Upcoming Security Release: xblock-drag-and-drop-v2

On Monday November 28th, we’ll be releasing version 3.0.0 of the drag-and-drop-v2 xblock. This release will contain a High level security fix as determined using CVSS.

We’re working to figure out the exact time of the release and will post that as soon as we have it.

The update will be released on 2022-11-28T15:00:00Z (15:00 UTC).

I’m sure you know this already Feanil but I’ll mention it anyway: Nutmeg currently uses xblock-drag-and-drop-v2==v2.3.5, which is much older than the current v2.6.0, so if this security issue affects Nutmeg we’ll need to make sure that v3.0.0 is compatible with the named release. I have no idea whether v2.6.0 is compatible with Nutmeg.

@regis, the v3.0.0 release is compatible with Maple and all newer versions.

Thanks for the heads-up @feanil!

Will there be separate patches released for nutmeg and olive or are we going to have to have to bump the xblock all the way to 3.0.0 in nutmeg and olive branches as well?

@mtyaka We’ll have to bump the version to 3.0.0 in nutmeg and olive.

This security fix has been published: xblock-drag-and-drop-v2 · PyPI

The updated version of the XBlock has been merged to edx-platform in master, olive and nutmeg.

• feat!: update Drag and Drop v2 XBlock to prevent XSS vulnerabilities by feanil · Pull Request #31359 · openedx/edx-platform · GitHub
• feat!: update Drag and Drop v2 XBlock to prevent XSS vulnerabilities (Nutmeg backport) by Agrendalath · Pull Request #31354 · openedx/edx-platform · GitHub
• feat!: update Drag and Drop v2 XBlock to prevent XSS vulnerabilities (Olive backport) by Agrendalath · Pull Request #31353 · openedx/edx-platform · GitHub