YUI library security risk

Paul M -
Replies: 6

We've recently paid for a security assessment on our Moodle offering to clients (core Moodle with various bespoke plugins). The YUI library has been flagged as a security risk because it's an old Javascript library that is no longer maintained. I can't find any information on this but are YUI vulnerabilities patched by the Moodle community, or is it viewed as an accepted risk until the old YUI code has been converted to ES6? And how much of a risk is this? I would welcome anyone's thoughts on this.

Thanks in advance
Paul

Re: YUI library security risk

Marcus Green -
My view is that I worry more about security issues with new software than old software, because there has been more time to identify issues with older software. Generally when software is no longer maintained there is a period of security only updates (I don't know if that is true of YUI). That means that during that period with no new features there will be no new feature code to introduce new bugs. You can get an idea of how seriously the creators of Moodle take security in this forum
https://moodle.org/mod/forum/view.php?id=7128

I would dearly like to see the last vestige of YUI removed from Moodle as it was always "a framework too far" for me. But I don't want it set as the highest of priority and cause other progress to be delayed.
Re: YUI library security risk

Brian walker -
> I don't want it set as the highest of priority and cause other progress to be delayed.
I understand kicking the can down the road, but it's been 7 years and aren't we running out of road? A lot of organizations just won't permit unsafe-eval headers... for good reason. Case in point: https://moodle.org/mod/forum/discuss.php?d=434639
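Brian's point about "unsafe-eval headers" refers to the `'unsafe-eval'` keyword in a `Content-Security-Policy` response header, which is what lets a page run `eval()`-style code. The following is an added example, not code from this thread or from Moodle: a small checker that parses a CSP header string and reports whether the effective script policy permits eval, applying the browser rule that `script-src` governs scripts and `default-src` is only the fallback when `script-src` is absent. The sample policies are constructed for illustration.

```javascript
// Added example (not from the thread): parse a Content-Security-Policy header
// and report whether eval()-style script execution is permitted.

// Split "name value value; name value" into a Map of directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...values] = tokens;
    const name = rawName.toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore later duplicates.
    if (!directives.has(name)) directives.set(name, values);
  }
  return directives;
}

// script-src controls script sources; default-src applies only when script-src is absent.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null; // neither directive present: scripts are unrestricted
}

// True when the policy (or lack of one) lets the page call eval()/new Function().
function allowsEval(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies for demonstration.
const POLICY_LEGACY = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'";
const POLICY_STRICT = "default-src 'self'; script-src 'self' 'nonce-abc123'";
const POLICY_FALLBACK = "default-src 'self' 'unsafe-eval'";
const POLICY_NO_SCRIPT_RULE = "img-src 'self'";

for (const [label, policy] of Object.entries({ POLICY_LEGACY, POLICY_STRICT, POLICY_FALLBACK, POLICY_NO_SCRIPT_RULE })) {
  console.log(`${label}: eval ${allowsEval(policy) ? 'ALLOWED' : 'blocked'}`);
}
```

Running the checker against a site's actual header shows which side of Brian's line it falls on: a policy that must carry `'unsafe-eval'` to keep legacy scripts working cannot be tightened until that dependency is gone.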
Re: YUI library security risk

Tim Hunt -
I am pretty sure that Andrew Lyons has given a good answer to this question before. Try https://moodle.org/mod/forum/discuss.php?d=401257#p1619019 - although it does not specifically address the security question.

The simple answer is that since YUI is no longer supported upstream, we do have to patch any security issues found ourselves. This has been done in the past, but it does not happen very often. (Checking through the history at https://moodle.org/security/ would get you the stats for exactly how often.)