[#28948] - [3.x] Backport jQuery 3.5 security fixes
- Fixed in Code Base
- 25 May 2020
- Medium
- Build: staging
- # 28948
- Diff
- SniperSister:jquery35backports
- Pending Hound Hound is busy sniffing around... Details
User tests: Successful: Unsuccessful:
The recently released JQuery 3.5.x has fixed two XSS issues. As we can't upgrade to a newer jQuery version in 3.x for BC reasons, the security team suggest to manually patch our jQuery.
As this change might have unexpected b/c implications and the vulnerability already is public and well documented, I'm opening this ticket on the public tracker.
Summary of Changes
Backported jQuery 3.5 security fixes.
Testing Instructions
Apply patch, browse various parts of the site and make sure that no JS errors show up in the browser console.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | JavaScript |
| Title |
|
||||||
I assume backporting the associated jQuery Migrate fix is beyond us? Because if so we need to really scream about this in the release notes and ideally on social media to extension devs too
If I understand the JQuery notes correctly, the backport of the compatibility layer re-introduces the issue.
I have just navigated the backend with latest Chrome, Edge and IE11 and also the emulated IE9. Is there anything special we should test here? Do we even use that function patched in core?
Do we even use that function patched in core?
That function is used everywhere because it's part of the DOM manipulation library
| Labels |
Added:
?
|
||
I have tested this item
As mention in the Testing Instructions i have applied the patch, navigated the backend and have not noticed any error message form the browser console. Thanks @SniperSister
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28948.
I have tested this item
Just tested it using Chrome.
I did not see any difference front-end/back-end in browser console.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28948.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28948.
Awesome job thanks
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-05-25 08:09:56 |
| Closed_By | ⇒ | HLeithner | |
| Labels |
Added:
?
|
||
Is it normal to still have old version of jQuery after 3.9.19 update ?
Thank's
Bonjour,
En anglais SVP. Messages should be written in english.
Is it normal to still have old version of jQuery after 3.9.19 update ?
The answer is Yes. If you take a look at the header of media/jui/js/jquery.js file, you'll find a comment talking about CVE-2020-11022 which is "the patch".
Jquery version is now v1.12.4-joomla.
@pmleconte
thank you very much for your answer.
There's a potential breaking change in the handling of self-closing tags, see:
https://jquery.com/upgrade-guide/3.5/