
Update jquery and nodejs#24304

Merged
istio-testing merged 4 commits into istio:master from brian-avery:masterUpdateNodeJSJquery
Jun 3, 2020

Conversation

@brian-avery
Member

@brian-avery brian-avery commented Jun 1, 2020

This updates the nodejs and jquery versions used in bookinfo. This is the master version of #24289

1.4, 1.5, and 1.6 are all based on bookinfo 1.15.0. Master advances to 1.16.0.

Testing done:

  • Manually tested that all three star versions show up when viewing the website
  • make test passes
  • No errors in the browser console.
Note that many tests expect the bookinfo images to already exist and the images do not get built in the pull request process. These tests will fail until the images exist.

This fixes:

NodeJS

  • CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
  • CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
  • CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
  • CVE-2020-11080: HTTP/2 Large Settings Frame DoS
  • CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append
  • CVE-2020-81720: TLS session reuse can lead to host certificate verification bypass

jQuery

  • CVE-2016-9251: jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
  • CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.
  • CVE-2020-11022: Potential XSS vulnerability in jQuery
  • CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption
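
The CVE-2019-11358 item above describes prototype pollution through a deep `jQuery.extend(true, ...)`. As an added illustration that is not code from this PR or from jQuery, the block below pairs a minimal deep-extend modelled on the pre-3.4.0 behaviour with a hardened one that skips the `__proto__` key, which is the guard jQuery 3.4.0 introduced; the untrusted JSON input is constructed.

```javascript
'use strict';

// jQuery's isPlainObject treats a null-prototype object (such as
// Object.prototype itself) as plain; that detail is what makes the
// pre-3.4.0 deep merge reach Object.prototype.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Vulnerable shape (assumed, modelled on jQuery < 3.4.0): reading
// target["__proto__"] on a fresh object yields Object.prototype, which
// passes isPlainObject, so the nested merge writes straight onto it.
function deepExtendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = target[key];
      target[key] = deepExtendVulnerable(isPlainObject(existing) ? existing : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened shape: the 3.4.0 fix simply refuses to merge a "__proto__" key.
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__') continue; // never let input re-point a prototype
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = target[key];
      target[key] = deepExtendSafe(isPlainObject(existing) ? existing : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample: an untrusted JSON body (JSON.parse creates an own,
// enumerable "__proto__" key) merged into a fresh settings object.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Returns true when merging the sample with extendFn leaks "isAdmin" onto
// every object; restores Object.prototype afterwards so checks stay isolated.
function pollutesPrototype(extendFn) {
  const before = ({}).isAdmin;
  extendFn({}, JSON.parse(UNTRUSTED_JSON));
  const after = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return before === undefined && after === true;
}
```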

@brian-avery brian-avery requested a review from a team as a code owner June 1, 2020 23:17
@googlebot googlebot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Jun 1, 2020
@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jun 1, 2020
@brian-avery brian-avery added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Jun 1, 2020
@istio-testing istio-testing removed the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Jun 1, 2020
@brian-avery
Member Author

Adding a cherrypick to 1.5, 1.6, and 1.4 here. Note that the images will have to be published and the hub will have to be updated for them before those can merge.

@ericvn
Contributor

ericvn commented Jun 2, 2020

LGTM - Waiting on a Node.js update.

@brian-avery
Member Author

/retest

@brian-avery
Member Author

/test integ-distroless-k8s-tests_istio

@istio-testing istio-testing merged commit be3f464 into istio:master Jun 3, 2020
@istio-testing
Collaborator

In response to a cherrypick label: #24304 failed to apply on top of branch "release-1.4":

Using index info to reconstruct a base tree...
M	samples/bookinfo/platform/consul/bookinfo.yaml
M	samples/bookinfo/platform/kube/bookinfo-db.yaml
M	samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
M	samples/bookinfo/platform/kube/bookinfo-details.yaml
M	samples/bookinfo/platform/kube/bookinfo-mysql.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings.yaml
M	samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
M	samples/bookinfo/platform/kube/bookinfo.yaml
M	samples/bookinfo/src/ratings/Dockerfile
Falling back to patching base and 3-way merge...
Auto-merging samples/bookinfo/src/ratings/Dockerfile
Auto-merging samples/bookinfo/platform/kube/bookinfo.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-mysql.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-mysql.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-details.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-details.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-db.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-db.yaml
Auto-merging samples/bookinfo/platform/consul/bookinfo.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/consul/bookinfo.yaml
error: Failed to merge in the changes.
Patch failed at 0001 Update jquery and nodejs

@istio-testing
Collaborator

In response to a cherrypick label: new issue created for failed cherrypick: #24391

@istio-testing
Collaborator

In response to a cherrypick label: #24304 failed to apply on top of branch "release-1.5":

Using index info to reconstruct a base tree...
M	samples/bookinfo/platform/consul/bookinfo.yaml
M	samples/bookinfo/platform/kube/bookinfo-db.yaml
M	samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
M	samples/bookinfo/platform/kube/bookinfo-details.yaml
M	samples/bookinfo/platform/kube/bookinfo-mysql.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings.yaml
M	samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
M	samples/bookinfo/platform/kube/bookinfo.yaml
M	samples/bookinfo/src/ratings/Dockerfile
Falling back to patching base and 3-way merge...
Auto-merging samples/bookinfo/src/ratings/Dockerfile
Auto-merging samples/bookinfo/platform/kube/bookinfo.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-mysql.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-mysql.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-details.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-details.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-db.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-db.yaml
Auto-merging samples/bookinfo/platform/consul/bookinfo.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/consul/bookinfo.yaml
error: Failed to merge in the changes.
Patch failed at 0001 Update jquery and nodejs

@istio-testing
Collaborator

In response to a cherrypick label: new issue created for failed cherrypick: #24392

@istio-testing
Collaborator

In response to a cherrypick label: #24304 failed to apply on top of branch "release-1.6":

Using index info to reconstruct a base tree...
M	samples/bookinfo/platform/consul/bookinfo.yaml
M	samples/bookinfo/platform/kube/bookinfo-db.yaml
M	samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
M	samples/bookinfo/platform/kube/bookinfo-details.yaml
M	samples/bookinfo/platform/kube/bookinfo-mysql.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
M	samples/bookinfo/platform/kube/bookinfo-ratings.yaml
M	samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
M	samples/bookinfo/platform/kube/bookinfo.yaml
M	samples/bookinfo/src/ratings/Dockerfile
Falling back to patching base and 3-way merge...
Auto-merging samples/bookinfo/src/ratings/Dockerfile
Auto-merging samples/bookinfo/platform/kube/bookinfo.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-mysql.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-mysql.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-details.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-details.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
Auto-merging samples/bookinfo/platform/kube/bookinfo-db.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/kube/bookinfo-db.yaml
Auto-merging samples/bookinfo/platform/consul/bookinfo.yaml
CONFLICT (content): Merge conflict in samples/bookinfo/platform/consul/bookinfo.yaml
error: Failed to merge in the changes.
Patch failed at 0001 Update jquery and nodejs

@istio-testing
Collaborator

In response to a cherrypick label: new issue created for failed cherrypick: #24393

nschhina pushed a commit to nschhina/istio that referenced this pull request Jun 18, 2020
* Update jquery and nodejs

* Update docker hub.

* Removed hardcoded version

* Updated to node 12.18