[Pkg-javascript-devel] Question regarding jquery stable update

Yadd yadd at debian.org
Fri Mar 5 11:19:38 GMT 2021


On 05/03/2021 at 11:38, Roberto C. Sánchez wrote:
> Xavier & Jonas,
> 
> I sent the below query to pkg-javascript-devel at lists.alioth.org but
> never received a response.  Do you have any thoughts on this?
> 
> Additionally, since it seems like making the fix is too risky, I intend to
> update the security tracker on Monday with a note like: "fix is likely
> to break existing code; impact is too great".
> 
> If I should wait on that, please let me know.
> 
> Regards,
> 
> -Roberto
> 
> On Tue, Feb 23, 2021 at 07:17:59AM -0500, Roberto C. Sánchez wrote:
>> Hello jQuery (and generally JS package) maintainers,
>>
>> [note: please CC me, as I am not subscribed to the list]
>>
>> I am part of the LTS team and at the request of a current LTS customer I
>> have looked into fixing CVE-2020-11022 and CVE-2020-11023 in jQuery.  In
>> particular, the customer wanted to know if it was possible to fix those
>> issues in stretch.  Naturally, if those issues are fixed in stretch we
>> would also like to see them fixed in buster so that a future stretch ->
>> buster upgrade does not reintroduce the vulnerabilities.  The issue is
>> not so much technical as far as implementing the fix goes, but rather
>> one of the consequences of making the change.
>>
>> Currently, the two CVEs are marked "<no-dsa> (Minor issue)" in the
>> security tracker.  So, the security team position on these issues is
>> that they are not severe enough to warrant a DSA, which is why I am
>> seeking your opinion/position on whether you would support fixing these
>> issues via a stable update in the next point release.
>>
>> All of that said, I have backported the patches for the two referenced
>> CVEs to the jquery version in stretch.  The packages are available here:
>>
>> https://people.debian.org/~roberto/jquery/
>>
>> The upstream patches applied cleanly in the portion which changed
>> program code.  The only areas which needed any manual tweaking were in
>> the unit tests, which are not executed by debian/rules (though I did
>> make an effort to correctly backport the changes to keep the unit test
>> suite in a consistent state).
>>
>> Based on the release announcement [0] for the upstream jQuery version
>> that fixed the vulnerabilities (version 3.5.0), the fix potentially
>> breaks compatibility for existing code.  This breaking of compatibility
>> is the primary reason why I must ask you to provide an opinion or
>> position on whether an update of jquery in buster would be something you
>> would consider.  As an additional consideration, the upstream release
>> announcement describes workarounds for those who are unable to upgrade.
>>
>> If fixing the vulnerabilities in buster is not something you would
>> consider, then we would also not proceed with fixing the vulnerabilities
>> in stretch.  If it is something you would consider, I could handle
>> preparing the buster update and coordinate with the stable release
>> managers for the upload.
>>
>> So, the questions are:
>>
>> - Would you support an update to jquery in buster to fix CVE-2020-11022
>>   and CVE-2020-11023?
>> - If yes, would you like for me to prepare the updated packages and
>>   coordinate with the SRMs for the upload to buster?
>>
>> Please advise on how I should or should not proceed.
>>
>> Regards,
>>
>> -Roberto

Hi,

sorry for the delay, please go ahead ;-)

Cheers,
Xavier
