Security patch for xsslint fixes

Hello all,

We just released a change (patches are attached to this email) for security vulnerabilities. See the attachments for a patch for the current release and for open-release/juniper.master.

Affected repo: edx-platform
Branches: open-release/juniper.master

Without this patch, it is possible that a lot of files might be vulnerable to cross-site scripting (XSS).

This security patch uses code that escapes these vulnerabilities and fixes the xsslint issues for these files.

We advise you to patch your instances as soon as possible. We have merged the fix to our public repo.

If you have any questions, feel free to reach out to me.

Thanks,

Ali Akbar
edX Sustaining Mavericks

my_change.patch (46.0 KB)

@Ali_Akbar,
Thanks for this announcement. The patch has not been merged to open-release/juniper.master. Can you please give us a git commit sha1 that we can use to patch our platforms?

EDIT: AFAIU this patch has not been merged to the master branch, either. In the future, I think it’s important to modify the security patch process to make sure that both the current release branch and the master branch include the security patch BEFORE the vulnerability is disclosed.

Hello @regis
Thanks for your response. I made a separate PR about it that only contains the related commits here: https://github.com/edx/edx-platform-private/pull/180

Also, I made a post at the web portal for the patches to be applied on the respective release.

@Ali_Akbar Please be aware that neither of those two links is accessible for non-edX employees.

I assume this is the pull request that includes the security fixes? https://github.com/edx/edx-platform/pull/24246
This PR includes 17 commits, which makes it quite difficult to cherry-pick on an existing platform that would be based on open-release/juniper.1 (the latest stable release tag). When this gets merged in open-release/juniper.master (hopefully very soon) we are going to need an open-release/juniper.2 tag.
cc @nedbat

I’m sorry to complicate matters here. A new step has been added to the security fix procedure now, and I’ve made a PR towards juniper.master containing the changes for the fixes here
