On Tuesday, January 24, we’ll be releasing version 7.2.2 of xblock-lti-consumer. This release will contain a Low level security fix as determined using CVSS.
Note for maintainers: The package name is lti-consumer-xblock, which differs from the repo name.
As far as the master/main branches of the edx and openedx orgs are concerned, I only see it as a direct dependency in edx/edx-exams and openedx/edx-platform.
I’m seeing this topic just now. The version of the xblock that ships with Olive is 4.5.0. Is version 4.5.0 affected by the vulnerability? If yes, can we safely upgrade to 7.2.2? In my understanding there are at least three breaking changes between 4.5.0 and 7.2.2, so it seems unlikely that we can upgrade without any problem in Olive.
@regis All versions that have LTI 1.3 Assignments and Grades Services (LTI-AGS) are affected (I think it was implemented around version 2.x).
Cherry-picking this commit or creating a new one with just the changes starting on this line fixes the issue.
Cherry-picking a commit in a 3rd-party dependency of edx-platform is really not convenient – not just in Tutor but everywhere. Can you please make a 4.5.1 release with the patch? If not then we will have to fork the dependency and I would really like to avoid doing that. It’s crucial that we make security releases for the current supported Open edX release, and that’s Olive.