[Pkg-javascript-devel] Question regarding jquery stable update

Roberto C. Sánchez roberto at debian.org
Fri Mar 5 16:09:52 GMT 2021


On Fri, Mar 05, 2021 at 05:05:13PM +0100, Yadd wrote:
> Le 05/03/2021 à 15:17, Roberto C. Sánchez a écrit :
> > On Fri, Mar 05, 2021 at 12:19:38PM +0100, Yadd wrote:
> >> Le 05/03/2021 à 11:38, Roberto C. Sánchez a écrit :
> >>> Xavier & Jonas,
> >>>
> >>> I sent the below query to pkg-javascript-devel at lists.alioth.org but
> >>> never received a response.  Do you have any thoughts on this?
> >>>
> >>> Additionally, since it seems like making the fix is too risky, I intend to
> >>> update the security tracker on Monday with a note like: "fix is likely
> >>> to break existing code; impact is too great".
> >>>
> >>> If I should wait on that, please let me know.
> >>>
> >>> Regards,
> >>>
> >>> -Roberto
> >>>
> >>> On Tue, Feb 23, 2021 at 07:17:59AM -0500, Roberto C. Sánchez wrote:
> >>>> Hello jQuery (and generally JS package) maintainers,
> >>>>
> >>>> [note: please CC me, as I am not subscribed to the list]
> >>>>
> >>>> I am part of the LTS team and at the request of a current LTS customer I
> >>>> have looked into fixing CVE-2020-11022 and CVE-2020-11023 in jQuery.  In
> >>>> particular, the customer wanted to know if it was possible to fix those
> >>>> issues in stretch.  Naturally, if those issues are fixed in stretch we
> >>>> would also like to see them fixed in buster so that a future stretch ->
> >>>> buster upgrade does not reintroduce the vulnerabilities.  The issue is
> >>>> not so much technical as far as implementing the fix goes, but rather
> >>>> one of the consequences of making the change.
> >>>>
> >>>> Currently, the two CVEs are marked "<no-dsa> (Minor issue)" in the
> >>>> security tracker.  So, the security team position on these issues is
> >>>> that they are not severe enough to warrant a DSA, which is why I am
> >>>> seeking your opinion/position on whether you would support fixing these
> >>>> issues via a stable update in the next point release.
> >>>>
> >>>> All of that said, I have backported the patches for the two referenced
> >>>> CVEs to the jquery version in stretch.  The packages are available here:
> >>>>
> >>>> https://people.debian.org/~roberto/jquery/
> >>>>
> >>>> The upstream patches applied cleanly in the portion which changed
> >>>> program code.  The only areas which needed any manual tweaking were in
> >>>> the unit tests, which are not executed by debian/rules (though I did
> >>>> make an effort to correctly backport the changes to keep the unit test
> >>>> suite in a consistent state).
> >>>>
> >>>> Based on the release announcement [0] for the upstream jQuery version
> >>>> that fixed the vulnerabilities (version 3.5.0), the fix potentially
> >>>> breaks compatibility for existing code.  This breaking of compatibility
> >>>> is the primary reason why I must ask you to provide an opinion or
> >>>> position on whether an update of jquery in buster would be something you
> >>>> would consider.  As an additional consideration, the upstream release
> >>>> announcement describes workarounds for those who are unable to upgrade.
> >>>>
> >>>> If fixing the vulnerabilities in buster is not something you would
> >>>> consider, then we would also not proceed with fixing the vulnerabilities
> >>>> in stretch.  If it is something you would consider, I could handle
> >>>> preparing the buster update and coordinate with the stable release
> >>>> managers for the upload.
> >>>>
> >>>> So, the questions are:
> >>>>
> >>>> - Would you support an update to jquery in buster to fix CVE-2020-11022
> >>>>   and CVE-2020-11022?
> >>>> - If yes, would you like for me to prepare the updated packages and
> >>>>   coordinate with the SRMs for the upload to buster?
> >>>>
> >>>> Please advise on how I should or should not proceed.
> >>>>
> >>>> Regards,
> >>>>
> >>>> -Roberto
> >>
> >> Hi,
> >>
> >> sorry for the delay, please go ahead ;-)
> >>
> > To be clear, you find the benefit of fixing the two CVEs, CVE-2020-11022
> > and CVE-2020-11023*, to outweigh the potential risks and you agree that
> > I should coordinate with SRM for an update in buster (after which I
> > would also update in stretch)?
> > 
> > Just making sure that I am not misunderstanding.
> > 
> > Regards,
> > 
> > -Roberto
> 
> Hi,
> 
> yes, I saw your patches and it seems not risky to upload them so I fully
> agree with your proposition

Thanks for confirming!

Regards,

-Roberto

-- 
Roberto C. Sánchez
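The thread above talks about the compatibility break that the jQuery 3.5.0 fix for CVE-2020-11022 / CVE-2020-11023 introduces without showing what actually changes. The following is an added example written for this page; it is not code from the thread, from the Debian jquery package or from jQuery itself. It reproduces, from my reading of the upstream source (treat the exact pattern as an assumption), the self-closing-tag regex that `jQuery.htmlPrefilter` applied before 3.5.0, sets it beside the identity prefilter that 3.5.0 switched to (which is also the shape of the workaround the upstream release announcement offers to sites that cannot upgrade), and adds a small check a maintainer can run over their own templates to find markup that relied on the old expansion. The function names `legacyHtmlPrefilter`, `fixedHtmlPrefilter`, `selfClosingTagsAffected` and `demo`, and the sample markup, are mine.

```javascript
// Added example (not from the thread, the Debian package or jQuery upstream).
// Runs under Node without jQuery or a DOM: the point is the string rewrite
// that happened *before* markup reached the browser's HTML parser.

// Self-closing-tag regex as used by jQuery.htmlPrefilter before 3.5.0
// (reproduced from upstream source as I remember it; treat as an assumption).
// It expands "<tag .../>" into "<tag ...></tag>" for every tag that is not in
// the small list of known void elements.
const LEGACY_SELF_CLOSING_RE =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Pre-3.5.0 behaviour: rewrite the string before it reaches the parser.
// This textual expansion is what the two CVEs are about: it can turn a
// string the caller considered safe into markup that parses differently.
function legacyHtmlPrefilter(html) {
  return html.replace(LEGACY_SELF_CLOSING_RE, "<$1></$2>");
}

// 3.5.0 behaviour: the prefilter is the identity, so the parser sees exactly
// the string the application passed in. Overriding jQuery.htmlPrefilter with
// an identity function like this is the shape of the upstream workaround for
// deployments that cannot upgrade.
function fixedHtmlPrefilter(html) {
  return html;
}

// Compatibility check for maintainers: list the tag names in a snippet whose
// self-closing form the legacy prefilter would have expanded. A non-empty
// result is markup that renders differently after the fix (for example
// "<div/>" is no longer turned into "<div></div>", so the HTML parser treats
// it as an unclosed <div> and nests whatever follows inside it).
function selfClosingTagsAffected(html) {
  const names = [];
  for (const m of html.matchAll(LEGACY_SELF_CLOSING_RE)) {
    names.push(m[2].toLowerCase());
  }
  return names;
}

// Constructed sample of the kind of template markup that relied on the old
// expansion: two non-void self-closing tags, one void tag, one normal element.
const SAMPLE = '<div class="row"/><br/><span/><p>text</p>';

// Runs the three functions over the sample and returns the results so a
// caller (or a test) can compare the two prefilters side by side.
function demo() {
  return {
    legacy: legacyHtmlPrefilter(SAMPLE),
    fixed: fixedHtmlPrefilter(SAMPLE),
    affected: selfClosingTagsAffected(SAMPLE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the legacy prefilter rewriting `<div class="row"/>` and `<span/>` into explicitly closed elements while leaving `<br/>` alone, whereas the fixed prefilter returns the input untouched; `selfClosingTagsAffected` reports `div` and `span`, which is exactly the markup a site would need to close explicitly (or handle via the workaround) before taking the buster or stretch update discussed above.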


