Followup: jQuery library update

frpet1 · 2018-04-05 12:24:20 UTC

Loaded script with known vulnerabilities: https://graylog/assets/vendor.552834c48b86209e305c.js

jquery 2.1.4 - Info: https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http://research.insecurelabs.org/jquery/test/ https://bugs.jquery.com/ticket/11974 http://research.insecurelabs.org/jquery/test/
Loaded script with known vulnerabilities: https://graylog/assets/app.e32c01d85dfc6cc7c0cd.js
bootstrap 3.3.7 - Info: https://github.com/twbs/bootstrap/issues/20184

Source: https://github.com/retirejs/retire.js/

edmundo · 2018-04-05 13:43:26 UTC

Thank you for the links!

Regarding jQuery, we already updated the library used in Graylog 3.0: https://github.com/Graylog2/graylog2-server/pull/4507
Bootstrap’s issue is unfortunately not so easy to fix for us, as there is no Bootstrap 3.x release fixing that security issue. Bootstrap 4 is backwards incompatible and we currently rely on dependencies that require Bootstrap 3: https://github.com/Graylog2/graylog2-server/pull/4601 and https://github.com/Graylog2/graylog2-server/issues/4603

frpet1 · 2018-04-05 13:55:57 UTC

NP.

Anyway, Bootstrap 3 seems to be deprecated (no activity on that branch last 9 months), so you’ll have to bite the extra effort of adjusting the code to Bootstrap 4 anyway…

/P

system · 2018-04-19 14:05:36 UTC

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.