[Bug 1955556] Re: Javascript libraries with vulnerabilities

OpenStack Infra 1955556 at bugs.launchpad.net
Fri Aug 4 08:21:01 UTC 2023


Reviewed:  https://review.opendev.org/c/openstack/horizon/+/890217
Committed: https://opendev.org/openstack/horizon/commit/20bdaa386791cc23809b298762217dd1a2b0f071
Submitter: "Zuul (22348)"
Branch:    master

commit 20bdaa386791cc23809b298762217dd1a2b0f071
Author: manchandavishal <manchandavishal143 at gmail.com>
Date:   Tue Aug 1 21:06:07 2023 +0530

    Bump minor version of XStatic-jQuery
    
    This patch updates the minor version of XStatic-jQuery
    to 3.5.1.1 in the ``requirements.txt`` file.
    
    Closes-bug: #1955556
    Change-Id: I8fdcdddac6869af59a330d1181aed83c2c5770b3


** Changed in: horizon
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1955556

Title:
  Javascript libraries with vulnerabilities

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
Status in horizon package in Ubuntu:
  Confirmed

Bug description:
  A security scan executed by a customer detected javascript libraries
  with known vulnerabilities in horizon dashboard on focal ussuri
  (3:18.3.4-0ubuntu1):

  # libraries with vulnerabilities

  ## jQuery 1.12.4
  * https://github.com/jquery/jquery/issues/2432

  ## jQuery Migrate 1.2.1
  * http://bugs.jquery.com/ticket/11290

  ## AngularJS 1.5.8
  * https://github.com/angular/angular.js/commit/726f49dcf6c23106ddaf5cfd5e2e592841db743a
  * https://github.com/angular/angular.js/blob/master/CHANGELOG.md#179-pollution-eradication-2019-11-19
  * https://nvd.nist.gov/vuln/detail/CVE-2020-7676

  The libraries are included via https://github.com/openstack/horizon/blob/stable/ussuri/requirements.txt

  Is it possible to update these libraries and release an updated
  package?

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1955556/+subscriptions
