[ https://issues.apache.org/jira/browse/HBASE-28832?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nihal Jain updated HBASE-28832:
-------------------------------
    Description: 
Bootstrap 3.4.1 was released on 13 Feb, 2019 and there has been no new 3.x 
release since then. This version of Bootstrap has multiple medium CVEs reported 
recently. 
See [https://security.snyk.io/package/npm/bootstrap/3.4.1] for details.

CVE List:
 * [https://www.cve.org/CVERecord?id=CVE-2024-6484]
 * [https://www.cve.org/CVERecord?id=CVE-2024-6485]

Related Github Issue/Advisory:
 * [https://github.com/twbs/bootstrap/issues/40692]

Based on snyk.io, the only non-vulnerable version seems to be in the 5.x line.
Upgrading from 3.x to 4.x itself would be substantial work. So maybe we would 
have to move step by step, i.e. migrate from 3.x to 4.x and then 4.x to 5.x.

This JIRA is to capture all sub-tasks needed to achieve the same.

  was:
Bootstrap 3.4.1 was released on 13 Feb, 2019 and there has been no new 3.x 
release since then. This version of Bootstrap has multiple medium CVEs reported 
recently. 
See https://security.snyk.io/package/npm/bootstrap/3.4.1 for details.

CVE List:
* https://www.cve.org/CVERecord?id=CVE-2024-6484
* https://www.cve.org/CVERecord?id=CVE-2024-6485

Based on snyk.io, the only non-vulnerable version seems to be in the 5.x line.
Upgrading from 3.x to 4.x itself would be substantial work. So maybe we would 
have to move step by step, i.e. migrate from 3.x to 4.x and then 4.x to 5.x. 

This JIRA is to capture all sub-tasks needed to achieve the same.


> Upgrade from bootstrap 3.4.1 to {a_non_vulnerable_version}
> ----------------------------------------------------------
>
>                 Key: HBASE-28832
>                 URL: https://issues.apache.org/jira/browse/HBASE-28832
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, UI
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>
> Bootstrap 3.4.1 was released on 13 Feb, 2019 and there has been no new 3.x 
> release since then. This version of Bootstrap has multiple medium CVEs 
> reported recently. 
> See [https://security.snyk.io/package/npm/bootstrap/3.4.1] for details.
> CVE List:
>  * [https://www.cve.org/CVERecord?id=CVE-2024-6484]
>  * [https://www.cve.org/CVERecord?id=CVE-2024-6485]
> Related Github Issue/Advisory:
>  * [https://github.com/twbs/bootstrap/issues/40692]
> Based on snyk.io, the only non-vulnerable version seems to be in the 5.x line.
> Upgrading from 3.x to 4.x itself would be substantial work. So maybe we 
> would have to move step by step, i.e. migrate from 3.x to 4.x and then 4.x to 
> 5.x.
> This JIRA is to capture all sub-tasks needed to achieve the same.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
