[Pkg-javascript-devel] Question regarding jquery stable update

Roberto C. Sánchez roberto at debian.org
Fri Feb 26 17:10:22 GMT 2021


Hello jQuery (and generally JS package) maintainers,

[note: please CC me, as I am not subscribed to the list]

I am part of the LTS team and at the request of a current LTS customer I
have looked into fixing CVE-2020-11022 and CVE-2020-11023 in jQuery.  In
particular, the customer wanted to know if it was possible to fix those
issues in stretch.  Naturally, if those issues are fixed in stretch we
would also like to see them fixed in buster so that a future stretch ->
buster upgrade does not reintroduce the vulnerabilities.  The issue is
not so much technical as far as implementing the fix goes, but rather
one of the consequences of making the change.

Currently, the two CVEs are marked "<no-dsa> (Minor issue)" in the
security tracker.  So, the security team position on these issues is
that they are not severe enough to warrant a DSA, which is why I am
seeking your opinion/position on whether you would support fixing these
issues via a stable update in the next point release.

All of that said, I have backported the patches for the two referenced
CVEs to the jquery version in stretch.  The packages are available here:

https://people.debian.org/~roberto/jquery/

The upstream patches applied cleanly in the portion which changed
program code.  The only areas which needed any manual tweaking were in
the unit tests, which are not executed by debian/rules (though I did
make an effort to correctly backport the changes to keep the unit test
suite in a consistent state).

Based on the release announcement [0] for the upstream jQuery version
that fixed the vulnerabilities (version 3.5.0), the fix potentially
breaks compatibility for existing code.  This breaking of compatibility
is the primary reason why I must ask you to provide an opinion or
position on whether an update of jquery in buster would be something you
would consider.  As an additional consideration, the upstream release
announcement describes workarounds for those who are unable to upgrade.

If fixing the vulnerabilities in buster is not something you would
consider, then we would also not proceed with fixing the vulnerabilities
in stretch.  If it is something you would consider, I could handle
preparing the buster update and coordinate with the stable release
managers for the upload.

So, the questions are:

- Would you support an update to jquery in buster to fix CVE-2020-11022
  and CVE-2020-11023?
- If yes, would you like for me to prepare the updated packages and
  coordinate with the SRMs for the upload to buster?

Please advise on how I should or should not proceed.

Regards,

-Roberto


[0] https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com