Re: jquery / CVE-2020-7656
Hi
I think the risk of breaking things is quite significant. At least
that is my experience from updating jquery for various applications.
I guess we should then mark it as ignored, with some motivation around that.
// Ola
On Fri, 12 Jun 2020 at 00:00, Brian May <bam@debian.org> wrote:
>
> Brian May <bam@debian.org> writes:
>
> > But... surprise surprise, it looks like buildFragment may be broken:
>
> It looks like this commit might fix that:
>
> https://github.com/jquery/jquery/commit/22ad8723ce07569a9b039c7901f29e86ad14523c
>
> But this is a rather invasive commit. Don't think we should apply it to
> Jessie.
>
> I believe any fix we make to the package in Jessie risks:
>
> * Breaking existing applications.
> * Not fixing the problem entirely.
>
> Plus the version in Jessie is likely to have numerous security issues
> already, not just this one. Looking through some of the git commit logs
> around this time seems to verify this view that there could be serious
> issues in such an old version of jQuery.
>
> I think it is a matter of:
>
> * Leave it. I mean how likely is it that a JavaScript app will conduct
> load() on an untrusted URL anyway? Particularly with modern browsers
> with Same-origin policy - I suspect not likely.
>
> * Update Jessie to a newer upstream version. Maybe the one in Stretch.
> Yes, there is the risk this will break stuff.
>
> I tend to favour the first option. Mark the issue as nodsa or similar.
> --
> Brian May <bam@debian.org>
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
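As an added illustration of the same-origin point made in the quoted message (this is example code written for this page, not code from the thread, from Debian or from jQuery): a small guard that refuses cross-origin or non-HTTP(S) URLs before they reach a fragment-loading call such as jQuery's load(). The names isSameOrigin and loadFragment, and the origin app.example, are invented for the example; the load function is passed in so the block runs under Node without a browser or jQuery.

```javascript
// Added example, not from the thread: restrict fragment loading to the
// page's own origin so a caller cannot hand load() an untrusted URL.
// `isSameOrigin` and `loadFragment` are hypothetical names chosen here.

// Return true when `url` resolves (relative to `base`) to the same
// scheme, host and port as `base`. Anything unparsable is rejected.
function isSameOrigin(url, base) {
  let target;
  try {
    target = new URL(url, base);   // relative paths resolve against base
  } catch (e) {
    return false;                  // malformed input never passes
  }
  // origin compares scheme + host + port; javascript:, data: and other
  // non-hierarchical schemes yield the opaque origin "null" and fail here
  return target.origin === new URL(base).origin;
}

// Wrap a loader (e.g. `(u) => $('#content').load(u)`) so that only
// same-origin URLs produce a request. Returns a small result record so
// callers (and tests) can see why a URL was refused.
function loadFragment(url, base, loadFn) {
  if (!isSameOrigin(url, base)) {
    return { loaded: false, reason: 'refused cross-origin or invalid URL: ' + url };
  }
  loadFn(url);
  return { loaded: true, reason: null };
}

// Constructed sample inputs for a stand-alone run; `fakeLoad` records
// which URLs would have been fetched instead of touching the DOM.
function demo() {
  const base = 'https://app.example/';           // constructed page origin
  const calls = [];
  const fakeLoad = (u) => calls.push(u);
  const results = [
    '/fragments/menu.html',                        // relative: same origin
    'https://app.example/fragments/footer.html',   // absolute: same origin
    'https://evil.example/page.html',              // different host
    '//evil.example/page.html',                    // protocol-relative, different host
    'https://app.example:8443/page.html',          // same host, different port
    'javascript:void(0)',                          // non-HTTP scheme
  ].map((u) => loadFragment(u, base, fakeLoad));
  return { results, calls };
}

// When run directly: print each decision.
if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo().results) console.log(r);
}
```

The protocol-relative and alternate-port cases are the ones a naive prefix check on the string would get wrong; resolving through the URL parser and comparing `origin` handles both, which is why the guard normalises before comparing rather than inspecting the raw string.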