Re: [dspace-tech] jQuery 1.6.2

2016-03-15 Thread Ilja Sidoroff
Oops, I accidentally deleted my reply when trying to remove a spurious 
empty message. Anyway, I made a pull request for non-Mirage2 themes in 
XMLUI (see issue) [1].

Ilja

[1] https://jira.duraspace.org/browse/DS-3099

On Saturday, 12 March 2016 at 0:43:25 UTC+2, Hardy Pottinger wrote:
>
> Hi, Ilja, alas we manage our JS dependencies a bit differently than our 
> Java dependencies. [1] In the case of Mirage2, Bower is used to fetch 
> jQuery, and the version is specified with a tilde, which according to NPM 
> translates to "close enough to."[2][3]
>
> I have made a Jira ticket for upgrading our jQuery version with the UIs we 
> have right now [4]. As Tim said previously, we welcome a pull request to 
> address this.
>
> --Hardy
>
> [1] https://github.com/DSpace/DSpace/search?q=jquery
> [2] http://stackoverflow.com/questions/19541494/bower-dependency-tilde-in-node
> [3] https://github.com/npm/node-semver
> [4] https://jira.duraspace.org/browse/DS-3099

-- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To post to this group, send email to dspace-tech@googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.


Re: [dspace-tech] jQuery 1.6.2

2016-03-15 Thread Ilja Sidoroff
Thanks for the pointers - the issue I found was in Mirage 1, where the 
jQuery version was hardcoded in the source code. I'll try to look into 
making a pull request later today or tomorrow.

Ilja

On Saturday, 12 March 2016 at 0:43:25 UTC+2, Hardy Pottinger wrote:
>
> Hi, Ilja, alas we manage our JS dependencies a bit differently than our 
> Java dependencies. [1] In the case of Mirage2, Bower is used to fetch 
> jQuery, and the version is specified with a tilde, which according to NPM 
> translates to "close enough to."[2][3]
>
> I have made a Jira ticket for upgrading our jQuery version with the UIs we 
> have right now [4]. As Tim said previously, we welcome a pull request to 
> address this.
>
> --Hardy
>
> [1] https://github.com/DSpace/DSpace/search?q=jquery
> [2] http://stackoverflow.com/questions/19541494/bower-dependency-tilde-in-node
> [3] https://github.com/npm/node-semver
> [4] https://jira.duraspace.org/browse/DS-3099



RE: [dspace-tech] jQuery 1.6.2

2016-03-11 Thread Pottinger, Hardy J.
Hi, Ilja, alas we manage our JS dependencies a bit differently than our Java 
dependencies. [1] In the case of Mirage2, Bower is used to fetch jQuery, and 
the version is specified with a tilde, which according to NPM translates to 
"close enough to."[2][3]

I have made a Jira ticket for upgrading our jQuery version with the UIs we have 
right now [4]. As Tim said previously, we welcome a pull request to address 
this.

--Hardy

[1] https://github.com/DSpace/DSpace/search?q=jquery
[2] http://stackoverflow.com/questions/19541494/bower-dependency-tilde-in-node
[3] https://github.com/npm/node-semver
[4] https://jira.duraspace.org/browse/DS-3099


From: dspace-tech@googlegroups.com [dspace-tech@googlegroups.com] on behalf of 
Tim Donohue [tdono...@duraspace.org]
Sent: Thursday, March 10, 2016 1:59 PM
To: dspace-tech@googlegroups.com
Subject: Re: [dspace-tech] jQuery 1.6.2

Hi Ilja,

Yes, we'd encourage a Pull Request if you are willing. Thanks for making us 
aware of this.

- Tim



Re: [dspace-tech] jQuery 1.6.2

2016-03-10 Thread Tim Donohue

Hi Ilja,

Yes, we'd encourage a Pull Request if you are willing. Thanks for making 
us aware of this.


- Tim

On 3/8/2016 6:55 AM, Ilja Sidoroff wrote:
A routine system scan by our IT department noticed that the Mirage theme 
uses jQuery version 1.6.2, which is vulnerable to an XSS attack [1]. I 
don't know if this is actually exploitable in DSpace, but anyway it seems 
that this is fixable by simply bumping the version to 1.6.4. Is it 
worth making a pull request to fix this?


Ilja Sidoroff
Information Specialist
University of Eastern Finland, Library

[1] CVE-2011-4969 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4969



--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org



[dspace-tech] jQuery 1.6.2

2016-03-08 Thread Ilja Sidoroff
A routine system scan by our IT department noticed that the Mirage theme uses 
jQuery version 1.6.2, which is vulnerable to an XSS attack [1]. I don't know 
if this is actually exploitable in DSpace, but anyway it seems that this is 
fixable by simply bumping the version to 1.6.4. Is it worth making a 
pull request to fix this?

Ilja Sidoroff
Information Specialist
University of Eastern Finland, Library

[1] CVE-2011-4969 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4969

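As an added example (not DSpace's own code) covering both Ilja's finding of a hardcoded jQuery 1.6.2 in Mirage 1 and Hardy's note that Mirage2 fetches jQuery through a Bower tilde range, the script below implements node-semver's tilde semantics and audits constructed theme snippets for references whose floor is below the 1.6.4 the thread names as the fix. The regexes, the `FIXED` constant and the sample input are assumptions made for this example.

```javascript
// Added example, not DSpace project code: audit theme sources for jQuery
// references in the two styles this thread describes (hardcoded file name in
// Mirage 1, Bower tilde range in Mirage2) and flag floors below the fix.
const FIXED = [1, 6, 4]; // assumption: the fix version named in the thread

function parseVersion(s) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(s);
  return m ? [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// node-semver tilde: ~1.6.2 => >=1.6.2 <1.7.0, ~1.6 => >=1.6.0 <1.7.0, ~1 => >=1.0.0 <2.0.0
function tildeRange(spec) {
  const body = spec.slice(1);
  const min = parseVersion(body);
  const max = body.split('.').length >= 2 ? [min[0], min[1] + 1, 0] : [min[0] + 1, 0, 0];
  return { min, max };
}

// One finding per jQuery reference found in `source`.
function auditJquery(source) {
  const findings = [];
  const fileRe = /jquery-(\d+\.\d+\.\d+)(?:\.min)?\.js/g;
  const bowerRe = /"jquery"\s*:\s*"(~?\d[\d.]*)"/g;
  let m;
  while ((m = fileRe.exec(source)) !== null) {
    findings.push({ ref: m[0], kind: 'hardcoded', vulnerable: compare(parseVersion(m[1]), FIXED) < 0 });
  }
  while ((m = bowerRe.exec(source)) !== null) {
    const spec = m[1];
    if (spec.startsWith('~')) {
      // A tilde range installs the newest patch Bower can find, so the install may
      // already be fixed; it is still flagged because the floor permits 1.6.2.
      const { min, max } = tildeRange(spec);
      findings.push({ ref: m[0], kind: 'bower-tilde', vulnerable: compare(min, FIXED) < 0,
        fixReachable: compare(FIXED, max) < 0 });
    } else {
      findings.push({ ref: m[0], kind: 'bower-exact', vulnerable: compare(parseVersion(spec), FIXED) < 0 });
    }
  }
  return findings;
}

// Constructed sample input in the two styles named in the thread.
const SAMPLE = '<script src="../../static/js/jquery-1.6.2.min.js"></script>\n' +
  '"dependencies": { "jquery": "~1.6.2" }';
console.log(auditJquery(SAMPLE));
```

`fixReachable` tells a maintainer that pinning within the existing tilde range (here to 1.6.4) is enough, rather than moving to a new minor line.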