[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: jquery / CVE-2020-7656


I think the risk of breaking things is quite significant. At least
that is my experience from updating jquery for various applications.

I guess we should then mark it as ignored, with some motivation around that.

// Ola

On Fri, 12 Jun 2020 at 00:00, Brian May <bam@debian.org> wrote:
> Brian May <bam@debian.org> writes:
> > But... surprise surprise, it looks like buildFragment may be broken:
> It looks like this commit might fix that:
> https://github.com/jquery/jquery/commit/22ad8723ce07569a9b039c7901f29e86ad14523c
> But this is a rather invasive commit. Don't think we should apply it to
> Jessie.
> I believe any fix we make to the package in Jessie risks:
> * Breaking existing applications.
> * Not fixing the problem entirely.
> Plus the version in Jessie is likely to have numerous security issues
> already, not just this one. Looking through some of the git commit logs
> around this time seems to verify this view that there could be serious
> issues in such an old version of JQuery.
> I think it is a matter of:
> * Leave it. I mean how likely is it that a JavaScript app will conduct
>   load() on an untrusted URL anyway? Particularly with modern browsers
>   with Same-origin policy - I suspect not likely.
> * Update Jessie to a newer upstream version. Maybe the one in Stretch.
>   Yes, there is the risk this will break stuff.
> I tend to favour the first option. Mark the issue as nodsa or similar.
> --
> Brian May <bam@debian.org>

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

Reply to: