[
https://issues.apache.org/jira/browse/ARTEMIS-3971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17600735#comment-17600735
]
Robbie Gemmell commented on ARTEMIS-3971:
-----------------------------------------
These are part of the javadoc output on newer JDKs (following
https://openjdk.org/jeps/225), so to justins earlier comment you can simply
remove it for now.
The actual javadoc content is down to the specific JDK used to build the
output, and these have all it seems been upgraded in the JDK previously or will
be soon (e.g updated but not released yet), e.g:
https://bugs.openjdk.org/browse/JDK-8289454
https://bugs.openjdk.org/browse/JDK-8291029
https://bugs.openjdk.org/browse/JDK-8272180
It seems you can perhaps also disable the search feature and that prevents all
of their inclusions, by disabling the index. Since the search box causing the
issue was never there before (<JDK9 didnt include it), and I dont find the
index that useful really, I think that might be the simplest option to avoid
future hassles.
(Although personally I'd go further and just remove the javadoc from the broker
served bits since I expect these days most people read it from an IDE or the
site instead. For me the only time I ever looked at the broker served version
was once recently, when dropping it from non-release builds to save the massive
chunk of time the javadoc processing burns.)
> Upgrade vulnerable javascript dependencies - jQuery, jQuery UI, jszip
> ---------------------------------------------------------------------
>
> Key: ARTEMIS-3971
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3971
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: API
> Affects Versions: 2.24.0
> Reporter: Jakub Moravec
> Priority: Critical
>
> Please upgrade the listed libraries, as there are reported vulnerabilities
> for them, see the list below. This is a blocker for production deployments.
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358]
> {quote}jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
> products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
> pollution. If an unsanitized source object contained an enumerable
> _{_}proto{_}_ property, it could extend the native Object.prototype.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022]
> {quote}In jQuery versions greater than or equal to 1.2 and before 3.5.0,
> passing HTML from untrusted sources - even after sanitizing it - to one of
> jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may
> execute untrusted code. This problem is patched in jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023]
> {quote}In jQuery versions greater than or equal to 1.0.3 and before 3.5.0,
> passing HTML containing <option> elements from untrusted sources - even after
> sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(),
> .append(), and others) may execute untrusted code. This problem is patched in
> jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31160]
> {quote}jQuery UI is a curated set of user interface interactions, effects,
> widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are
> potentially vulnerable to cross-site scripting. Initializing a checkboxradio
> widget on an input enclosed within a label makes that parent label contents
> considered as the input label. Calling `.checkboxradio( "refresh" )` on such
> a widget and the initial HTML contained encoded HTML entities will make them
> erroneously get decoded. This can lead to potentially executing JavaScript
> code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue,
> someone who can change the initial HTML can wrap all the non-input contents
> of the `label` in a `span`.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23413]
> {quote}This affects the package jszip before 3.7.0. Crafting a new zip file
> with filenames set to Object prototype values (e.g _{_}proto{_}_, toString,
> etc) results in a returned object with a modified prototype instance.
> {quote}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
