[ 
https://issues.apache.org/jira/browse/OFBIZ-13339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-13339:
------------------------------------
        Parent: OFBIZ-1525
    Issue Type: Sub-task  (was: Bug)

> jsgantt-improved blocks qs.js update
> ------------------------------------
>
>                 Key: OFBIZ-13339
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13339
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: projectmgr
>    Affects Versions: 24.09.05
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 24.09.05
>
>
> That's a problem because the current qs.js version used by OFBiz is vulnerable to 
> a DDOS attack. jsgantt-improved had not been updated for at least 3 years.
> This was reported by [Dependabot|https://github.com/dependabot] at 
> [https://github.com/apache/ofbiz-plugins/network/updates/1194761905]
> I copy it here because it will possibly be lost and I'm not sure everybody 
> has access.
> {quote}
> Dependabot cannot update qs to a non-vulnerable version
> The latest possible version that can be installed is 6.5.3 because of the 
> following conflicting dependencies:
> [email protected] requires qs@~6.5.2 via a transitive dependency on 
> [email protected]
> No patched version available for qs
> The earliest fixed version is 6.14.1.
> {quote}
>  
> Dependabot offers a hand made solution:
> [https://github.com/advisories/GHSA-6rw7-vpxm-498p]
> The security team agreed to disable jsgantt-improved, with information 
> for OFBiz users allowing them to enable it if they are safe from related 
> DDOS attacks, e.g. totally secured Internet access, or preferably no access 
> at all (it's DDOS)!
> Another part is to update request.js by hand in OFBiz.
> I have created an issue for jsgantt-improved team at 
> https://github.com/jsGanttImproved/jsgantt-improved/issues/384
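As an added triage check (not part of the issue, of OFBiz or of Dependabot), a small Node script that walks a package-lock.json for qs installs below the 6.14.1 fix named above and reports whether the parent's declared range (here request's qs@~6.5.2) could ever resolve to it; the lock fragment is constructed for the demonstration.

```javascript
// Added example: only the fixed version 6.14.1 and the ~6.5.2 range come from
// the issue; the lock file below is constructed, not taken from ofbiz-plugins.
const FIXED_QS = "6.14.1";

// Constructed lockfileVersion 3 fragment (keys are install paths).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/qs": { version: "6.5.3" },
    "node_modules/request": { version: "2.88.2", dependencies: { qs: "~6.5.2" } },
    "node_modules/request/node_modules/qs": { version: "6.5.2" },
    "node_modules/express/node_modules/qs": { version: "6.14.1" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (leading ~ or ^ stripped) into numbers.
function parseVersion(v) {
  return v.replace(/^[~^]/, "").split(".").map((n) => parseInt(n, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Can a tilde/caret/exact range ever resolve to `target`?
// ~x.y.z allows only patch bumps; ^x.y.z allows minor+patch within the major.
function rangeCanReach(range, target) {
  const base = parseVersion(range);
  const t = parseVersion(target);
  if (compareVersions(target, range) < 0) return false;
  if (range.startsWith("~")) return t[0] === base[0] && t[1] === base[1];
  if (range.startsWith("^")) return t[0] === base[0];
  return compareVersions(range, target) === 0; // exact pin
}

// Every qs install path below the fixed release, with the range that pins it
// (if the parent package declares one) and whether that range could reach the fix.
function findVulnerableQs(lock, fixed = FIXED_QS) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (!/(^|\/)node_modules\/qs$/.test(path)) continue;
    if (compareVersions(pkg.version, fixed) >= 0) continue;
    const parent = path.slice(0, -"/node_modules/qs".length); // "" for top level
    const range = lock.packages[parent]?.dependencies?.qs ?? null;
    findings.push({ path, version: pkg.version, range,
      rangeCanReachFix: range ? rangeCanReach(range, fixed) : null });
  }
  return findings;
}
```

Run it against a real lock file by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; a finding whose range cannot reach the fix is exactly the conflict Dependabot reported.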



--
This message was sent by Atlassian Jira
(v8.20.10#820010)