[ https://issues.apache.org/jira/browse/OFBIZ-13339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18073193#comment-18073193 ]

ASF subversion and git services commented on OFBIZ-13339:
---------------------------------------------------------

Commit 244da72bbdca032e673b0abc71a7849eefcef21a in ofbiz-plugins's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=244da72bb ]

Fixed: jsgantt-improved blocks qs.js update (OFBIZ-13339)

We recently completely removed the Gantt feature in the project application because
it had multiple serious security issues, and we thought that it was not
maintained.

Finally, with https://github.com/jsGanttImproved/jsgantt-improved/issues/384,
the jsgantt-improved project should be safe again. At least, according to the
author of the fix, npm does not find any issue, and I can confirm that:

audited 18 packages in 0.422s
found 0 vulnerabilities

But I'm still unsure, because the security issues were reported to us by
Dependabot and not by npm. And before, npm did not alert us, maybe because it only
verifies packages in framework and application (not sure about that, I'll dig
into it).

Note also that npm and Dependabot are both GH's creations.

We will see whether Dependabot reports security issues; if it does, a revert of this
commit will be necessary again.

If it's OK, a backport to 24.09 will be done.

Thanks: Mario Mol and Claude Code


> jsgantt-improved blocks qs.js update
> ------------------------------------
>
>                 Key: OFBIZ-13339
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13339
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: projectmgr
>    Affects Versions: 24.09.05
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 24.09.06
>
>
> That's a problem because the current qs.js version used by OFBiz is vulnerable to 
> a DDOS attack. jsgantt-improved had not been updated for 3 years at least.
> This was reported by [Dependabot|https://github.com/dependabot] at 
> [https://github.com/apache/ofbiz-plugins/network/updates/1194761905]
> I copy it here because it will possibly be lost and I'm not sure everybody 
> has access.
> {quote}Dependabot cannot update qs to a non-vulnerable version
> The latest possible version that can be installed is 6.5.3 because of the 
> following conflicting dependencies:
> [email protected] requires qs@~6.5.2 via a transitive dependency on 
> [email protected]
> No patched version available for qs
> The earliest fixed version is 6.14.1.
> {quote}
>  
> Dependabot offers a hand-made solution:
> [https://github.com/advisories/GHSA-6rw7-vpxm-498p]
> The security team agreed on disabling jsgantt-improved, with information 
> for OFBiz users to allow them to enable it if they are safe from related 
> DDOS attacks, e.g. totally secured Internet access, or preferably no access 
> at all (it's DDOS)!
> I have created an issue for jsgantt-improved team at 
> [https://github.com/jsGanttImproved/jsgantt-improved/issues/384]


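The comment above notes that npm audit reported 0 vulnerabilities while Dependabot still flagged qs, and the issue description explains why: jsgantt-improved pins an old qs range through a transitive dependency, so npm can keep a second, nested copy of qs even when the hoisted one is current. The script below is an added example (not code from the OFBiz project or from the jsgantt-improved maintainers) that walks an npm lockfile (lockfileVersion 2 or 3) and reports every installed copy of qs, hoisted or nested, whose version is below 6.14.1, the earliest fixed version Dependabot named. The sample lockfile is constructed for the demonstration; the intermediate package name "hypothetical-http-client" and all versions other than 6.14.1 are assumptions, not the real plugin tree.

```javascript
// Added example (not from the OFBiz project or the jsgantt-improved author):
// walk an npm lockfile (lockfileVersion 2 or 3, which list every installed
// package under "packages" keyed by its node_modules path) and report every
// copy of a package, hoisted or nested, whose version is below the first
// fixed release. Here the package is qs and the fixed release is 6.14.1,
// the version Dependabot named in OFBIZ-13339.

// Parse "MAJOR.MINOR.PATCH" into three integers. Pre-release and build
// suffixes are dropped, so "6.14.1-beta.1" counts as 6.14.1; treat a
// pre-release hit as needing a manual look.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Package name from a lockfile key: everything after the last
// "node_modules/", which keeps scoped names such as "@scope/name" intact.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Report every installed copy of `name`. `path` is the lockfile key, so a
// nested copy reads like "node_modules/<parent>/node_modules/qs".
function findPackageCopies(lock, name, fixedVersion) {
  if (!lock.packages || typeof lock.packages !== "object") {
    throw new Error("expected lockfileVersion 2 or 3 with a top-level 'packages' map");
  }
  const copies = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "") continue;            // the root project itself
    if (packageNameFromKey(key) !== name) continue;
    if (!entry.version) continue;        // "link": true workspace entries carry no version
    copies.push({
      path: key,
      version: entry.version,
      vulnerable: compareVersions(entry.version, fixedVersion) < 0,
    });
  }
  return copies;
}

// Constructed sample lockfile. The intermediate package name and every
// version except 6.14.1 are assumptions, not the real OFBiz plugin tree.
// The hoisted qs is already fixed, but jsgantt-improved pins an old qs
// range through an intermediate dependency, so npm installs a second,
// nested copy that satisfies ~6.5.2.
const SAMPLE_LOCK = {
  name: "sample-plugin",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-plugin", dependencies: { "jsgantt-improved": "*" } },
    "node_modules/qs": { version: "6.14.1" },
    "node_modules/jsgantt-improved": {
      version: "0.0.0", // hypothetical
      dependencies: { "hypothetical-http-client": "*" },
    },
    "node_modules/hypothetical-http-client": {
      version: "1.0.0", // hypothetical
      dependencies: { qs: "~6.5.2" },
    },
    "node_modules/hypothetical-http-client/node_modules/qs": { version: "6.5.3" },
  },
};

const QS_FIXED = "6.14.1";

// Run the check over the constructed lockfile.
function auditSample() {
  return findPackageCopies(SAMPLE_LOCK, "qs", QS_FIXED);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const c of auditSample()) {
    console.log(`${c.path}\t${c.version}\t${c.vulnerable ? "VULNERABLE" : "ok"}`);
  }
}
```

To run it against a real tree, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` from the directory that owns the lockfile; npm audit and this walker both only see the lockfile in the directory they are run from, so a plugin with its own package-lock.json has to be checked separately from the framework's.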

--
This message was sent by Atlassian Jira
(v8.20.10#820010)