Posted to notifications@ant.apache.org by bu...@apache.org on 2022/06/24 15:03:00 UTC
[Bug 66144] New: The manual/api uses out of date jquery 3.3.1 which has security issues
https://bz.apache.org/bugzilla/show_bug.cgi?id=66144
Bug ID: 66144
Summary: The manual/api uses out of date jquery 3.3.1 which has security issues
Product: Ant
Version: 1.10.12
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Assignee: notifications@ant.apache.org
Reporter: aheath@temenos.com
Target Milestone: ---
The identified issue in jquery is CVE-2020-11023.
Does the manual need to use jquery? If it does, it should get updated.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 66144] The manual/api uses out of date jquery 3.3.1 which has security issues
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66144
--- Comment #2 from Peter De Maeyer <pe...@gmail.com> ---
This causes violations to be reported by Nexus IQ scans, which is annoying and
causes administrative overhead.
--- Comment #4 from Peter De Maeyer <pe...@gmail.com> ---
I glanced at the pre-release ZIP and I can confirm that the vulnerable
jquery-3.3.1 has been updated to a non-vulnerable jquery-3.5.1.
I noticed that 3.5.1 is not the latest though; the latest is 3.6.2, or even
4.0.0 if you're willing to accept a major version bump, but 3.5.1 is
certainly good enough for now.
In order to really confirm that our build passes Nexus IQ I'll need an official
build downloadable from Maven Central, but I'm confident that it will be fixed
in apache-ant-1.10.13.
--- Comment #3 from Jaikiran Pai <ja...@apache.org> ---
Hello Alan, Peter,
Could one of you test the upcoming Ant 1.10.13 version, which is currently in
the voting phase: https://lists.apache.org/thread/5ovftmd8cj7sdstckq8m5d7r0g2q8x2k
I had a brief look at the generated javadoc and from what I can see this should
no longer be an issue in this upcoming release. It would be helpful if you
could try it out on some system where the scanning tool is running.
Jaikiran Pai <ja...@apache.org> changed:
What             |Removed |Added
----------------------------------------------------------------------------
Status           |NEW     |RESOLVED
Target Milestone |---     |1.10.13
Resolution       |---     |FIXED
--- Comment #5 from Jaikiran Pai <ja...@apache.org> ---
Thank you Peter for that quick check. Once the voting completes, this new
release should be available soon.
Stefan Bodewig <bo...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS   |        |All
--- Comment #1 from Stefan Bodewig <bo...@apache.org> ---
I don't believe it is Ant itself that puts jquery into the api docs but the
javadoc tool of the JDK does. "Fixing" the manual probably means re-creating it
with a more recent JDK - if and only if the more recent JDK has actually
upgraded its jquery dependency, that is.
Looking at CVE-2020-11023 and grepping through the code a bit I don't believe
the code generated by the javadoc tool ever uses input from an untrusted source at
all, so it may just be that the apidocs generated simply are not affected by
the vulnerability and thus no update is required. You may want to check that
yourself.
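The check Peter ran by hand against the pre-release ZIP (which jQuery version the generated apidocs bundle, and whether it predates the fix) can be scripted. The following is an added example, not code from the Ant project, the JDK, or anyone in this thread: it walks a javadoc output tree, reads the version banner at the top of each `.js` file (falling back to the `jquery-<version>.js` file-name pattern javadoc uses), and flags copies older than 3.5.0, the jQuery release that fixed CVE-2020-11023. The sample tree it builds in a temporary directory is constructed for the demo; the `jquery/` and `script-dir/` locations are assumptions about where different JDK javadoc versions place the file, and the file bodies are placeholder banners, not real jQuery. As Stefan notes, a hit only means the affected version is present, not that the generated pages exercise the affected code path, but presence is what scanners such as Nexus IQ report on.

```python
"""Scan a javadoc output tree for bundled jQuery copies and flag versions
older than 3.5.0, the release that fixed CVE-2020-11023."""
import os
import re
import tempfile

# CVE-2020-11023 affects jQuery releases before 3.5.0.
FIXED_IN = (3, 5, 0)

# Version banner found at the top of both the readable and the minified builds,
# e.g. "/*! jQuery v3.3.1 | ..." or " * jQuery JavaScript Library v3.3.1".
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")
# Fallback: javadoc names the bundled copy after its version (jquery-3.3.1.min.js).
NAME_RE = re.compile(r"^jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js$", re.IGNORECASE)


def parse_jquery_version(path, head):
    """Return (major, minor, patch) for a jQuery file, or None if it is not jQuery."""
    m = BANNER_RE.search(head) or NAME_RE.match(os.path.basename(path))
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when the version predates the CVE-2020-11023 fix (tuple comparison)."""
    return version < FIXED_IN


def scan_tree(root):
    """Walk a javadoc output tree and report every bundled jQuery copy found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(512)  # the banner sits in the first few hundred bytes
            version = parse_jquery_version(path, head)
            if version is None:
                continue  # some other script (search.js, jquery-ui.js, ...)
            findings.append({
                "path": os.path.relpath(path, root),
                "version": ".".join(map(str, version)),
                "vulnerable": is_vulnerable(version),
            })
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample tree: file names and banners only, with placeholder bodies.
# The directory layout is an assumption about javadoc output, not taken from the JDK.
SAMPLE_FILES = {
    "jquery/jquery-3.3.1.min.js": "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */\n",
    "jquery/jquery-3.3.1.js": "/*!\n * jQuery JavaScript Library v3.3.1\n */\n",
    "script-dir/jquery-3.5.1.min.js": "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */\n",
    "search.js": "// javadoc search script, not jQuery\n",
}


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample tree, scan it, print one line per finding, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
        for f in findings:
            status = "VULNERABLE (< 3.5.0)" if f["vulnerable"] else "ok"
            print(f"{f['path']}: jQuery {f['version']} {status}")
        return findings


if __name__ == "__main__":
    demo()
```

To use it on a real distribution, unpack the binary archive and call `scan_tree()` on its `manual/api` directory instead of the constructed sample; anything reported as vulnerable is what a dependency scanner will flag.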