Posted to notifications@ant.apache.org by bu...@apache.org on 2022/06/24 15:03:00 UTC

[Bug 66144] New: The manual/api uses out of date jquery 3.3.1 which has security issues

https://bz.apache.org/bugzilla/show_bug.cgi?id=66144

            Bug ID: 66144
           Summary: The manual/api uses out of date jquery 3.3.1 which has
                    security issues
           Product: Ant
           Version: 1.10.12
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
          Assignee: notifications@ant.apache.org
          Reporter: aheath@temenos.com
  Target Milestone: ---

Identified issue in the jquery is CVE-2020-11023

Does the manual need to use jquery? If it does it should get updated.

-- 
You are receiving this mail because:
You are the assignee for the bug.

--- Comment #2 from Peter De Maeyer <pe...@gmail.com> ---
This causes violations to be reported by Nexus IQ scans, which is annoying and
causes administrative overhead.

--- Comment #4 from Peter De Maeyer <pe...@gmail.com> ---
I glanced at the pre-release ZIP and I can confirm that the vulnerable
jquery-3.3.1 has been updated to a non-vulnerable jquery-3.5.1.

I noticed that 3.5.1 is not the latest though, the latest is 3.6.2, or even
4.0.0 if you're willing to accept a major version bump, but 3.5.1 is
certainly good enough for now.

In order to really confirm that our build passes Nexus IQ I'll need an official
build downloadable from Maven Central, but I'm confident that it will be fixed
in apache-ant-1.10.13.

--- Comment #3 from Jaikiran Pai <ja...@apache.org> ---
Hello Alan, Peter,

Could one of you test the upcoming Ant 1.10.13 version which currently is in
voting phase https://lists.apache.org/thread/5ovftmd8cj7sdstckq8m5d7r0g2q8x2k.
I had a brief look at the generated javadoc and from what I can see this should
no longer be an issue in this upcoming release. It would be helpful if you
could try it out on some system where the scanning tool is running.

Jaikiran Pai <ja...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
   Target Milestone|---                         |1.10.13
         Resolution|---                         |FIXED

--- Comment #5 from Jaikiran Pai <ja...@apache.org> ---
Thank you Peter for that quick check. Once the voting completes, this new
release should be available soon.

Stefan Bodewig <bo...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Stefan Bodewig <bo...@apache.org> ---
I don't believe it is Ant itself that puts jquery into the api docs but the
javadoc tool of the JDK does. "Fixing" the manual probably means re-creating it
with a more recent JDK - if and only if the more recent JDK has actually
upgraded its jquery dependency, that is.

Looking at CVE-2020-11023 and grepping through the code a bit I don't believe
the code generated by the javadoc tool ever uses input from untrusted source at
all, so it may just be that the apidocs generated simply are not affected by
the vulnerability and thus no update is required. You may want to check that
yourself.

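The thread turns on two facts: javadoc copies a jQuery build into the generated apidocs, and the scanner flags any copy older than 3.5.0, the release in which CVE-2020-11023 was fixed. The following script is an added example, not code from Ant, the JDK or Nexus IQ: it walks an apidocs tree, recovers the jQuery version either from a `jquery-<version>.js` file name or from the `/*! jQuery vX.Y.Z` banner at the top of the file, and reports which copies predate the fix. The directory layout and file contents it builds are constructed sample data standing in for a real javadoc output tree.

```python
"""Scan a generated javadoc/apidocs tree for bundled jQuery copies and flag
versions older than 3.5.0, the CVE-2020-11023 fix release.

Added example for this bug thread; it is not Ant or javadoc code. The paths,
file names and the minimal jQuery banners below are constructed sample data.
"""
import os
import re
import tempfile

# Upstream fixed CVE-2020-11023 in jQuery 3.5.0; anything older is flagged.
FIXED_VERSION = (3, 5, 0)

# javadoc ships jQuery either as jquery-<ver>.js / jquery-<ver>.min.js or
# with the standard banner "/*! jQuery v3.3.1 | (c) JS Foundation ..."
FILENAME_RE = re.compile(r"jquery-(\d+\.\d+\.\d+)(?:\.min)?\.js$", re.IGNORECASE)
BANNER_RE = re.compile(r"/\*!\s*jQuery\s+v(\d+\.\d+\.\d+)")


def parse_version(text):
    """'3.3.1' -> (3, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def is_affected(version):
    """True when this jQuery version predates the CVE-2020-11023 fix."""
    return parse_version(version) < FIXED_VERSION


def jquery_version_of(path):
    """Return the jQuery version found in a file name or banner, or None."""
    m = FILENAME_RE.search(os.path.basename(path))
    if m:
        return m.group(1)
    if path.lower().endswith(".js"):
        # The banner sits in the first line; avoid reading a whole minified file.
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            head = f.read(512)
        m = BANNER_RE.search(head)
        if m:
            return m.group(1)
    return None


def scan_apidocs(root):
    """Walk an apidocs tree; return sorted [(relative_path, version, affected)]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            version = jquery_version_of(full)
            if version:
                rel = os.path.relpath(full, root)
                findings.append((rel, version, is_affected(version)))
    return sorted(findings)


def build_sample_tree():
    """Constructed apidocs layout mimicking what javadoc generates (sample data)."""
    root = tempfile.mkdtemp(prefix="apidocs-")
    os.makedirs(os.path.join(root, "jquery"))
    os.makedirs(os.path.join(root, "script-dir"))
    # Old copy, named by version the way javadoc names it.
    with open(os.path.join(root, "jquery", "jquery-3.3.1.js"), "w") as f:
        f.write("/*! jQuery v3.3.1 | (c) JS Foundation and other contributors */\n")
    # Updated copy, identifiable only by its banner.
    with open(os.path.join(root, "script-dir", "jquery.min.js"), "w") as f:
        f.write("/*! jQuery v3.5.1 | (c) JS Foundation and other contributors */\n")
    # Unrelated javadoc script that must not be reported.
    with open(os.path.join(root, "script.js"), "w") as f:
        f.write("function show(type) {}\n")
    return root


if __name__ == "__main__":
    for rel, version, affected in scan_apidocs(build_sample_tree()):
        print(f"{rel}: jQuery {version} {'AFFECTED' if affected else 'ok'}")
```

Point `scan_apidocs` at the unpacked `manual/api` directory of a release to get the same answer a dependency scanner would, without waiting for a Maven Central artifact; comparing versions as integer tuples rather than strings is what keeps `3.4.10` correctly below `3.5.0`.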