Bugzilla – Bug 996014
VUL-0: CVE-2016-7103: rubygem-jquery-ui-rails: cross-site scripting in dialog closeText
Last modified: 2017-08-03 13:03:59 UTC
+++ This bug was initially created as a clone of Bug #996004 +++

The bundled jquery-ui version in rubygem-jquery-ui-rails is also affected by this issue.

rh#1360286

It was found that jQuery-UI, a library for manipulating UI elements via jQuery, has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If an application passes user input to this parameter, it may be vulnerable to XSS.

Upstream patch:
https://github.com/jquery/jquery-ui/pull/1622

External References:
https://nodesecurity.io/advisories/127

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1360286
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7103
Coolo, there was no direct bugowner in OBS. I'm assigning this to you based on entries inside the changes file.
bugbot adjusting priority
Sorry, but I have a script running that updates all the gems. That does not mean I'm doing maintenance for any of them.
Why is the package in the distribution then? https://build.opensuse.org/request/show/497380
CVE-2016-7103 is fixed in jquery-ui 1.12.0.
https://nodesecurity.io/advisories/127

jquery-ui-rails 6.0.1 bundles 1.12.1 (since 6.0.0)
https://github.com/jquery-ui-rails/jquery-ui-rails/blob/master/History.md

Leap has 6.0.1
(In reply to Andreas Stieger from comment #5)
> Leap has 6.0.1

...was updated to 6.0.1
https://lists.opensuse.org/opensuse-updates/2017-05/msg00108.html