Re: OFBiz site and [CVE-2017-16011] Cross-Site Scripting in jQuery
Great!

On 03/09/2020 at 11:37, Aditya Sharma wrote:
> Indeed that makes sense Jacques. I checked we no longer use bootstrap-select plugin so removed it as an initial step.
> https://github.com/apache/ofbiz-site/commit/eec3090d837d6e931271596a48dca6e6c4a9aedb
>
> ofbiz-site passes the checks now
> https://github.com/apache/ofbiz-site/network/alerts
> https://github.com/apache/ofbiz-site
>
> I further plan to check and upgrade libraries to more recent versions.
>
> Thanks and Regards,
> Aditya Sharma
>
> On Thu, Sep 3, 2020 at 2:34 PM Jacques Le Roux wrote:
>> Thanks Aditya,
>>
>> We could think that it's not a big deal since it's only a static site. But if we were defaced that would not look great ;)
>>
>> Jacques
>>
>> On 03/09/2020 at 08:24, Aditya Sharma wrote:
>>> Hi Jacques,
>>>
>>> I think the dependency is related to bootstrap-select plugin.
>>> https://github.com/apache/ofbiz-site/network/alert/js/plugins/bootstrap-select/package.json/jquery/open
>>>
>>> We might not be affected, though I will have a deeper look into it soon.
>>>
>>> Thanks and regards,
>>> Aditya Sharma
>>>
>>> On Wed, Sep 2, 2020 at 10:53 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>>>> Hi,
>>>>
>>>> I received an alert from GitHub Advisory <https://github.com/advisories> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
>>>>
>>>> Could someone test if updating to jQuery 1.9 would work?
>>>>
>>>> I could then, or anyone ready for that, upgrade the OFBiz site to use jQuery 1.9
>>>>
>>>> Thanks
>>>>
>>>> Jacques
Re: OFBiz site and [CVE-2017-16011] Cross-Site Scripting in jQuery
Indeed that makes sense Jacques. I checked we no longer use bootstrap-select plugin so removed it as an initial step.
https://github.com/apache/ofbiz-site/commit/eec3090d837d6e931271596a48dca6e6c4a9aedb

ofbiz-site passes the checks now
https://github.com/apache/ofbiz-site/network/alerts
https://github.com/apache/ofbiz-site

I further plan to check and upgrade libraries to more recent versions.

Thanks and Regards,
Aditya Sharma

On Thu, Sep 3, 2020 at 2:34 PM Jacques Le Roux wrote:
> Thanks Aditya,
>
> We could think that it's not a big deal since it's only a static site. But if we were defaced that would not look great ;)
>
> Jacques
>
> On 03/09/2020 at 08:24, Aditya Sharma wrote:
>> Hi Jacques,
>>
>> I think the dependency is related to bootstrap-select plugin.
>> https://github.com/apache/ofbiz-site/network/alert/js/plugins/bootstrap-select/package.json/jquery/open
>>
>> We might not be affected, though I will have a deeper look into it soon.
>>
>> Thanks and regards,
>> Aditya Sharma
>>
>> On Wed, Sep 2, 2020 at 10:53 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>>> Hi,
>>>
>>> I received an alert from GitHub Advisory <https://github.com/advisories> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
>>>
>>> Could someone test if updating to jQuery 1.9 would work?
>>>
>>> I could then, or anyone ready for that, upgrade the OFBiz site to use jQuery 1.9
>>>
>>> Thanks
>>>
>>> Jacques
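A defender-side check of the kind this thread calls for, added here as an example and not code from the OFBiz project or from anyone in the thread: it walks a checked-out static site tree, reads the jQuery range declared in any vendored plugin's package.json (the manifest the GitHub alert keys on, as with the bootstrap-select one above) and the version banner of any shipped jquery*.js file, and flags anything below 1.9.0, the first release not affected by CVE-2017-16011. The directory layout, file names and banner strings built in demo() are constructed for the demonstration; the 1.9.0 threshold comes from the thread's proposal to move to jQuery 1.9.

```python
import json
import re
import tempfile
from pathlib import Path

FIXED = (1, 9, 0)  # CVE-2017-16011 affects jQuery before 1.9.0, the version the thread proposes
BANNER_RE = re.compile(r"jQuery\s+(?:JavaScript Library\s+)?v(\d+)\.(\d+)\.(\d+)")
SEMVER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
JQUERY_FILE_RE = re.compile(r"jquery(-\d[\w.]*)?(\.min)?\.js")

def lowest_version(rng):
    """Lowest version a package.json range such as '>=1.8' or '^1.11.1' admits; None if unparseable."""
    m = SEMVER_RE.search(rng)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def manifest_jquery(path):
    """jquery range declared in a package.json (the manifest the GitHub alert keys on)."""
    data = json.loads(Path(path).read_text())
    deps = {**data.get("devDependencies", {}), **data.get("dependencies", {})}
    return deps.get("jquery")

def shipped_jquery(path):
    """Version parsed from the banner comment of a vendored jquery*.js file."""
    m = BANNER_RE.search(Path(path).read_text(errors="replace")[:300])
    return tuple(int(x) for x in m.groups()) if m else None

def scan(root):
    """(kind, path, version) for every manifest range or shipped file below FIXED."""
    root, findings = Path(root), []
    for p in root.rglob("*"):
        if p.name == "package.json":
            rng = manifest_jquery(p)
            if rng and (lowest_version(rng) or FIXED) < FIXED:  # 'latest' etc. is skipped
                findings.append(("manifest", p.relative_to(root).as_posix(), rng))
        elif JQUERY_FILE_RE.fullmatch(p.name):
            v = shipped_jquery(p)
            if v and v < FIXED:
                findings.append(("shipped", p.relative_to(root).as_posix(), ".".join(map(str, v))))
    return sorted(findings)

def demo():
    """Scan a constructed tree: a plugin manifest admitting old jQuery plus two vendored copies."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp, "js", "plugins", "bootstrap-select")
        plugin.mkdir(parents=True)
        (plugin / "package.json").write_text(json.dumps({"dependencies": {"jquery": ">=1.8"}}))
        Path(tmp, "js", "jquery-1.8.3.min.js").write_text("/*! jQuery v1.8.3 jquery.com | jquery.org/license */\n")
        Path(tmp, "js", "jquery-1.11.1.min.js").write_text("/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. */\n")
        return scan(tmp)
```

The two finding kinds answer different questions: a manifest finding is what the GitHub alert reports, while a shipped finding tells you whether a vulnerable jQuery is actually served, which is the "we might not be affected" question raised above.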
Re: OFBiz site and [CVE-2017-16011] Cross-Site Scripting in jQuery
Thanks Aditya,

We could think that it's not a big deal since it's only a static site. But if we were defaced that would not look great ;)

Jacques

On 03/09/2020 at 08:24, Aditya Sharma wrote:
> Hi Jacques,
>
> I think the dependency is related to bootstrap-select plugin.
> https://github.com/apache/ofbiz-site/network/alert/js/plugins/bootstrap-select/package.json/jquery/open
>
> We might not be affected, though I will have a deeper look into it soon.
>
> Thanks and regards,
> Aditya Sharma
>
> On Wed, Sep 2, 2020 at 10:53 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>> Hi,
>>
>> I received an alert from GitHub Advisory <https://github.com/advisories> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
>>
>> Could someone test if updating to jQuery 1.9 would work?
>>
>> I could then, or anyone ready for that, upgrade the OFBiz site to use jQuery 1.9
>>
>> Thanks
>>
>> Jacques
Re: OFBiz site and [CVE-2017-16011] Cross-Site Scripting in jQuery
Hi Pierre,

We have it already: https://github.com/apache/ofbiz-site

I subscribed to receive alerts by email

Jacques

On 03/09/2020 at 08:03, Pierre Smits wrote:
> Hi Jacques,
>
> Why don't we use CI and sonarcloud analysis to test these ante- and post-upgrade scenarios?
>
> Best regards
>
> Pierre
>
> On Wed, 2 Sep 2020 19:23, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>> Hi,
>>
>> I received an alert from GitHub Advisory <https://github.com/advisories> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
>>
>> Could someone test if updating to jQuery 1.9 would work?
>>
>> I could then, or anyone ready for that, upgrade the OFBiz site to use jQuery 1.9
>>
>> Thanks
>>
>> Jacques
Re: OFBiz site and [CVE-2017-16011] Cross-Site Scripting in jQuery
Hi Jacques,

I think the dependency is related to bootstrap-select plugin.
https://github.com/apache/ofbiz-site/network/alert/js/plugins/bootstrap-select/package.json/jquery/open

We might not be affected, though I will have a deeper look into it soon.

Thanks and regards,
Aditya Sharma

On Wed, Sep 2, 2020 at 10:53 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
> Hi,
>
> I received an alert from GitHub Advisory <https://github.com/advisories> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
>
> Could someone test if updating to jQuery 1.9 would work?
>
> I could then, or anyone ready for that, upgrade the OFBiz site to use jQuery 1.9
>
> Thanks
>
> Jacques
Re: OFBiz site and [CVE-2017-16011] Cross-Site Scripting in jQuery
Hi Jacques,

Why don't we use CI and sonarcloud analysis to test these ante- and post-upgrade scenarios?

Best regards

Pierre

On Wed, 2 Sep 2020 19:23, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
> Hi,
>
> I received an alert from GitHub Advisory <https://github.com/advisories> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"
>
> Could someone test if updating to jQuery 1.9 would work?
>
> I could then, or anyone ready for that, upgrade the OFBiz site to use jQuery 1.9
>
> Thanks
>
> Jacques
OFBiz site and [CVE-2017-16011] Cross-Site Scripting in jQuery
Hi,

I received an alert from GitHub Advisory <https://github.com/advisories> about OFBiz site and [CVE-2017-16011] "Cross-Site Scripting in jQuery"

Could someone test if updating to jQuery 1.9 would work?

I could then, or anyone ready for that, upgrade the OFBiz site to use jQuery 1.9

Thanks

Jacques