Unfortunately I don't have a really good answer for your problem, but I
thought it might be interesting that I looked into a very similar issue
lately, which is bundled jQuery.

Plenty of applications bundle either jQuery 1 or jQuery 2, including
major applications like WordPress. They are unsupported, but jQuery 3
introduces breaking changes and thus updates aren't easy; if you have a
vast plugin ecosystem like WordPress, then it becomes almost impossible.

There are a couple of obscure CVEs in these versions that from my lay
understanding matter only in very specific circumstances. But they are
there and tools may flag them. I'm actually developing a security tool
myself that is somewhat affected by this (freewvs, optional -3
parameter [1]), where I don't really know how to handle this best.

An easy way out would be if jQuery would provide security-only updates
for their old branches, but they don't want to do that [2] and also it
seems one of the issues can't be fixed without breaking things.

