[ 
https://issues.apache.org/jira/browse/SLING-7789?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Munteanu resolved SLING-7789.
------------------------------------
    Resolution: Won't Fix

[~Varun G] - thank you for your report. For the Sling Explorer part - we're not 
shipping that anymore as part of the Sling Starter (formerly named the Sling 
Launchpad) so there's nothing for us to do here.

For the Felix Web Console please file a bug with the Felix project. Thanks!

> Security bug CVE-2015-9251 with some sling dependent jars
> ---------------------------------------------------------
>
>                 Key: SLING-7789
>                 URL: https://issues.apache.org/jira/browse/SLING-7789
>             Project: Sling
>          Issue Type: Bug
>          Components: Extensions, Launchpad
>    Affects Versions: Launchpad Builder 6, Sling Explorer 1.0.2, Sling 
> Explorer 1.0.4
>            Reporter: Varun Ganesh
>            Priority: Major
>
> Hi Experts,
>     In our product we are using Sling version 6 in one of our 
> releases. (Working on migration to Sling 10 for next versions.)
>     Recently we came across a security bug CVE-2015-9251.
>     (CVE-2015-9251 is a vulnerability that allows an attacker to execute 
> arbitrary code when text/javascript responses are received from cross-origin 
> ajax requests not containing the option `dataType`. Its CVSS score is 6.1 in 
> NVD.)
>     
>     To fix this, an upgrade of jQuery to versions greater than 3.0.0 is 
> required.
>     
>     In our product we are using two Sling dependencies which contain jQuery.
>     1) org.apache.sling.launchpad.webapp - v6 (war) - contains 
> org.apache.felix.webconsole-3.1.6.jar which internally uses jQuery v1.3.2.js.
>     2) org.apache.sling.extensions.explorer - v1.0.3 (jar) - contains jQuery 
> v1.4.2.min.js
>     
>     As part of the fix for the security bug we need to upgrade the jQuery in 
> the jars that are mentioned above.
>     For that we checked the latest versions for the above mentioned jars and 
> identified that the jQuery versions are not above v3.0.0.
>     So could you please help us in upgrading them as soon as possible.
>     
> Thanks,
> Varun.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
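
Added example (not part of the original message, and not Sling or Felix code): the report concerns jQuery copies bundled inside a jar that is itself inside a war, so this sketch walks nested archives and flags every jQuery file below 3.0.0. The regexes, size limits and the sample archive's directory layout are assumptions made for illustration; only the jar name and jQuery versions come from the report.

```python
import io
import re
import zipfile

FIXED = (3, 0, 0)   # NVD lists jQuery before 3.0.0 as affected by CVE-2015-9251
ARCHIVES = (".jar", ".war", ".zip")
MAX_DEPTH, MAX_BYTES = 4, 64 * 1024 * 1024   # assumed limits against nested-archive bombs
# Version in jQuery's leading banner comment, e.g. "jQuery JavaScript Library v1.4.2"
BANNER = re.compile(rb"jQuery (?:JavaScript Library )?v?(\d+)\.(\d+)(?:\.(\d+))?")
NAME = re.compile(r"jquery[-_. v]*(\d+)\.(\d+)(?:\.(\d+))?", re.I)  # fallback: file name


def scan(data, label, depth=0):
    """Return [(path, version, below_fixed)] for jQuery copies in a zip/jar/war."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            name = info.filename
            low, base = name.lower(), name.rsplit("/", 1)[-1]
            path = f"{label}!/{name}"
            if info.file_size > MAX_BYTES:
                continue
            if low.endswith(ARCHIVES) and depth < MAX_DEPTH:
                hits += scan(zf.read(info), path, depth + 1)   # descend into nested jar
            elif low.endswith(".js") and "jquery" in base.lower():
                m = BANNER.search(zf.read(info)[:512]) or NAME.search(base)
                if m:
                    ver = tuple(int(g or 0) for g in m.groups())
                    hits.append((path, ver, ver < FIXED))
    return hits


def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample: directory layout is made up; jar name is from the report."""
    inner = _zip({"res/jquery-1.3.2.js": b"/*\n * jQuery JavaScript Library v1.3.2\n */"})
    return _zip({"WEB-INF/lib/org.apache.felix.webconsole-3.1.6.jar": inner,
                 "static/jquery.min.js": b"/*! jQuery v3.0.0 | (c) jQuery Foundation */"})
```

For a real artifact, pass the file's bytes, for example `scan(open(path, "rb").read(), path)`; files whose third tuple element is `True` are the ones to replace or remove.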