Re: jquery / CVE-2020-7656



Brian May <bam@debian.org> writes:

> But... surprise surprise, it looks like buildFragment may be broken:

It looks like this commit might fix that:

https://github.com/jquery/jquery/commit/22ad8723ce07569a9b039c7901f29e86ad14523c

But this is a rather invasive commit. Don't think we should apply it to
Jessie.

I believe any fix we make to the package in Jessie risks:

* Breaking existing applications.
* Not fixing the problem entirely.

Plus the version in Jessie is likely to have numerous security issues
already, not just this one. Looking through some of the git commit logs
around this time seems to verify this view that there could be serious
issues in such an old version of jQuery.

I think it is a matter of:

* Leave it. I mean how likely is it that a JavaScript app will conduct
  load() on an untrusted URL anyway? Particularly with modern browsers
  with the Same-origin policy - I suspect not likely.

* Update Jessie to a newer upstream version. Maybe the one in Stretch.
  Yes, there is the risk this will break stuff.

I tend to favour the first option. Mark the issue as nodsa or similar.
-- 
Brian May <bam@debian.org>