request #18413 Update to DOMPurify 2.2.3

Artifact

Infos

Artifact ID#18413

Submitted byThomas Gerbet (tgerbet)

Last Modified On2020-12-08 11:13

Submitted on2020-12-07 14:45

Rank19960

Details

Summary *

Update to DOMPurify 2.2.3

Original Submission

A security issue has been identified: https://github.com/cure53/DOMPurify/releases/tag/2.2.3

CategoryDependencies

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2020-12-08

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #16653	Tuleap	Releases	12.3	Delivered	2020-12-10 09:59	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #18413

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/97/20997/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 2f85ba2529

Nicolas Terray (nterray) , 2020-12-07 19:10

request #18413: Update to DOMPurify 2.2.3 0d80a90c3c

Thomas Gerbet (tgerbet) , 2020-12-07 16:11

request #18413: Update to DOMPurify 2.2.3 86c7a3ef1d

Thomas Gerbet (tgerbet) , 2020-12-07 16:42

request #18413: Update to DOMPurify 2.2.3 5ec07662f5

Thomas Gerbet (tgerbet) , 2020-12-07 16:15

Show items referenced by request #18413

Referenced by request #18413

Artifact Tracker v5

rel #16653 12.3

Other

Follow-ups

Thomas Gerbet (tgerbet)

2020-12-08 11:13

Closing.

There is still one vulnerable DOMPurify instance in the API Explorer plugin but for the vulnerability that was reported and in this context, there is no risk.
A PR has been opened upstream to allow the upgrade anyway: https://github.com/swagger-api/swagger-ui/pull/6679

Status changed from Under review to Closed
Close date set to 2020-12-08

Nicolas Terray (nterray)

2020-12-07 19:17

gerrit #20997 integrated into Tuleap 12.2.99.182
gerrit #20998 and gerrit #21000 integrated into their respective repositories.

Connected artifacts
- Added Fixed in: rel #16653

Thomas Gerbet (tgerbet)

2020-12-07 16:21

Under review: gerrit #20997, gerrit #20998 and #21000.

Status changed from Under implementation to Under review