James Stroud created YARN-10445:
-----------------------------------

             Summary: Update Jquery to 3.5.1
                 Key: YARN-10445
                 URL: https://issues.apache.org/jira/browse/YARN-10445
             Project: Hadoop YARN
          Issue Type: Bug
          Components: yarn-ui-v2
    Affects Versions: 3.1.1
            Reporter: James Stroud


Hi, we are using Cloudera Hortonworks Data Platform 3.1.0 (I know 3.1.5 is out 
but we are not on it yet), but 3.1.5 has the same issue.

Our security team scanned our YARN UI and insists that we upgrade the jQuery 
from 3.3.1 to 3.5.1 to close a security issue.  I know that YARN will never be 
exposed to the internet, but the security team does not care (don't ask).

This is the issue they want fixed:

[https://snyk.io/test/npm/jquery/3.3.1]

https://www.cvedetails.com/cve/CVE-2019-11358/

Can someone upgrade the jQuery in YARN from 3.3.1 to 3.5.1?  We noticed this is 
bundled in a file called vendor.js, located here:

[hadoop-tools/hadoop-sls/src/main/html/js/thirdparty/jquery.js|https://github.com/apache/hadoop/blob/a55d6bba71c81c1c4e9d8cd11f55c78f10a548b0/hadoop-tools/hadoop-sls/src/main/html/js/thirdparty/jquery.js]

FYI: when I did these upgrades to other parts of our internal application (not 
on HDP), the upgraded version of jQuery just worked without any code changes 
other than referring to the new file, as jQuery hard-codes the version in its 
filename (e.g., jquery-3.5.1.min.js for version 3.5.1).

[https://jquery.com/download/]

I could possibly fix this if I had access to your source code and was allowed 
to create a branch.

Thanks, James Stroud

PS: I work for IBM, but I signed up with my personal email account.

My IBM email is [stro...@us.ibm.com|mailto:stro...@us.ibm.com]

Also I apologize if I made mistakes creating this issue as I was not sure of 
what to put in for some fields.

I put this as a minor issue but I'm sure my security team would deem this 
higher than that.
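The CVE cited in the ticket, CVE-2019-11358, is the Object.prototype pollution in jQuery.extend(true, ...) that jQuery 3.4.0 fixed; the example below is added here and is not code from the Jira issue, from Hadoop or from jQuery itself. It is a simplified deep merge modelled on the pre-3.4.0 behaviour next to the guard the fixed versions apply, run over a constructed JSON payload; isPlainObject, deepExtend, mergeAndCheck and the sample input are hypothetical names chosen for this example.

```javascript
// Added example (not from the Jira issue, Hadoop or jQuery): a simplified deep
// merge modelled on jQuery.extend(true, target, source), showing the
// Object.prototype pollution behind CVE-2019-11358 and the guard jQuery 3.4.0 added.

// Mirrors jQuery's notion of a "plain object": an object with no prototype also
// counts as plain, which is what lets Object.prototype itself become a merge target.
function isPlainObject(obj) {
  if (obj === null || typeof obj !== "object") return false;
  if (Object.prototype.toString.call(obj) !== "[object Object]") return false;
  const proto = Object.getPrototypeOf(obj);
  return proto === null || proto === Object.prototype;
}

// Deep merge of `source` into `target`. `guarded` switches on the check that
// jQuery 3.4.0 introduced: skip the "__proto__" key and never merge an object into itself.
function deepExtend(target, source, guarded) {
  for (const name in source) {
    const copy = source[name];
    if (guarded && (name === "__proto__" || target === copy)) continue;
    if (isPlainObject(copy)) {
      // Unguarded: target["__proto__"] resolves to Object.prototype, which passes
      // isPlainObject, so the recursion writes straight into the shared prototype.
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtend(clone, copy, guarded);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed sample: untrusted JSON of the kind a page might hand to $.extend(true, {}, ...).
const UNTRUSTED_JSON = '{"title":"report","__proto__":{"isAdmin":true}}';

// Merge the sample into a fresh object and report whether Object.prototype was
// polluted; the shared prototype is restored afterwards so the process stays clean.
function mergeAndCheck(guarded) {
  const merged = deepExtend({}, JSON.parse(UNTRUSTED_JSON), guarded);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, "isAdmin");
  delete Object.prototype.isAdmin;
  return { title: merged.title, polluted };
}
```

mergeAndCheck(false) reports polluted: true, which is the pre-3.4.0 behaviour; mergeAndCheck(true) reports polluted: false, which is why the scanner's finding is closed by moving to 3.4.0 or later.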
--
This message was sent by Atlassian Jira
(v8.3.4#803005)