Hello,
we have found that graylog (at least version 2.4.3-1) is using jquery library version 2.1.4 which is marked as vulnerable by the most of security scanners. Also it looks like it will be no security updates provided anymore to the jquery libraries 1.x and 2.x. Are you going to update this library in your future releases?
Looking forward for your reply.
Dimitri
jQuery has already been updated in the master branch (i. e. Graylog 3.0.0):
https://github.com/Graylog2/graylog2-server/pull/4507
Thank you very much for your reply. But as soon as I know this version is not yet available in the package repository (we are using Debian on our servers). Is there a way to backport it to the 2.4.x branch? Or is the approximate release date is available for Graylog 3.0.0?
There won’t be another Graylog 2.4.x release unless there’s a serious security issue (which the jQuery thing is not).
You could probably build a custom version of Graylog 2.4.x if you really need this change.
I think I will be able to mark this finding as false positive in our PCI scan by including the bugfix/pull-request ID and mentioning fix in new graylog version. Of course I would appreciate custom version, but if new release is expected in next 3 months, then I think we can wait for it.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
