YUI library security risk

by Paul M -
Number of replies: 6

We've recently paid for a security assessment on our Moodle offering to clients (core Moodle with various bespoke plugins). The YUI library has been flagged as a security risk because it's an old JavaScript library that is no longer maintained. I can't find any information on this, but are YUI vulnerabilities patched by the Moodle community, or is it viewed as an accepted risk until the old YUI code has been converted to ES6? And how much of a risk is this? I would welcome anyone's thoughts on this.

Thanks in advance
Paul

Average of ratings: -
In reply to Paul M

Re: YUI library security risk

by Marcus Green -
My view is that I worry more about security issues with new software than old software, because there has been more time to identify issues with older software. Generally when software is no longer maintained there is a period of security only updates (I don't know if that is true of YUI). That means that during that period with no new features there will be no new feature code to introduce new bugs. You can get an idea of how seriously the creators of Moodle take security in this forum
https://moodle.org/mod/forum/view.php?id=7128

I would dearly like to see the last vestige of YUI removed from Moodle as it was always "a framework too far" for me. But I don't want it set as the highest of priority and cause other progress to be delayed.
Average of ratings: Useful (3)
In reply to Marcus Green

Re: YUI library security risk

by Brian walker -
> I don't want it set as the highest of priority and cause other progress to be delayed.
I understand kicking the can down the road, but it's been 7 years and aren't we running out of road? A lot of organizations just won't permit unsafe-eval headers... for good reason. Case in point: https://moodle.org/mod/forum/discuss.php?d=434639
Average of ratings: Useful (1)
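The post above refers to the 'unsafe-eval' source expression in a Content-Security-Policy header, which a site has to keep in place for legacy libraries that build code at runtime via eval() or new Function(). The following is an added example, not code from this thread or from Moodle: a small CSP header parser that reports whether the effective script policy still permits eval-style execution, with two constructed sample headers (one permissive, one strict). Function names (parseCsp, effectiveScriptSrc, assessScriptPolicy) and the sample header values are assumptions chosen for this example.

```javascript
// Added example: check a Content-Security-Policy header for eval-style script permissions.
// Not part of the original thread or of Moodle; names and sample headers are constructed.

// Split a CSP header into a map of directive name -> array of source expressions.
// Per the CSP spec, the first occurrence of a directive wins and later duplicates are ignored.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...values] = tokens;
    const name = rawName.toLowerCase();
    if (!(name in policy)) {
      policy[name] = values;
    }
  }
  return policy;
}

// script-src governs scripts; if absent, default-src applies; if both are absent,
// scripts are unrestricted.
function effectiveScriptSrc(policy) {
  if (policy['script-src']) return policy['script-src'];
  if (policy['default-src']) return policy['default-src'];
  return null;
}

// Returns { allowsEval, findings } describing how permissive the script policy is.
function assessScriptPolicy(header) {
  const policy = parseCsp(header);
  const src = effectiveScriptSrc(policy);
  const findings = [];

  if (src === null) {
    findings.push('no script-src or default-src: scripts are unrestricted');
    return { allowsEval: true, findings };
  }

  const lower = src.map((v) => v.toLowerCase());
  const allowsEval = lower.includes("'unsafe-eval'");
  if (allowsEval) {
    findings.push("'unsafe-eval' present: eval()/new Function() is permitted for scripts");
  }

  // CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash source is also listed,
  // so only flag it when no such source is present.
  const hasNonceOrHash = lower.some(
    (v) => v.startsWith("'nonce-") || v.startsWith("'sha256-") ||
           v.startsWith("'sha384-") || v.startsWith("'sha512-")
  );
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' present without nonce/hash: inline scripts are permitted");
  }

  if (lower.includes('*')) {
    findings.push("wildcard '*' source: scripts may load from any origin");
  }

  return { allowsEval, findings };
}

// Constructed sample headers: the first is the kind of policy a legacy eval-dependent
// library forces a site to keep; the second is a strict, nonce-based policy.
const PERMISSIVE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'";

// Stand-alone usage: print the assessment of both sample headers.
for (const header of [PERMISSIVE_CSP, STRICT_CSP]) {
  const result = assessScriptPolicy(header);
  console.log(header);
  console.log('  allowsEval:', result.allowsEval);
  for (const f of result.findings) console.log('  -', f);
}
```

Run it with node; the permissive header is reported as allowing eval with three findings, the strict header as allowing neither eval nor inline scripts. Pointing assessScriptPolicy at the actual response header of a site is a quick way to confirm whether the 'unsafe-eval' requirement discussed above is still in force.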
In reply to Paul M

Re: YUI library security risk

by Tim Hunt -
I am pretty sure that Andrew Lyons has given a good answer to this question before. Try https://moodle.org/mod/forum/discuss.php?d=401257#p1619019 - although it does not specifically address the security question.

The simple answer is that since YUI is no longer supported upstream, we do have to patch any security issues found ourselves. This has been done in the past, but it does not happen very often. (Checking through the history at https://moodle.org/security/ would get you the stats for exactly how often.)
In reply to Tim Hunt

Re: YUI library security risk

by Paul M -
Thanks Tim, that's a very useful post.