ID: 18686
Project: Bug reports
Category: Security
View Status: public
Last Update: 2023-03-15 11:48
Reporter: LDBV
Assigned To: (none)
Priority: none
Severity: partial_block
Status: new
Resolution: open
Product Version: 3.28.x
Summary18686: Old libraries with known security problems in LimeSurvey 3.28.53
Description

In November 2022 we ran a penetration test on our own LimeSurvey V3.28.32 server. The result was that several libraries are old and have known security problems. See https://bugs.limesurvey.org/view.php?id=18492 (closed).

In the solution of bug report 18492 we were told that with LS version 3.28.50+230221 the problem with old libraries is solved (with the exception of lodash, which could not be found).

We updated LS to version 3.28.53 and told the penetration-test crew that, with the exception of lodash, the problem with old libraries with known security problems should be solved.

Unfortunately a new penetration test had the result that 4 libraries still have security problems. Please include current library versions in a new update of LimeSurvey 3.28.

Thanks.

Select2 4.0.2
Location: /limesurvey/tmp/assets/10e53f01/js/select2.full.min.js
Known security problem: https://security.snyk.io/package/npm/select2/4.0.2
Current library version: 4.0.13
https://github.com/select2/select2/

bootstrap-switch 3.3.2
Location: /limesurvey/tmp/assets/bc285a5f/js/bootstrap-switch.min.js
Known security problem: https://security.snyk.io/package/npm/bootstrap-switch/3.3.2
There is no newer library version (without the security problem) available yet, but as soon as one is available it should be included.
https://snyk.io/advisor/npm-package/bootstrap-switch

lodash 4.17.15
Location: /limesurvey/tmp/assets/65017804/build.min/js/adminsidepanel.js
Known security problem: https://security.snyk.io/package/npm/lodash/4.17.15
Current library version: 4.17.21
https://www.npmjs.com/package/lodash?activeTab=versions

There is still one old library with no known security problems:
Bootstrap 3.4.1
Location: /limesurvey/tmp/assets/eada61fb/bootstrap.min.js
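A check one can script for this kind of finding, added here as an example and not part of the report or of LimeSurvey itself: it walks an asset tree, reads the version each bundled library states in its own file (the version patterns and the minimum-version table are assumptions derived from the versions named above), and flags anything below the fixed release or, for bootstrap-switch, any version at all.

```python
import os
import re

# Minimum version the report names as current; None = no fixed release exists yet.
MIN_FIXED = {
    "select2": (4, 0, 13),
    "lodash": (4, 17, 21),
    "bootstrap-switch": None,
}

# Where each library states its version inside a bundle (assumed patterns).
VERSION_PATTERNS = {
    "select2": re.compile(r"Select2\s+v?(\d+\.\d+\.\d+)", re.I),
    "bootstrap-switch": re.compile(r"bootstrap-switch\s*-?\s*v?(\d+\.\d+\.\d+)", re.I),
    # lodash keeps its version in a VERSION constant rather than in the banner.
    "lodash": re.compile(r"lodash[\s\S]*?VERSION\s*=\s*['\"](\d+\.\d+\.\d+)['\"]", re.I),
}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def find_libraries(js_source):
    """Return {library: version tuple} for every known library found in js_source."""
    found = {}
    for name, pattern in VERSION_PATTERNS.items():
        match = pattern.search(js_source)
        if match:
            found[name] = parse_version(match.group(1))
    return found


def outdated(found):
    """List (library, version, minimum) for each library below its fixed version.
    A library with no fixed release yet is reported whatever its version."""
    return [(name, ver, MIN_FIXED.get(name)) for name, ver in found.items()
            if MIN_FIXED.get(name) is None or ver < MIN_FIXED[name]]


def scan_tree(root):
    """Walk an asset tree (e.g. /limesurvey/tmp/assets) and map path -> outdated hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".js"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = outdated(find_libraries(fh.read()))
                if hits:
                    report[path] = hits
    return report


# Constructed sample bundle headers mimicking the files named in the report.
SAMPLE_BUNDLES = {
    "select2.full.min.js": "/*! Select2 4.0.2 | https://github.com/select2/select2/blob/master/LICENSE.md */",
    "bootstrap-switch.min.js": "/* bootstrap-switch - v3.3.2 * http://www.bootstrap-switch.org */",
    "adminsidepanel.js": "/** @license lodash lodash.com/license */ var n={};n.VERSION=\"4.17.15\";",
}
```

Run `scan_tree("/limesurvey/tmp/assets")` on a real install to reproduce the report's findings; `outdated(find_libraries(src))` over the constructed samples flags all three.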

Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): 3.28.53+230314
I will donate to the project if issue is resolved: No
Browser: Independent of Browser
Database type & version: MySQL 5.7.40
Server OS (if known): SUSE Linux Enterprise Server 12 SP5
Webserver software & version (if known): Apache 2.4.51-35.19.1
PHP Version: 7.0.7-50.105.1

Activities

LDBV (reporter), 2023-03-15 11:48, note ~74120

Meanwhile we have Apache 2.4.51-35.22.1 as webserver.

Issue History

Date Modified | Username | Field | Change
2023-03-15 11:41 LDBV New Issue
2023-03-15 11:44 LDBV Issue Monitored: LDBV
2023-03-15 11:44 LDBV Bug heat 250 => 252
2023-03-15 11:48 LDBV Note Added: 74120
2023-03-15 11:48 LDBV Bug heat 252 => 254