From 0e8f55798c5eeb745edf4d4a003d746f209e1a5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9gis=20Behmo?= Date: Tue, 29 Nov 2022 08:45:56 +0100 Subject: [PATCH] sec: fix XSS vulnerability in drag-n-drop v2 xblock Vulnerability is fixed by upgrading the xblock from v2.3.5 to v3.0.0. See announcement: https://discuss.openedx.org/t/upcoming-security-release-xblock-drag-and-drop-v2/8768 --- changelog.d/20221129_083631_regis_sec_drag_n_drop.md | 1 + tutor/templates/build/openedx/Dockerfile | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 changelog.d/20221129_083631_regis_sec_drag_n_drop.md diff --git a/changelog.d/20221129_083631_regis_sec_drag_n_drop.md b/changelog.d/20221129_083631_regis_sec_drag_n_drop.md new file mode 100644 index 0000000..66459a1 --- /dev/null +++ b/changelog.d/20221129_083631_regis_sec_drag_n_drop.md @@ -0,0 +1 @@ +- [Security] Apply drag-n-drop v2 xblock [security patch](https://discuss.openedx.org/t/upcoming-security-release-xblock-drag-and-drop-v2/8768/7). (by @regisb) diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile index 371b280..1894db7 100644 --- a/tutor/templates/build/openedx/Dockerfile +++ b/tutor/templates/build/openedx/Dockerfile @@ -56,6 +56,9 @@ RUN curl -fsSL https://github.com/overhangio/edx-platform/commit/3f0f9eed42.patc # Fix XSS vulnerability on "next" parameter # https://github.com/overhangio/edx-platform/tree/overhangio/sec-redirect-xss RUN curl -fsSL https://github.com/overhangio/edx-platform/commit/e16f8c0986.patch | git am +# Fix drag-n-drop v2 xblock vulnerability +# https://github.com/openedx/edx-platform/pull/31354 +RUN curl -fsSL https://github.com/overhangio/edx-platform/commit/527b4993ae.patch | git am {%- endif %} {# Example: RUN curl -fsSL https://github.com/openedx/edx-platform/commit/ | git am #}
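Review bot: in the Dockerfile hunk, the comment above the new RUN line cites openedx/edx-platform PR 31354, but the patch itself is fetched from the overhangio fork commit 527b4993ae, and neither the comment nor the changelog entry records what the commit message states, namely that the fix is the upgrade of the xblock from v2.3.5 to v3.0.0. Suggest making the comment self-describing so a reader can check that the fork commit matches the upstream PR, e.g. `# Fix XSS in drag-n-drop v2 xblock: upgrade xblock-drag-and-drop-v2 2.3.5 -> 3.0.0 (backport of openedx/edx-platform#31354)`. As with the two preceding RUN lines, the patch is pulled at image build time by an abbreviated commit hash with no integrity check; the full 40-character hash would pin it unambiguously. Minor: the changelog entry links to `.../8768/7` while the commit message links to `.../8768`; pick one.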