Bug 996014

Summary: VUL-0: CVE-2016-7103: rubygem-jquery-ui-rails: cross-site scripting in dialog closeText
Product: [openSUSE] openSUSE Distribution
Reporter: Alexander Bergmann <abergmann>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, astieger, smash_bz
Version: Leap 42.2
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/172205/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2016-08-29 12:02:47 UTC
+++ This bug was initially created as a clone of Bug #996004 +++

The bundled jquery-ui version in rubygem-jquery-ui-rails is also affected by this issue.

rh#1360286

It was found that jQuery-UI, a library for manipulating UI elements via jQuery, has a cross-site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If an application passes user input to this parameter, it may be vulnerable to XSS.

Upstream patch:
https://github.com/jquery/jquery-ui/pull/1622

External References:
https://nodesecurity.io/advisories/127

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1360286
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7103
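An added illustration of the sink described above (example code, not from the bug report or from jquery-ui itself): a dependency-free model of how the dialog's close-button label is built from the closeText option. It assumes the affected behaviour inserts the option value as HTML and the fixed behaviour escapes it first (the effect of jQuery's `$("<a>").text(value).html()` idiom); the sample closeText value is constructed.

```javascript
// Added example (not jquery-ui code): model of the closeText rendering
// before and after the fix, plus a check a reviewer can run over rendered
// markup to spot user-controlled labels that were interpreted as HTML.

// Minimal HTML escaping; equivalent in effect to $("<a>").text(v).html().
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Affected behaviour: the option value lands in the button as raw HTML.
function renderCloseButtonAffected(closeText) {
  return `<button class="ui-dialog-titlebar-close">${closeText}</button>`;
}

// Fixed behaviour: the value is escaped, so it can only render as text.
function renderCloseButtonFixed(closeText) {
  return `<button class="ui-dialog-titlebar-close">${escapeHtml(closeText)}</button>`;
}

// Check: does the label inside the outer <button> contain any tag?
// "true" for a user-controlled closeText is the symptom of this bug.
function labelContainsMarkup(rendered) {
  const inner = rendered
    .replace(/^<button[^>]*>/, "")
    .replace(/<\/button>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Compare both renderings for one closeText value.
function audit(closeText) {
  const affected = renderCloseButtonAffected(closeText);
  const fixed = renderCloseButtonFixed(closeText);
  return {
    affected,
    fixed,
    affectedHasMarkup: labelContainsMarkup(affected),
    fixedHasMarkup: labelContainsMarkup(fixed),
  };
}

// Constructed sample: a closeText value that happens to contain markup.
const SAMPLE_CLOSE_TEXT = "<b>Close</b>";
console.log(audit(SAMPLE_CLOSE_TEXT));
```
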

Comment 1 Alexander Bergmann 2016-08-29 12:07:27 UTC
Coolo, there was no direct bugowner in OBS. I'm assigning this to you based on entries inside the changes file.

Comment 2 Swamp Workflow Management 2016-08-29 22:00:41 UTC
bugbot adjusting priority

Comment 3 Stephan Kulow 2016-08-31 09:50:04 UTC
Sorry, but I have a script running that updates all the gems. That does not mean I'm doing maintenance for any of them.

Comment 4 Andreas Stieger 2017-05-22 19:56:33 UTC
Why is the package in the distribution then?

https://build.opensuse.org/request/show/497380

Comment 5 Andreas Stieger 2017-08-03 12:20:54 UTC
CVE-2016-7103 is fixed in jquery-ui 1.12.0.
https://nodesecurity.io/advisories/127

jquery-ui-rails 6.0.1 bundles 1.12.1 (since 6.0.0)
https://github.com/jquery-ui-rails/jquery-ui-rails/blob/master/History.md

Leap has 6.0.1

Comment 6 Andreas Stieger 2017-08-03 13:03:59 UTC
(In reply to Andreas Stieger from comment #5)
> Leap has 6.0.1

...was updated to 6.0.1
https://lists.opensuse.org/opensuse-updates/2017-05/msg00108.html