We have found that Graylog (at least version 2.4.3-1) is using jQuery library version 2.1.4, which is marked as vulnerable by most security scanners. Also, it looks like no security updates will be provided anymore for the jQuery 1.x and 2.x libraries. Are you going to update this library in your future releases?
Thank you very much for your reply. But as far as I know, this version is not yet available in the package repository (we are using Debian on our servers). Is there a way to backport it to the 2.4.x branch? Or is an approximate release date available for Graylog 3.0.0?
I think I will be able to mark this finding as a false positive in our PCI scan by including the bugfix/pull-request ID and mentioning the fix in the new Graylog version. Of course I would appreciate a custom version, but if a new release is expected in the next 3 months, then I think we can wait for it.