
jquery dependency needs to be updated to 3.5.0 or newer #10429

Closed
breser opened this issue Aug 20, 2020 · 5 comments · Fixed by #16440
Labels
kind:bug This is a clearly a bug

Comments

@breser
Member

breser commented Aug 20, 2020

Currently you're requiring jquery 3.4.0 or newer; 3.5.0 has a vulnerability against it.

CVE-2020-11022

The change is needed on these two lines:
https://github.com/apache/airflow/blob/master/airflow/www/package.json#L70
https://github.com/apache/airflow/blob/master/airflow/www/package.json#L48

@breser breser added the kind:bug This is a clearly a bug label Aug 20, 2020
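The request above is a dependency floor change in package.json plus a lockfile refresh. As an added example (not Airflow's code and not part of this issue), here is a small Node script that reads a package.json and a package-lock.json and reports whether the declared jquery range and the resolved jquery version are both at or above 3.5.0, the first release without CVE-2020-11022. Both JSON documents are constructed for the example, the pre-fix range "^3.4.0" and the installed version 3.4.1 are assumptions, and the range parser deliberately refuses shapes it does not understand rather than guessing a lower bound.

```javascript
// Added example (not Airflow's or jQuery's code): audit the jquery dependency in a
// package.json / package-lock.json pair against the first release that fixed
// CVE-2020-11022. The two JSON documents are constructed for this example.
const MIN_SAFE = "3.5.0";

// Constructed package.json fragment (assumption: the pre-fix range is "^3.4.0").
const PACKAGE_JSON = JSON.stringify({
  dependencies: { jquery: "^3.4.0" },
});

// Constructed lockfile v1 fragment (assumption: the installed version is 3.4.1).
const PACKAGE_LOCK_JSON = JSON.stringify({
  lockfileVersion: 1,
  dependencies: { jquery: { version: "3.4.1" } },
});

// Parse "x.y.z" (optional leading "v") into [major, minor, patch]; a pre-release
// suffix is ignored for the comparison.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative, zero or positive, comparing major, minor, patch in that order.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Lower bound of the simple range shapes found in package.json ("^3.4.0",
// "~3.4.0", ">=3.4.0", "3.4.0"). Anything else is refused, not guessed.
function rangeLowerBound(range) {
  const m = /^(\^|~|>=)?\s*v?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[2];
}

// Resolved version from a lockfile v1 ("dependencies") or v2/v3 ("packages") layout.
function lockedVersion(lock, name) {
  if (lock.packages && lock.packages[`node_modules/${name}`]) {
    return lock.packages[`node_modules/${name}`].version;
  }
  if (lock.dependencies && lock.dependencies[name]) {
    return lock.dependencies[name].version;
  }
  return null;
}

function auditJquery(pkgText, lockText) {
  const pkg = JSON.parse(pkgText), lock = JSON.parse(lockText);
  const declared =
    (pkg.dependencies || {}).jquery || (pkg.devDependencies || {}).jquery || null;
  const resolved = lockedVersion(lock, "jquery");
  const declaredFloor = declared ? rangeLowerBound(declared) : null;
  return {
    declared,
    declaredFloor,
    resolved,
    // A caret range whose floor is below 3.5.0 still allows 3.4.x on a fresh
    // install, so the range itself has to be raised, not only the lockfile.
    declaredOk: declaredFloor !== null && compareVersions(declaredFloor, MIN_SAFE) >= 0,
    resolvedOk: resolved !== null && compareVersions(resolved, MIN_SAFE) >= 0,
  };
}

console.log(auditJquery(PACKAGE_JSON, PACKAGE_LOCK_JSON));
```

Run it with `node` after replacing the two constructed strings with the real files; a result of `declaredOk: false` means the package.json range still admits a vulnerable release even if the lockfile currently pins a fixed one.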
@boring-cyborg

boring-cyborg bot commented Aug 20, 2020

Thanks for opening your first issue here! Be sure to follow the issue template!

@potiuk
Member

potiuk commented Aug 23, 2020

Would you be so kind as to make a PR with that? It should be rather easy.

BTW, when you open a new "security" issue from the template, you should get information that the right way of raising security issues is through [email protected] -> that's the responsible disclosure policy that is valid for the whole Apache organisation. https://www.apache.org/security/

Then such a vulnerability can be fixed before it gets disclosed.

breser added a commit to breser/airflow that referenced this issue Sep 2, 2020
There is a vulnerability in the version currently being used.
GHSA-gxr4-xjj5-5px2
@breser
Member Author

breser commented Sep 2, 2020

Pull request made.

I did not email [email protected] because I frankly don't consider this to be worth going through that process. This vulnerability is not in any way "secret". It's a vulnerability in a dependency, that Nessus is already alerting on against running airflow servers (mostly because of some networking equipment that happens to put jquery on a similar path not because they coded it specifically for airflow). I'm not providing any information about a working exploit against airflow. I'm not even sure one exists because I didn't sit down and research how you used jquery to see if you're using the functionality that has issues.
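The comment above leaves open which jQuery functionality the advisory concerns. As an added example (not jQuery's, Airflow's or the commenter's code), the block below models the relevant part of CVE-2020-11022 with plain string functions: before 3.5.0, `jQuery.htmlPrefilter()` rewrote self-closing tags in any HTML handed to `.html()`, `.append()` and the other DOM manipulation methods, and from 3.5.0 it returns its input unchanged. The regex is transcribed from jQuery 3.4.x as I remember it and is an assumption; the markup sample and the crude `<style>` raw-text model are constructed for the example and are not an exploit against Airflow.

```javascript
// Added example, not jQuery's or Airflow's code. Reproduces, as string functions,
// the htmlPrefilter behaviour change behind CVE-2020-11022 (fixed in jQuery 3.5.0).

// jQuery < 3.5.0 (regex transcribed from memory, an assumption): expand
// "<tag .../>" into "<tag ...></tag>" for everything except void elements.
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5.0: the prefilter is the identity function.
function fixedHtmlPrefilter(html) {
  return html;
}

// Crude model of the browser's raw-text parsing for <style>: everything up to the
// first "</style>" is text, so an "<img" inside it is inert markup. Returns true
// when the first "<img" sits after the first "</style>", i.e. it became a real
// element (constructed model, not a real HTML parser).
function imgEscapesStyle(html) {
  const lower = html.toLowerCase();
  const open = lower.indexOf("<style>");
  if (open < 0) return false;
  const close = lower.indexOf("</style>", open);
  const img = lower.indexOf("<img");
  return img >= 0 && (close < 0 || img > close);
}

// Constructed payload. A sanitizer that parses this sees the <img> as inert text
// inside <style>. The legacy prefilter rewrites "<style/>" to "<style></style>",
// which closes the outer <style> early and turns the <img> into a live element.
const PAYLOAD = "<style><style/><img src=x onerror=alert(1)></style>";

function demo() {
  return {
    beforeFilter: imgEscapesStyle(PAYLOAD),
    legacy: imgEscapesStyle(legacyHtmlPrefilter(PAYLOAD)),
    fixed: imgEscapesStyle(fixedHtmlPrefilter(PAYLOAD)),
  };
}

console.log(legacyHtmlPrefilter(PAYLOAD));
console.log(demo());
```

The practical consequence for a dependency audit is that the exposure depends on whether any page passes attacker-influenced HTML through the jQuery manipulation methods, which is exactly the question the comment above says was not researched; bumping the floor to 3.5.0 removes the rewrite regardless.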

@potiuk
Member

potiuk commented Sep 3, 2020

> Pull request made.

Thanks! I saw that the Astronomer's team will test it once they get the .lock file . Thanks for that :)

> I did not email [email protected] because I frankly don't consider this to be worth going through that process. This vulnerability is not in any way "secret". It's a vulnerability in a dependency, that Nessus is already alerting on against running airflow servers (mostly because of some networking equipment that happens to put jquery on a similar path not because they coded it specifically for airflow). I'm not providing any information about a working exploit against airflow. I'm not even sure one exists because I didn't sit down and research how you used jquery to see if you're using the functionality that has issues.

Sure. I understand the reasons :). I just think in such cases it's better to be safe than sorry. I understand it's not secret, but just mentioning it publicly and mentioning a CVE with the clear information "it's not yet fixed" might be something dangerous. It's likely not, in this case, and it is just strongly encouraged (not required) by the ASF policy mentioned. Not a big problem, I think, for now, but something to look out for in the future.

@breser
Member Author

breser commented Sep 3, 2020

See this comment on the PR I opened for past attempts to fix this:
#10684 (comment)
