Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/08/20 17:51:19 UTC

[GitHub] [airflow] breser opened a new issue #10429: jquery dependency needs to be updated to 3.5.0 or newer

breser opened a new issue #10429:
URL: https://github.com/apache/airflow/issues/10429


   Currently you're requiring jquery 3.4.0 or newer, 3.5.0 has a vulnerability against it.
   
   [CVE-2020-11022](https://github.com/advisories/GHSA-gxr4-xjj5-5px2)
   
   Change is needed to these two lines:
   https://github.com/apache/airflow/blob/master/airflow/www/package.json#L70
   https://github.com/apache/airflow/blob/master/airflow/www/package.json#L48


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
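As an added example (not code from the issue, the PR, or the Airflow project), here is a small audit script that reads a package.json and reports whether the declared range for jquery still admits a version below 3.5.0, the fixed version named in this issue. The package.json text embedded below is constructed for the example; its ranges are illustrative, not Airflow's actual values. The script also checks a resolved version of the kind a lock file pins, since a range such as `^3.4.0` admits both vulnerable and fixed releases and only the lock file tells you which one is installed.

```python
"""Audit a package.json for a dependency whose declared range still admits a
version below a known fixed release (here jquery < 3.5.0, CVE-2020-11022).

Added example; assumes nothing about Airflow's real package.json."""
import json
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Matches "3", "3.4", "3.4.0", "3.x"; missing or wildcard parts become 0.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+|x|X|\*))?(?:\.(\d+|x|X|\*))?")


def parse_version(text: str) -> Version:
    """Parse the first version-like token in text into a comparable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(g) if g is not None and g.isdigit() else 0 for g in m.groups()]
    return (parts[0], parts[1], parts[2])


def range_lower_bound(spec: str) -> Optional[Version]:
    """Lowest version an npm range spec admits.

    Handles exact versions, ^, ~, >=, hyphen ranges and '||' alternatives.
    Upper-bound tokens (<, <=) never set the minimum. Returns None for
    unbounded specs ('*', 'latest', ''), which must be treated as unsafe.
    """
    tokens = spec.replace("||", " ").split()
    candidates = []
    for tok in tokens:
        if tok in ("-", "*", "latest", "x"):
            continue
        if tok.startswith("<"):
            continue
        candidates.append(parse_version(tok))
    return min(candidates) if candidates else None


def audit_package_json(package_json: str, package: str,
                       fixed: Version) -> List[Dict[str, object]]:
    """Return one finding per dependency section that declares `package`.

    admits_vulnerable is True when the range's lower bound is below `fixed`
    or when the range is unbounded, i.e. a vulnerable release could resolve.
    """
    data = json.loads(package_json)
    findings: List[Dict[str, object]] = []
    for section in ("dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"):
        spec = data.get(section, {}).get(package)
        if spec is None:
            continue
        low = range_lower_bound(spec)
        findings.append({
            "section": section,
            "spec": spec,
            "lower_bound": low,
            "admits_vulnerable": low is None or low < fixed,
        })
    return findings


def is_vulnerable(resolved_version: str, fixed: Version) -> bool:
    """Check a concrete resolved version (e.g. from a lock file)."""
    return parse_version(resolved_version) < fixed


JQUERY_FIXED: Version = (3, 5, 0)  # fixed release named in the issue

# Constructed sample: jquery declared in two sections, both still on ^3.4.0.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-webapp",
    "dependencies": {"jquery": "^3.4.0", "d3": "^5.16.0"},
    "devDependencies": {"jquery": ">=3.4.0 <4.0.0"},
})

# Constructed sample after the bump.
FIXED_PACKAGE_JSON = json.dumps({
    "name": "example-webapp",
    "dependencies": {"jquery": "^3.5.0"},
})

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON, "jquery", JQUERY_FIXED):
        print(finding)
    print("resolved 3.4.1 vulnerable:", is_vulnerable("3.4.1", JQUERY_FIXED))
```

Run against the real file with `audit_package_json(open("package.json").read(), "jquery", (3, 5, 0))`; a finding with `admits_vulnerable` set means the declared range needs bumping, and a `false` there still says nothing about what the lock file resolved, which is what `is_vulnerable` is for.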



[GitHub] [airflow] ryanahamilton closed issue #10429: jquery dependency needs to be updated to 3.5.0 or newer

Posted by GitBox <gi...@apache.org>.
ryanahamilton closed issue #10429:
URL: https://github.com/apache/airflow/issues/10429


   





[GitHub] [airflow] boring-cyborg[bot] commented on issue #10429: jquery dependency needs to be updated to 3.5.0 or newer

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #10429:
URL: https://github.com/apache/airflow/issues/10429#issuecomment-677809307


   Thanks for opening your first issue here! Be sure to follow the issue template!
   





[GitHub] [airflow] breser commented on issue #10429: jquery dependency needs to be updated to 3.5.0 or newer

Posted by GitBox <gi...@apache.org>.
breser commented on issue #10429:
URL: https://github.com/apache/airflow/issues/10429#issuecomment-685222293


   Pull request made.
   
   I did not email security@apache.org because I frankly don't consider this to be worth going through that process.  This vulnerability is not in any way "secret".  It's a vulnerability in a dependency, that Nessus is already alerting on against running airflow servers (mostly because of some networking equipment that happens to put jquery on a similar path not because they coded it specifically for airflow).  I'm not providing any information about a working exploit against airflow.  I'm not even sure one exists because I didn't sit down and research how you used jquery to see if you're using the functionality that has issues.





[GitHub] [airflow] breser commented on issue #10429: jquery dependency needs to be updated to 3.5.0 or newer

Posted by GitBox <gi...@apache.org>.
breser commented on issue #10429:
URL: https://github.com/apache/airflow/issues/10429#issuecomment-686820980


   See this comment on the PR I opened for past attempts to fix this:
   https://github.com/apache/airflow/pull/10684#issuecomment-686629969





[GitHub] [airflow] potiuk commented on issue #10429: jquery dependency needs to be updated to 3.5.0 or newer

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #10429:
URL: https://github.com/apache/airflow/issues/10429#issuecomment-678763430


   Would you be so kind to make a PR with that? It should be rather easy?
   
   BTW. When you open a new "security" issue from template, you should get information that the right way of raising security issues is through security@apache.org -> that's the `responsible disclosure` policy that is valid for all Apache organisation. https://www.apache.org/security/
   
   Then such a vulnerability can be fixed before it gets disclosed.
   





[GitHub] [airflow] potiuk commented on issue #10429: jquery dependency needs to be updated to 3.5.0 or newer

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #10429:
URL: https://github.com/apache/airflow/issues/10429#issuecomment-686478994


   > Pull request made.
   
   Thanks! I saw that the Astronomer's team will test it once they get the .lock file. Thanks for that :)
    
   > I did not email [security@apache.org](mailto:security@apache.org) because I frankly don't consider this to be worth going through that process. This vulnerability is not in any way "secret". It's a vulnerability in a dependency, that Nessus is already alerting on against running airflow servers (mostly because of some networking equipment that happens to put jquery on a similar path not because they coded it specifically for airflow). I'm not providing any information about a working exploit against airflow. I'm not even sure one exists because I didn't sit down and research how you used jquery to see if you're using the functionality that has issues.
   
   > Sure. I understand the reasons :). I just think in such cases it's better to be safe than sorry - I understand it's not secret, but just mentioning it publicly and mentioning CVE with clear information "it's not yet fixed" might be something dangerous. It's likely, not - in this case, and it is just strongly encouraged (not required) by the ASF policy mentioned. Not a big problem I think for now, but something to look out in the future.

