Posted to dev@felix.apache.org by "Christanto (JIRA)" <ji...@apache.org> on 2018/08/06 14:19:00 UTC
[jira] [Comment Edited] (FELIX-5893) Security bug CVE-2015-9251
[ https://issues.apache.org/jira/browse/FELIX-5893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16570257#comment-16570257 ]
Christanto edited comment on FELIX-5893 at 8/6/18 2:18 PM:
-----------------------------------------------------------
The attached FELIX-5893.diff will update jquery to version 3. Since version 3 is not fully compatible with 1.x, we have to use jquery-migrate.
I tested manually and it seems to be working nicely.
Also note that jquery-ui is not upgraded. There were styling glitches when I tried that.
was (Author: christanto):
The attached FELIX-5893.diff will update jquery to version 3. Since version 3 is not fully compatible with 1.x, we have to use jquery-migrate.
I tested manually and it seems to be working nicely.
> Security bug CVE-2015-9251
> --------------------------
>
> Key: FELIX-5893
> URL: https://issues.apache.org/jira/browse/FELIX-5893
> Project: Felix
> Issue Type: Bug
> Components: Console
> Affects Versions: webconsole-4.3.4
> Reporter: Varun Ganesh
> Priority: Major
> Attachments: FELIX-5893.diff
>
>
> Hi Experts,
> In our product we are using Sling version 6 in one of our releases. (Working on migration to Sling 10 for next versions.)
> Recently we came across a security bug CVE-2015-9251.
> (CVE-2015-9251 is a vulnerability that allows an attacker to execute arbitrary code when text/javascript responses are received from cross-origin ajax requests not containing the option `dataType`. Its CVSS score is 6.1 in NVD.)
>
> To fix this, an upgrade of jQuery to versions greater than 3.0.0 is required.
>
> In our product we are using felix web console dependency which contains jQuery of version 1.3.2.js.
>
> As part of the fix for the security bug we need to upgrade the jQuery in the jars that are mentioned above.
> For that we checked the latest versions for the above mentioned jars and identified that the jQuery versions are not above v3.0.0.
> So could you please help us in upgrading them as soon as possible?
>
> Thanks,
> Varun.
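An added example, not part of the issue or of the Felix code base: a Python check that lists the core jQuery copies bundled inside a jar and flags those below 3.0.0, the version the report asks for. The sample jar, its entry names and file contents are constructed, and `scan_jar` and `build_sample_jar` are hypothetical names.

```python
import io
import re
import zipfile

FIXED = (3, 0, 0)  # the issue asks for jQuery 3.0.0 or later
# Core jQuery names such as jquery-1.3.2.js or jquery-3.3.1.min.js. Plugin
# files (jquery-ui-*, jquery-migrate-*) do not match and are not reported.
NAME_RE = re.compile(r"(?:^|/)jquery-(\d+(?:\.\d+){1,2})(?:\.min)?\.js$", re.I)
# Release banners: "jQuery JavaScript Library v1.3.2" and "/*! jQuery v3.3.1 |".
BANNER_RE = re.compile(rb"jQuery (?:JavaScript Library )?v(\d+(?:\.\d+){1,2})\b")

def scan_jar(jar_bytes):
    """Return (entry, version, needs_upgrade) for each core jQuery copy."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.lower().endswith(".js"):
                continue
            with jar.open(info) as fh:
                hit = BANNER_RE.search(fh.read(2048))  # banner is at the top
            text = hit.group(1).decode() if hit else None
            if text is None:  # banner stripped: fall back to the file name
                named = NAME_RE.search(info.filename)
                text = named.group(1) if named else None
            if text:
                # Pad two-part versions ("1.4" -> 1.4.0) before comparing.
                version = tuple(int(p) for p in (text + ".0").split(".")[:3])
                findings.append((info.filename, version, version < FIXED))
    return findings

def build_sample_jar():
    """Constructed in-memory jar; entry names and contents are made up."""
    entries = {
        "js/jquery-1.3.2.js": b"/*!\n * jQuery JavaScript Library v1.3.2\n */",
        "js/jquery-3.3.1.min.js": b"/*! jQuery v3.3.1 | constructed */",
        "js/jquery-ui-1.7.2.js": b"/* jQuery UI 1.7.2 */",
        "js/jquery-migrate-3.0.1.js": b"/*! jQuery Migrate v3.0.1 */",
        "js/lib.js": b"/*! jQuery v1.12.4 | renamed copy */",
        "js/jquery-2.2.4.min.js": b"!function(a,b){}(window);",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, version, needs_upgrade in scan_jar(build_sample_jar()):
        print(entry, ".".join(map(str, version)), "UPGRADE" if needs_upgrade else "ok")
```

The banner is checked before the file name so that a renamed copy is still reported, and jquery-ui and jquery-migrate files are skipped because they carry their own version numbers.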