https://bugs.launchpad.net/horizon/+bug/1960489 got duplicated to this
bug. In that bug I listed 4 CVEs where, based on the CVE description,
the issues only fixed in JQuery >= 3 (and 3.5 in some cases). This bug
is marked as Invalid from upstream perspective stating that "From an
upstream OpenStack perspective, we don't mandate use of vulnerable
versions of dependencies, as the suggested version ranges in the
requirements.txt you linked can confirm." But upstream Horizon do states
JQuery < 2 which means we do mandate impacted JQuery versions. I'm
marking this as New again to get attention to this new fact.
** Changed in: horizon
Status: Invalid => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1955556
Title:
Javascript libraries with vulnerabilities
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1955556/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
