[ https://issues.apache.org/jira/browse/DRILL-7705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17090449#comment-17090449 ]
ASF GitHub Bot commented on DRILL-7705:
---------------------------------------
agozhiy opened a new pull request #2066:
URL: https://github.com/apache/drill/pull/2066
# [DRILL-7705](https://issues.apache.org/jira/browse/DRILL-7705): Updated jQuery and Bootstrap libraries
## Description
- jQuery: 3.2.1 -> 3.4.1
- Bootstrap: 3.1.1 -> 4.4.1
- Also fixed styles that were considerably broken after the update.
Note: the latest version of jQuery is 3.5.0, but I had to revert it to 3.4.1
due to a broken collapse mechanism (it is widely used on the profile page). See
https://github.com/twbs/bootstrap/issues/30553 for details.
## Documentation
No new functionality.
## Testing
Manually verified the Web UI, ran the usual set of unit/functional tests.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Update jQuery and Bootstrap libraries
> -------------------------------------
>
> Key: DRILL-7705
> URL: https://issues.apache.org/jira/browse/DRILL-7705
> Project: Apache Drill
> Issue Type: Improvement
> Affects Versions: 1.17.0
> Reporter: Anton Gozhiy
> Assignee: Anton Gozhiy
> Priority: Major
> Fix For: 1.18.0
>
>
> There are some vulnerabilities present in the jQuery and Bootstrap libraries
> used in Drill:
> * jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products,
> mishandles jQuery.extend(true, {}, ...) because of Object.prototype
> pollution. If an unsanitized source object contained an enumerable __proto__
> property, it could extend the native Object.prototype.
> * In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent
> attribute.
> * In Bootstrap before 4.1.2, XSS is possible in the data-container property
> of tooltip.
> * In Bootstrap before 3.4.0, XSS is possible in the affix configuration
> target property.
> * In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the
> tooltip or popover data-template attribute.
> The following update is suggested to fix them:
> * jQuery: 3.2.1 -> 3.5.0
> * Bootstrap: 3.1.1 -> 4.4.1
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
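The first item in the issue description is the jQuery.extend prototype-pollution case. As an added example that is not Drill's or jQuery's code, the block below shows a deep merge carrying the same guard jQuery 3.4.0 introduced, a check a test suite can run to confirm Object.prototype stayed clean, and a version gate built from the fixed versions quoted in this issue; the function names, the marker key and the sample input are assumptions constructed for the example.

```javascript
// Added example, not code from Drill or jQuery. Keys that reach the
// prototype chain are skipped, which is the guard jQuery 3.4.0 added to
// jQuery.extend(true, ...) for the pollution described in this issue.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Deep-merge `source` into `target` using own enumerable keys only.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;           // never walk into the prototype
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeExtend(existing, value);
    } else if (Array.isArray(value)) {
      target[key] = value.slice();
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Regression check: none of the marker keys leaked onto Object.prototype.
function prototypeIsClean(markers) {
  const probe = {};
  return markers.every((k) => !(k in probe));
}

// Version gate built from the fixed versions quoted in DRILL-7705:
// jQuery 3.4.0; Bootstrap 3.4.1 on the 3.x line, 4.3.1 on the 4.x line
// (reading "4.3.x before 4.3.1" as covering every 4.x release below it).
function needsUpgrade(lib, version) {
  const parse = (s) => s.split(".").map((n) => Number(n) || 0);
  const cmp = (a, b) => [0, 1, 2].reduce((d, i) => d || (a[i] || 0) - (b[i] || 0), 0);
  const v = parse(version);
  if (lib === "jquery") return cmp(v, [3, 4, 0]) < 0;
  if (lib === "bootstrap") return cmp(v, v[0] >= 4 ? [4, 3, 1] : [3, 4, 1]) < 0;
  throw new Error("unknown library: " + lib);
}

// Constructed untrusted input shaped like a polluting payload.
const untrustedConfig = JSON.parse('{"__proto__": {"polluted": "yes"}, "ui": {"theme": "dark"}}');
const merged = safeExtend({}, untrustedConfig);
console.log(merged.ui.theme, prototypeIsClean(["polluted"]));  // dark true
```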