[Yahoo-eng-team] [Bug 1721193] Re: Outdated and vulnerable versions of Javascript libraries

2021-02-18 Thread Akihiro Motoki
Horizon has used xstatic-jquery 1.12.4.1 since Sep 26 2018. 1.12.4 is the
latest jquery release.
As Mathias commented above, the maintenance of xstatic-jquery is decoupled
from horizon, but horizon is responsible for making horizon work with at
least the latest stable release of the jquery 1.x series.
We now use the latest stable release of jquery 1.x, so I am marking it as
Fix Released. (I am not marking it as Invalid, as we used 1.10.x when the
bug was reported.)

FYI: Note that the horizon team is considering the switch to jquery 3
but it is still on the way as we hit test failures.

** Changed in: horizon
   Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1721193

Title:
  Outdated and vulnerable versions of Javascript libraries

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  One or more vulnerabilities were reported for a few outdated versions of
  the Javascript libraries used by horizon.
  The suggestion is to upgrade to the latest version.

   /dashboard/static/dashboard/js/5508d0ed7005.js
   /dashboard/static/horizon/lib/jquery/jquery.js
   /dashboard/static/horizon/lib/jquery/jquery.min.js
   /dashboard/static/horizon/lib/jquery_migrate/jquery-migrate.js
   /dashboard/static/horizon/lib/jquery_migrate/jquery-migrate.min.js
   /dashboard/static/horizon/lib/jquery_ui/ui/jquery-ui.js
   /dashboard/static/horizon/lib/jquery_ui/ui/jquery.ui.dialog.js
   /dashboard/static/horizon/lib/jquery_ui/ui/minified/jquery-ui.min.js

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1721193/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp


[Yahoo-eng-team] [Bug 1721193] Re: Outdated and vulnerable versions of Javascript libraries

2021-02-17 Thread Jeremy Stanley
I've set our security advisory task for this to Won't Fix as it's a
class C2 report per our taxonomy (A vulnerability, but not in OpenStack
supported code, e.g., in a dependency):
https://security.openstack.org/vmt-process.html#incident-report-taxonomy

** Changed in: ossa
   Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

** Tags added: security

Status in OpenStack Dashboard (Horizon):
  Incomplete
Status in OpenStack Security Advisory:
  Won't Fix
