I’m seeing this topic just now. The version of the xblock that ships with Olive is 4.5.0. Is version 4.5.0 affected by the vulnerability? If yes, can we safely upgrade to 7.2.2? In my understanding there are at least three breaking changes between 4.5.0 and 7.2.2, so it seems unlikely that we can upgrade without any problem in Olive.
@regis All versions that have LTI 1.3 Assignments and Grades Services (LTI-AGS) are affected (I think it was implemented around version 2.x).
Cherry-picking this commit or creating a new one with just the changes starting on this line fixes the issue.
Cherry-picking a commit in a 3rd-party dependency of edx-platform is really not convenient – not just in Tutor but everywhere. Can you please make a 4.5.1 release with the patch? If not, then we will have to fork the dependency, and I would really like to avoid doing that. It’s crucial that we make security releases for the currently supported Open edX release, and that’s Olive.