------------
Author: ASF GitHub Bot
Created on: 02/Sep/19 12:53
Start Date: 02/Sep/19 12:53
Worklog Time Spent: 10m
Work Description: adityasharma7 commented on issue #37: WIP: Upgrade
jQuery to 3.4.1 ROL-2150
URL: https://github.com/apache/roller/pull/37#issuecomment-527137717
Thanks @snoopdave for the heads up :)
I traced back: JS library imports using webjars dependencies are available
in master [1] & roller 6 [2], but not in 5.2.x [3] [4].
Actually, I thought to make the change as per the current code of the
roller-5.2.x branch.
Though it will be a good idea to get those changes into 5.2.x.
Wdyt?
1. https://github.com/apache/roller/blob/master/app/pom.xml
2. https://github.com/apache/roller/blob/roller-6.0.x/app/pom.xml
3. https://markmail.org/message/zslwmmy5is23psc4
4. https://github.com/apache/roller/blob/roller-5.2.x/app/pom.xml
Issue Time Tracking
-------------------
Worklog Id: (was: 305171)
Time Spent: 1h 10m (was: 1h)
> Fix Js security vulnerabilities detected using retire js
> --------------------------------------------------------
>
> Key: ROL-2150
> URL: https://issues.apache.org/jira/browse/ROL-2150
> Project: Apache Roller
> Issue Type: Bug
> Components: User Interface - General
> Affects Versions: 5.2.4
> Reporter: Aditya Sharma
> Assignee: Aditya Sharma
> Priority: Major
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> {code:java}
> /roller/app/target/roller/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
> ↳ jquery-ui-dialog 1.11.0
> jquery-ui-dialog 1.11.0 has known vulnerabilities: severity: high; CVE:
> CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option;
> https://github.com/jquery/api.jqueryui.com/issues/281
> https://nvd.nist.gov/vuln/detail/CVE-2016-7103
> https://snyk.io/vuln/npm:jquery-ui:20160721
> /roller/app/target/roller/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
> ↳ jquery-ui-autocomplete 1.11.0
> /roller/app/target/roller/roller-ui/scripts/jquery-2.1.1.min.js
> ↳ jquery 2.1.1
> jquery 2.1.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/src/main/webapp/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
> ↳ jquery-ui-dialog 1.11.0
> jquery-ui-dialog 1.11.0 has known vulnerabilities: severity: high; CVE:
> CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option;
> https://github.com/jquery/api.jqueryui.com/issues/281
> https://nvd.nist.gov/vuln/detail/CVE-2016-7103
> https://snyk.io/vuln/npm:jquery-ui:20160721
> /roller/app/src/main/webapp/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
> ↳ jquery-ui-autocomplete 1.11.0
> /roller/app/src/main/webapp/roller-ui/scripts/jquery-2.1.1.min.js
> ↳ jquery 2.1.1
> jquery 2.1.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/themes/gaurav/js/jquery.js
> ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/test-classes/themes/gaurav/js/jquery.js
> ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/src/main/webapp/themes/gaurav/js/jquery.js
> ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-1.12.4.js
> ↳ jquery 1.12.4
> jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-2.2.4.js
> ↳ jquery 2.2.4
> jquery 2.2.4 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event
> handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-3.3.1.js
> ↳ jquery 3.3.1
> jquery 3.3.1 has known vulnerabilities: severity: low; CVE: CVE-2019-11358,
> summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
> products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
> pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/unsupported_plugins/ImageManager/smart-image.js
> ↳ swfobject 2.0
> swfobject 2.0 has known vulnerabilities: severity: medium; summary: DOM-based
> XSS;
> https://github.com/swfobject/swfobject/wiki/SWFObject-Release-Notes#swfobject-v21-beta7-june-6th-2008
> {code}
--
This message was sent by Atlassian Jira
(v8.3.2#803003)