action #106508

open

[opensuse][desktop][qe-core] html5test.opensuse.org provides vulnerable jquery-1.7.2.min.js

Added by lrupp about 2 years ago. Updated about 2 months ago.

Status:
Workable
Priority:
Normal
Assignee:
-
Category:
Infrastructure
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:

Description

Hi there,

I hope I'm right in expecting the main 'users' of the html5test application here. If not, feel free to redirect me to the correct place.

jQuery < 1.9.0 is vulnerable to CVE-2012-6708, but html5test.opensuse.org provides
https://html5test.opensuse.org/scripts/jquery/jquery-1.7.2.min.js

As I could not find a reference in the main page pointing to this file, I would expect that you can simply delete it. But it is also possible to upgrade to a newer version (like jquery-1.9.1.min.js).

It also seems that the page is not developed any longer (since 2018 - as mentioned here as well). Maybe it's time to check for another test page?

Our current production system works with https://github.com/openSUSE/HTML5test - any changes pushed there should end up in the production system two hours later.

Regards,
Lars

Acceptance Criteria

AC1: Remove jquery if it is not needed, or update it if it is needed. Currently, when loading the page, jquery is not loaded, so it looks like it could be removed.
AC2: Keep the page more or less working

Additional Suggestions

You may look if newer versions/forks are available, but removing the flawed jquery is priority.
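An added example (not part of the ticket and not code from the HTML5test project) of the check AC1 calls for: list every bundled jQuery file in a checkout, flag versions below the 1.9.0 threshold the description gives for CVE-2012-6708, and report whether any page or script still references the file. The sample tree, the function names and the file-name based version detection are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Threshold from the ticket: jQuery < 1.9.0 is affected by CVE-2012-6708.
FIXED_IN = (1, 9, 0)
JQUERY_FILE = re.compile(r"^jquery-(\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js$")
TEXT_SUFFIXES = {".html", ".htm", ".php", ".js", ".css"}

def audit_jquery(root):
    """One record per bundled jQuery file: path, version, vulnerable flag, referrers."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    findings = []
    for lib in files:
        m = JQUERY_FILE.match(lib.name)
        if not m:
            continue
        version = tuple(int(g or 0) for g in m.groups())
        # Referenced means: some other text asset mentions the file name.
        refs = sorted(
            p.relative_to(root).as_posix() for p in files
            if p != lib and p.suffix in TEXT_SUFFIXES
            and lib.name in p.read_text(errors="ignore"))
        findings.append({"path": lib.relative_to(root).as_posix(), "version": version,
                         "vulnerable": version < FIXED_IN, "referenced_by": refs})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(root):
    """Constructed sample layout, not the real HTML5test repository contents."""
    root = Path(root)
    (root / "scripts/jquery").mkdir(parents=True)
    (root / "scripts/jquery/jquery-1.7.2.min.js").write_text("/* placeholder */")
    (root / "scripts/jquery/jquery-1.9.1.min.js").write_text("/* placeholder */")
    (root / "index.html").write_text('<script src="scripts/base.js"></script>')
    (root / "about.html").write_text('<script src="scripts/jquery/jquery-1.9.1.min.js"></script>')

def audit_sample():
    """Run the audit against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_jquery(tmp)

if __name__ == "__main__":
    for f in audit_sample():
        action = ("update" if f["referenced_by"] else "delete") if f["vulnerable"] else "keep"
        print(f["path"], ".".join(map(str, f["version"])), action, f["referenced_by"])
```

An unreferenced file is still served to anyone who requests its URL, which is why a vulnerable file with no referrers is marked for deletion rather than ignored. Matching on file names misses renamed copies and dynamically built script URLs, so a clean result should be confirmed by loading the page after the removal, as AC2 requires.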

Actions #1

Updated by okurz about 2 years ago

  • Project changed from QA to openQA Tests
  • Subject changed from html5test.opensuse.org provides vulnerable jquery-1.7.2.min.js to [qe-core] html5test.opensuse.org provides vulnerable jquery-1.7.2.min.js
  • Category set to Infrastructure
  • Assignee changed from okurz to tjyrinki_suse

Hi lrupp, I can forward to the right people. The current product owner for the area of "core openQA tests" as described on https://progress.opensuse.org/projects/qa/wiki/Core-and-yast is Timo Jyrinki, from the SUSE internal page https://confluence.suse.com/pages/viewpage.action?spaceKey=qasle&title=QE+squads+-+structure . Sorry that I can not provide a public reference here.

@tjyrinki_suse as noted sometimes, would it be possible to again have contact persons listed on a public resource?

@tjyrinki_suse as the product owner for QE-Core html5test.opensuse.org likely falls in your domain. A fix might be as easy as deleting https://github.com/openSUSE/HTML5test/tree/version-9.0/scripts/jquery/ if the page still works as expected afterwards.

Actions #2

Updated by tjyrinki_suse about 2 years ago

  • Subject changed from [qe-core] html5test.opensuse.org provides vulnerable jquery-1.7.2.min.js to [opensuse][desktop][qe-core] html5test.opensuse.org provides vulnerable jquery-1.7.2.min.js
  • Description updated (diff)
  • Status changed from New to Workable
  • Assignee deleted (tjyrinki_suse)
  • Priority changed from High to Normal
  • Start date deleted (2022-02-10)

"[qe-core]" tag is enough to reach us, I've updated the wiki page accordingly.

We only use the html5test site a little (opening it up), but it's still part of our tests at the moment too. It may be it will be only in Desktop team's tests at some point in future.

I added acceptance criteria.

Actions #3

Updated by dheidler about 2 years ago

Who has actually access to change this page?

Actions #4

Updated by okurz about 2 years ago

dheidler wrote:

Who has actually access to change this page?

V

lrupp wrote:

Our current production system works with https://github.com/openSUSE/HTML5test - any changes pushed there should end up in the production system two hours later.

Actions #5

Updated by slo-gin about 2 months ago

This ticket was set to Normal priority but was not updated within the SLO period. Please consider picking up this ticket or just set the ticket to the next lower priority.
