[Pkg-javascript-devel] Question regarding jquery stable update

Yadd yadd at debian.org
Fri Mar 5 16:05:13 GMT 2021


On 05/03/2021 at 15:17, Roberto C. Sánchez wrote:
> On Fri, Mar 05, 2021 at 12:19:38PM +0100, Yadd wrote:
>> On 05/03/2021 at 11:38, Roberto C. Sánchez wrote:
>>> Xavier & Jonas,
>>>
>>> I sent the below query to pkg-javascript-devel at lists.alioth.org but
>>> never received a response.  Do you have any thoughts on this?
>>>
>>> Additionally, since it seems like making the fix is too risky, I intend to
>>> update the security tracker on Monday with a note like: "fix is likely
>>> to break existing code; impact is too great".
>>>
>>> If I should wait on that, please let me know.
>>>
>>> Regards,
>>>
>>> -Roberto
>>>
>>> On Tue, Feb 23, 2021 at 07:17:59AM -0500, Roberto C. Sánchez wrote:
>>>> Hello jQuery (and generally JS package) maintainers,
>>>>
>>>> [note: please CC me, as I am not subscribed to the list]
>>>>
>>>> I am part of the LTS team and at the request of a current LTS customer I
>>>> have looked into fixing CVE-2020-11022 and CVE-2020-11023 in jQuery.  In
>>>> particular, the customer wanted to know if it was possible to fix those
>>>> issues in stretch.  Naturally, if those issues are fixed in stretch we
>>>> would also like to see them fixed in buster so that a future stretch ->
>>>> buster upgrade does not reintroduce the vulnerabilities.  The issue is
>>>> not so much technical as far as implementing the fix goes, but rather
>>>> one of the consequences of making the change.
>>>>
>>>> Currently, the two CVEs are marked "<no-dsa> (Minor issue)" in the
>>>> security tracker.  So, the security team position on these issues is
>>>> that they are not severe enough to warrant a DSA, which is why I am
>>>> seeking your opinion/position on whether you would support fixing these
>>>> issues via a stable update in the next point release.
>>>>
>>>> All of that said, I have backported the patches for the two referenced
>>>> CVEs to the jquery version in stretch.  The packages are available here:
>>>>
>>>> https://people.debian.org/~roberto/jquery/
>>>>
>>>> The upstream patches applied cleanly in the portion which changed
>>>> program code.  The only areas which needed any manual tweaking were in
>>>> the unit tests, which are not executed by debian/rules (though I did
>>>> make an effort to correctly backport the changes to keep the unit test
>>>> suite in a consistent state).
>>>>
>>>> Based on the release announcement [0] for the upstream jQuery version
>>>> that fixed the vulnerabilities (version 3.5.0), the fix potentially
>>>> breaks compatibility for existing code.  This breaking of compatibility
>>>> is the primary reason why I must ask you to provide an opinion or
>>>> position on whether an update of jquery in buster would be something you
>>>> would consider.  As an additional consideration, the upstream release
>>>> announcement describes workarounds for those who are unable to upgrade.
>>>>
>>>> If fixing the vulnerabilities in buster is not something you would
>>>> consider, then we would also not proceed with fixing the vulnerabilities
>>>> in stretch.  If it is something you would consider, I could handle
>>>> preparing the buster update and coordinate with the stable release
>>>> managers for the upload.
>>>>
>>>> So, the questions are:
>>>>
>>>> - Would you support an update to jquery in buster to fix CVE-2020-11022
>>>>   and CVE-2020-11022?
>>>> - If yes, would you like for me to prepare the updated packages and
>>>>   coordinate with the SRMs for the upload to buster?
>>>>
>>>> Please advise on how I should or should not proceed.
>>>>
>>>> Regards,
>>>>
>>>> -Roberto
>>
>> Hi,
>>
>> sorry for the delay, please go ahead ;-)
>>
> To be clear, you find the benefit of fixing the two CVEs, CVE-2020-11022
> and CVE-2020-11023*, to outweigh the potential risks and you agree that
> I should coordinate with SRM for an update in buster (after which I
> would also update in stretch)?
> 
> Just making sure that I am not misunderstanding.
> 
> Regards,
> 
> -Roberto

Hi,

Yes, I saw your patches and it seems not risky to upload them, so I fully
agree with your proposition.