[Pkg-javascript-devel] Question regarding jquery stable update

Roberto C. Sánchez roberto at debian.org
Fri Mar 5 14:17:08 GMT 2021


On Fri, Mar 05, 2021 at 12:19:38PM +0100, Yadd wrote:
> Le 05/03/2021 à 11:38, Roberto C. Sánchez a écrit :
> > Xavier & Jonas,
> > 
> > I sent the below query to pkg-javascript-devel at lists.alioth.org but
> > never received a response.  Do you have any thoughts on this?
> > 
> > Additionally, since it seems like making the fix is too risky, I intend to
> > update the security tracker on Monday with a note like: "fix is likely
> > to break existing code; impact is too great".
> > 
> > If I should wait on that, please let me know.
> > 
> > Regards,
> > 
> > -Roberto
> > 
> > On Tue, Feb 23, 2021 at 07:17:59AM -0500, Roberto C. Sánchez wrote:
> >> Hello jQuery (and generally JS package) maintainers,
> >>
> >> [note: please CC me, as I am not subscribed to the list]
> >>
> >> I am part of the LTS team and at the request of a current LTS customer I
> >> have looked into fixing CVE-2020-11022 and CVE-2020-11023 in jQuery.  In
> >> particular, the customer wanted to know if it was possible to fix those
> >> issues in stretch.  Naturally, if those issues are fixed in stretch we
> >> would also like to see them fixed in buster so that a future stretch ->
> >> buster upgrade does not reintroduce the vulnerabilities.  The issue is
> >> not so much technical as far as implementing the fix goes, but rather
> >> one of the consequences of making the change.
> >>
> >> Currently, the two CVEs are marked "<no-dsa> (Minor issue)" in the
> >> security tracker.  So, the security team position on these issues is
> >> that they are not severe enough to warrant a DSA, which is why I am
> >> seeking your opinion/position on whether you would support fixing these
> >> issues via a stable update in the next point release.
> >>
> >> All of that said, I have backported the patches for the two referenced
> >> CVEs to the jquery version in stretch.  The packages are available here:
> >>
> >> https://people.debian.org/~roberto/jquery/
> >>
> >> The upstream patches applied cleanly in the portion which changed
> >> program code.  The only areas which needed any manual tweaking were in
> >> the unit tests, which are not executed by debian/rules (though I did
> >> make an effort to correctly backport the changes to keep the unit test
> >> suite in a consistent state).
> >>
> >> Based on the release announcement [0] for the upstream jQuery version
> >> that fixed the vulnerabilities (version 3.5.0), the fix potentially
> >> breaks compatibility for existing code.  This breaking of compatibility
> >> is the primary reason why I must ask you to provide an opinion or
> >> position on whether an update of jquery in buster would be something you
> >> would consider.  As an additional consideration, the upstream release
> >> announcement describes workarounds for those who are unable to upgrade.
> >>
> >> If fixing the vulnerabilities in buster is not something you would
> >> consider, then we would also not proceed with fixing the vulnerabilities
> >> in stretch.  If it is something you would consider, I could handle
> >> preparing the buster update and coordinate with the stable release
> >> managers for the upload.
> >>
> >> So, the questions are:
> >>
> >> - Would you support an update to jquery in buster to fix CVE-2020-11022
> >>   and CVE-2020-11022?
> >> - If yes, would you like for me to prepare the updated packages and
> >>   coordinate with the SRMs for the upload to buster?
> >>
> >> Please advise on how I should or should not proceed.
> >>
> >> Regards,
> >>
> >> -Roberto
> 
> Hi,
> 
> sorry for the delay, please go ahead ;-)
> 
To be clear, you find the benefit of fixing the two CVEs, CVE-2020-11022
and CVE-2020-11023*, to outweigh the potential risks and you agree that
I should coordinate with SRM for an update in buster (after which I
would also update in stretch)?

Just making sure that I am not misunderstanding.

Regards,

-Roberto


* I just noticed that my original message specified CVE-2020-11022 twice
  by mistake.

-- 
Roberto C. Sánchez
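The compatibility risk discussed in the thread comes from the change jQuery 3.5.0 made to jQuery.htmlPrefilter: before 3.5.0 it expanded self-closing non-void tags such as `<div/>` into `<div></div>` before handing markup to the DOM; from 3.5.0 it returns the markup unchanged. The block below is an added example, not code from the thread or from the Debian jquery package. It models both behaviours with the regular expression older jQuery used for the expansion, and adds a small scan that reports which fragments in an application's templates would render differently after the backported fix (so a maintainer can estimate the impact before uploading). The sample fragments are constructed for the example; `findAffectedTags` and `summarize` are helper names chosen here, not jQuery APIs.

```javascript
// Added example: models jQuery.htmlPrefilter before and after jQuery 3.5.0
// (the fix for CVE-2020-11022 / CVE-2020-11023) so the compatibility impact
// of backporting that fix can be checked against existing markup.

// Pre-3.5 behaviour: self-closing tags other than the listed void elements
// were rewritten to an open/close pair, e.g. "<div/>" became "<div></div>".
// This is the expansion regex older jQuery versions used.
const LEGACY_SELF_CLOSING =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(LEGACY_SELF_CLOSING, "<$1></$2>");
}

// 3.5.0 behaviour: htmlPrefilter is an identity function; the markup reaches
// the browser's HTML parser exactly as the application wrote it.
function fixedHtmlPrefilter(html) {
  return html;
}

// Compatibility check (helper name chosen for this example): list every
// non-void self-closing tag in a fragment that the old prefilter would have
// expanded. Any hit means the fragment renders differently after the update
// and the template needs an explicit closing tag.
function findAffectedTags(html) {
  const hits = [];
  // Fresh RegExp so repeated calls do not share lastIndex state.
  const re = new RegExp(LEGACY_SELF_CLOSING.source, "gi");
  let m;
  while ((m = re.exec(html)) !== null) {
    hits.push({ tag: m[2].toLowerCase(), match: m[0], index: m.index });
  }
  return hits;
}

// Constructed sample fragments, standing in for an application's templates.
const SAMPLES = [
  '<div class="row"/><span>x</span>', // affected: div is not a void element
  '<br/><img src="a.png"/>',          // unaffected: void elements only
  '<p>already</p><i/>',               // affected: <i/>
];

// Side-by-side report for each fragment: which tags are affected and what
// the old and new prefilters would pass to the DOM.
function summarize(fragments) {
  return fragments.map((f) => ({
    fragment: f,
    affected: findAffectedTags(f).map((h) => h.tag),
    legacy: legacyHtmlPrefilter(f),
    fixed: fixedHtmlPrefilter(f),
  }));
}

if (typeof require !== "undefined" && typeof module !== "undefined" &&
    require.main === module) {
  for (const r of summarize(SAMPLES)) {
    console.log(r);
  }
}
```

Run it with `node` to print the report; fragments whose `affected` list is non-empty are the ones an application must fix (by writing the closing tag explicitly) before the updated jquery package is deployed.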
