[ 
https://issues.apache.org/jira/browse/ROL-2150?focusedWorklogId=305147&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-305147
 ]

ASF GitHub Bot logged work on ROL-2150:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/Sep/19 11:44
            Start Date: 02/Sep/19 11:44
    Worklog Time Spent: 10m 
      Work Description: snoopdave commented on issue #37: WIP: Upgrade jQuery 
to 3.4.1  ROL-2150
URL: https://github.com/apache/roller/pull/37#issuecomment-527117017
 
 
   This is a good idea to update jQuery and the right way to do it is by 
changing the Webjars dependency in the Roller app's pom.xml file. This is what is 
in there now:
   
   ```
           <dependency>
               <groupId>org.webjars</groupId>
               <artifactId>jquery</artifactId>
               <version>3.3.1</version>
           </dependency>

           <dependency>
               <groupId>org.webjars</groupId>
               <artifactId>jquery-ui</artifactId>
               <version>1.12.1</version>
           </dependency>
   ```
   
   The webjars dependencies are imported into the web pages via head.jsp.
   
   We should remove the jQuery files from Roller's repo by removing these 
directories
   `app/src/main/webapp/roller-ui/js/jquery*` and we should remove the 
references to that directory in all of the JSP files that you changed.  All of 
those files should instead get the jQuery dependency from head.jsp which is 
included in all JSP files (via Struts / Tiles).
   
   This will make it easier to upgrade jQuery in the future because we will 
only need to change `pom.xml` and `head.jsp`.
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
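The plan in the comment above (a single copy of the library, pulled in through the WebJars dependency and referenced only from head.jsp) is easy to verify mechanically. What follows is an added example, not code from the Roller project or from the pull request: a small retire.js-style audit in JavaScript that identifies jQuery and jQuery UI builds from their license banners, flags any copy that still sits in the webapp source tree, and flags any copy below a minimum version. It runs over constructed file contents rather than a real checkout. The paths mirror the ones in the report; the banner text, the vendor-root path `app/src/main/webapp/`, and the minimum versions (jQuery 3.4.0 for CVE-2019-11358, jQuery UI 1.12.0 for CVE-2016-7103) are assumptions made here.

```javascript
// Added example (not Roller's code): a retire.js-style version audit of jQuery copies,
// run over constructed file contents so it works offline.

// Assumed policy: minimum versions derived from the CVEs in the report.
// CVE-2019-11358 is fixed in jQuery 3.4.0, CVE-2016-7103 in jQuery UI 1.12.0.
const MINIMUMS = { jquery: "3.4.0", "jquery-ui": "1.12.0" };

// Assumed location of the webapp source tree; after the move to WebJars no copy of the
// library should live under it, only the webjar reference in head.jsp.
const VENDOR_ROOT = "app/src/main/webapp/";

// Constructed inputs: path -> first lines of the file. Paths mirror the report; the banner
// text imitates the license headers that jQuery and jQuery UI builds carry.
const SAMPLE_FILES = {
  "app/src/main/webapp/roller-ui/scripts/jquery-2.1.1.min.js":
    "/*! jQuery v2.1.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */\n!function(a,b){}",
  "app/src/main/webapp/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js":
    "/*! jQuery UI - v1.11.0 - 2014-06-26\n* http://jqueryui.com\n* Includes: core.js, widget.js */",
  "app/src/main/webapp/themes/gaurav/js/jquery.js":
    "/*!\n * jQuery JavaScript Library v1.9.1\n * http://jquery.com/\n */",
  "app/src/main/webapp/roller-ui/js/jquery-3.4.1.min.js":
    "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */",
  "META-INF/resources/webjars/jquery/3.4.1/jquery.min.js":
    "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */",
  "target/roller/roller-ui/scripts/jquery-2.1.1.min.js":
    "/*! jQuery v2.1.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */",
  "app/src/main/webapp/roller-ui/scripts/roller.js":
    "// Roller UI helpers, not a library copy\nfunction toggle(id) {}",
};

// Identify a jQuery or jQuery UI build from its banner; null for anything else.
function parseBanner(text) {
  const head = text.slice(0, 400);
  const ui = /jQuery UI\s*-\s*v(\d+\.\d+\.\d+)/.exec(head);
  if (ui) return { lib: "jquery-ui", version: ui[1] };
  const core = /jQuery(?: JavaScript Library)?\s+v(\d+\.\d+\.\d+)/.exec(head);
  if (core) return { lib: "jquery", version: core[1] };
  return null;
}

// Dotted numeric version compare: negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Audit a path -> content map. Build output under target/ is skipped so that a vendored copy
// is not reported twice (once from src and once from target, as it is in the report above).
function auditVendoredJs(files, { minimums = MINIMUMS, vendorRoot = VENDOR_ROOT } = {}) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.split("/").includes("target")) continue;
    const hit = parseBanner(text);
    if (!hit) continue;
    const reasons = [];
    if (path.startsWith(vendorRoot)) {
      reasons.push("vendored copy; should be served from the webjar via head.jsp");
    }
    const min = minimums[hit.lib];
    if (min && compareVersions(hit.version, min) < 0) {
      reasons.push(`version ${hit.version} is below the minimum ${min}`);
    }
    if (reasons.length > 0) findings.push({ path, lib: hit.lib, version: hit.version, reasons });
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditVendoredJs(SAMPLE_FILES)) {
    console.log(`${f.path}: ${f.lib} ${f.version}: ${f.reasons.join("; ")}`);
  }
}
```

On the constructed sample the three copies the report lists are flagged twice over (vendored and outdated), the vendored 3.4.1 copy is flagged only as vendored, and the webjar copy passes. Run against a real tree, feed it the files under `app/src/main/webapp` rather than `target/`, which is where the duplicate hits in the report come from.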


Issue Time Tracking
-------------------

    Worklog Id:     (was: 305147)
    Time Spent: 40m  (was: 0.5h)

> Fix Js security vulnerabilities detected using retire js
> --------------------------------------------------------
>
>                 Key: ROL-2150
>                 URL: https://issues.apache.org/jira/browse/ROL-2150
>             Project: Apache Roller
>          Issue Type: Bug
>          Components: User Interface - General
>    Affects Versions: 5.2.4
>            Reporter: Aditya Sharma
>            Assignee: Aditya Sharma
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> {code:java}
> /roller/app/target/roller/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
>  ↳ jquery-ui-dialog 1.11.0
> jquery-ui-dialog 1.11.0 has known vulnerabilities: severity: high; CVE: 
> CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option; 
> https://github.com/jquery/api.jqueryui.com/issues/281 
> https://nvd.nist.gov/vuln/detail/CVE-2016-7103 
> https://snyk.io/vuln/npm:jquery-ui:20160721
> /roller/app/target/roller/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
>  ↳ jquery-ui-autocomplete 1.11.0
> /roller/app/target/roller/roller-ui/scripts/jquery-2.1.1.min.js
>  ↳ jquery 2.1.1
> jquery 2.1.1 has known vulnerabilities: severity: medium; issue: 2432, 
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; 
> https://github.com/jquery/jquery/issues/2432 
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: 
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event 
> handlers; https://bugs.jquery.com/ticket/11974 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE: 
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop 
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of 
> Object.prototype pollution; 
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/src/main/webapp/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
>  ↳ jquery-ui-dialog 1.11.0
> jquery-ui-dialog 1.11.0 has known vulnerabilities: severity: high; CVE: 
> CVE-2016-7103, bug: 281, summary: XSS Vulnerability on closeText option; 
> https://github.com/jquery/api.jqueryui.com/issues/281 
> https://nvd.nist.gov/vuln/detail/CVE-2016-7103 
> https://snyk.io/vuln/npm:jquery-ui:20160721
> /roller/app/src/main/webapp/roller-ui/jquery-ui-1.11.0/jquery-ui.min.js
>  ↳ jquery-ui-autocomplete 1.11.0
> /roller/app/src/main/webapp/roller-ui/scripts/jquery-2.1.1.min.js
>  ↳ jquery 2.1.1
> jquery 2.1.1 has known vulnerabilities: severity: medium; issue: 2432, 
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; 
> https://github.com/jquery/jquery/issues/2432 
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: 
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event 
> handlers; https://bugs.jquery.com/ticket/11974 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE: 
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop 
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of 
> Object.prototype pollution; 
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/themes/gaurav/js/jquery.js
>  ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, 
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; 
> https://github.com/jquery/jquery/issues/2432 
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: 
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event 
> handlers; https://bugs.jquery.com/ticket/11974 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE: 
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop 
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of 
> Object.prototype pollution; 
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/test-classes/themes/gaurav/js/jquery.js
>  ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, 
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; 
> https://github.com/jquery/jquery/issues/2432 
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: 
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event 
> handlers; https://bugs.jquery.com/ticket/11974 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE: 
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop 
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of 
> Object.prototype pollution; 
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/src/main/webapp/themes/gaurav/js/jquery.js
>  ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, 
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; 
> https://github.com/jquery/jquery/issues/2432 
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: 
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event 
> handlers; https://bugs.jquery.com/ticket/11974 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE: 
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop 
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of 
> Object.prototype pollution; 
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-1.12.4.js
>  ↳ jquery 1.12.4
> jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432, 
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; 
> https://github.com/jquery/jquery/issues/2432 
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: 
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event 
> handlers; https://bugs.jquery.com/ticket/11974 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE: 
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop 
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of 
> Object.prototype pollution; 
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-2.2.4.js
>  ↳ jquery 2.2.4
> jquery 2.2.4 has known vulnerabilities: severity: medium; issue: 2432, 
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; 
> https://github.com/jquery/jquery/issues/2432 
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: 
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event 
> handlers; https://bugs.jquery.com/ticket/11974 
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE: 
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop 
> CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of 
> Object.prototype pollution; 
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/libraries/jquery-3.3.1.js
>  ↳ jquery 3.3.1
> jquery 3.3.1 has known vulnerabilities: severity: low; CVE: CVE-2019-11358, 
> summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other 
> products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype 
> pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ 
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
> /roller/app/target/roller/roller-ui/authoring/editors/xinha-1.5.1/unsupported_plugins/ImageManager/smart-image.js
>  ↳ swfobject 2.0
> swfobject 2.0 has known vulnerabilities: severity: medium; summary: DOM-based 
> XSS; 
> https://github.com/swfobject/swfobject/wiki/SWFObject-Release-Notes#swfobject-v21-beta7-june-6th-2008{code}
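The CVE-2019-11358 entry that recurs throughout the report above is easiest to understand by running it. The block below is an added example, not jQuery's or Roller's code: a minimal re-implementation of the deep-merge loop inside jQuery.extend(true, ...) in the shape it had before 3.4.0, next to the same loop with the guard the 3.4.0 commit linked in the report adds (skip a source key named `__proto__`). The function names, the `isAdmin` property and the JSON payload are ours; the plain-object test mirrors jQuery's, which is what makes Object.prototype reachable.

```javascript
// Added example (not jQuery's or Roller's code): the deep-merge loop of jQuery.extend(true, ...)
// re-implemented in the shape it had before 3.4.0, and with the guard the 3.4.0 fix added.
// The constructed payload stands in for an attacker-controlled JSON document.

// Same test jQuery uses to decide whether to recurse into a value. Note that Object.prototype
// itself passes (its own prototype is null), which is what makes the pollution reachable.
function isPlainObject(obj) {
  if (obj === null || typeof obj !== "object") return false;
  if (Object.prototype.toString.call(obj) !== "[object Object]") return false;
  const proto = Object.getPrototypeOf(obj);
  if (proto === null) return true;
  const ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
  return typeof ctor === "function" &&
    Function.prototype.toString.call(ctor) === Function.prototype.toString.call(Object);
}

// Deep merge `source` into `target`. With guardProto=false this is the pre-3.4.0 behaviour:
// a source key named "__proto__" makes target[name] resolve to Object.prototype, which passes
// isPlainObject, so the recursion writes the attacker's keys onto every object in the realm.
function deepExtend(target, source, guardProto) {
  for (const name in source) {
    const copy = source[name];
    // Never-ending-loop guard (present in all versions); the __proto__ check is the 3.4.0 fix.
    if (target === copy || (guardProto && name === "__proto__")) continue;
    if (copy && (isPlainObject(copy) || Array.isArray(copy))) {
      const src = target[name];
      let clone;
      if (Array.isArray(copy)) clone = Array.isArray(src) ? src : [];
      else clone = src && isPlainObject(src) ? src : {};
      target[name] = deepExtend(clone, copy, guardProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

function vulnerableExtend(target, source) { return deepExtend(target, source, false); }
function fixedExtend(target, source) { return deepExtend(target, source, true); }

// Run one merge with a hostile payload and report what an unrelated object sees afterwards.
// Object.prototype is cleaned up so the demonstration does not poison the rest of the process.
function pollutionProbe(extendFn) {
  // Constructed attacker input: JSON.parse creates an own property literally named "__proto__".
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}');
  extendFn({}, payload);
  const leaked = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return leaked;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("pre-3.4.0 merge leaks isAdmin:", pollutionProbe(vulnerableExtend)); // true
  console.log("3.4.0+ merge leaks isAdmin:   ", pollutionProbe(fixedExtend));      // undefined
}
```

The probe merges into an empty object, yet a fresh `{}` created afterwards reports `isAdmin === true` under the old loop: the write landed on Object.prototype. The fixed loop skips the key entirely and still performs an ordinary deep merge of nested objects and arrays. In a webapp this matters wherever user-supplied JSON is passed to a deep extend, which is why the upgrade to 3.4.x is the right fix rather than sanitising call sites one by one.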



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
