[ https://issues.apache.org/jira/browse/OFBIZ-13339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-13339:
------------------------------------
    Description: 
That's a problem because the current qs.js version used by OFBiz is vulnerable to 
a DDoS attack. jsgantt-improved has not been updated for 3 years at least.

This was reported by [Dependabot|https://github.com/dependabot] at 
[https://github.com/apache/ofbiz-plugins/network/updates/1194761905]
I copy it here because it will possibly be lost and I'm not sure everybody has 
access.
{quote}
Dependabot cannot update qs to a non-vulnerable version
The latest possible version that can be installed is 6.5.3 because of the 
following conflicting dependencies:
[email protected] requires qs@~6.5.2 via a transitive dependency on 
[email protected]
No patched version available for qs
The earliest fixed version is 6.14.1.
{quote}
 
Dependabot offers a hand-made solution:
[https://github.com/advisories/GHSA-6rw7-vpxm-498p]

The security team agreed on disabling jsgantt-improved, with information for 
OFBiz users to allow them to enable it if they are safe from related DDoS 
attacks, e.g. totally secured Internet access, or preferably no access at all 
(it's DDoS)!

Another part is to update request.js by hand in OFBiz.

I have created an issue for the jsgantt-improved team at 
https://github.com/jsGanttImproved/jsgantt-improved/issues/384


  was:For this technical reason we are temporarily disabling the 
projectmgr/control/ganttChart feature


> jsgantt-improved blocks qs.js update
> ------------------------------------
>
>                 Key: OFBIZ-13339
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13339
>             Project: OFBiz
>          Issue Type: Bug
>          Components: projectmgr
>    Affects Versions: 24.09.05
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 24.09.05
>
>
> That's a problem because the current qs.js version used by OFBiz is vulnerable to 
> a DDoS attack. jsgantt-improved has not been updated for 3 years at least.
> This was reported by [Dependabot|https://github.com/dependabot] at 
> [https://github.com/apache/ofbiz-plugins/network/updates/1194761905]
> I copy it here because it will possibly be lost and I'm not sure everybody 
> has access.
> {quote}
> Dependabot cannot update qs to a non-vulnerable version
> The latest possible version that can be installed is 6.5.3 because of the 
> following conflicting dependencies:
> [email protected] requires qs@~6.5.2 via a transitive dependency on 
> [email protected]
> No patched version available for qs
> The earliest fixed version is 6.14.1.
> {quote}
>  
> Dependabot offers a hand-made solution:
> [https://github.com/advisories/GHSA-6rw7-vpxm-498p]
> The security team agreed on disabling jsgantt-improved, with information 
> for OFBiz users to allow them to enable it if they are safe from related 
> DDoS attacks, e.g. totally secured Internet access, or preferably no access 
> at all (it's DDoS)!
> Another part is to update request.js by hand in OFBiz.
> I have created an issue for the jsgantt-improved team at 
> https://github.com/jsGanttImproved/jsgantt-improved/issues/384
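The ticket's core finding is that an old qs copy survives as a transitive dependency (via request, pulled in by jsgantt-improved) even when the top-level qs is current. The following is an added example, not code from the ticket, Dependabot or the OFBiz project: it walks an npm lockfile's "packages" map (lockfileVersion 2/3 layout is assumed), reports every installed qs copy with the package that nests it, and flags copies older than the first fixed release the ticket names, 6.14.1. The lockfile contents and the non-qs version strings are constructed for the demonstration, and the version comparison is a plain numeric compare without prerelease handling.

```javascript
// Added example (not from the OFBiz ticket or from Dependabot): scan an npm
// lockfile (lockfileVersion 2/3 "packages" map) for every installed copy of qs,
// report the parent package that nests it, and flag copies below the first
// fixed release named in the ticket (6.14.1).
const FIXED_QS = "6.14.1";

// Numeric dotted-version compare: "6.5.3" < "6.14.1" (a string compare would
// get this wrong). Prerelease tags are not handled; that is an assumption here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map and return one finding per installed qs copy.
function findVulnerableQs(lock, fixed = FIXED_QS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/qs")) continue;
    // The parent is the last package name before the trailing "node_modules/qs";
    // a top-level install has no parent and is reported as "(root)".
    const parentPath = path.slice(0, -"node_modules/qs".length).replace(/\/$/, "");
    const parent = parentPath ? parentPath.split("node_modules/").pop() : "(root)";
    findings.push({
      path,
      version: meta.version,
      parent,
      vulnerable: compareVersions(meta.version, fixed) < 0,
    });
  }
  return findings;
}

// Constructed sample lockfile shaped like the ticket: the root qs is already
// patched, but request (a dependency of jsgantt-improved) still nests an old qs.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/qs": { version: "6.14.1" },
    "node_modules/jsgantt-improved": { version: "0.0.0-constructed" },
    "node_modules/request": { version: "0.0.0-constructed" },
    "node_modules/request/node_modules/qs": { version: "6.5.3" },
  },
};
```

Run against a real package-lock.json with `findVulnerableQs(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; a finding whose parent is request reproduces exactly the situation Dependabot reported above.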



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
