vfremaux / moodle-local_vflibs

Complementary libraries for all VF series plugins

Included libraries need to be upgraded. #1

Open otatarintseva opened 5 years ago

otatarintseva commented 5 years ago

Hello, we wanted to use this plugin, but found some included libraries in old versions. Some of them have newer versions with security updates. The libraries are listed below:

  • jQWidgets (jquery): used version 4.1.2 (April 28, 2016), latest version 6.0.6 (August 13, 2018), https://www.jqwidgets.com/tag/jqwidgets/
  • tcpdf: used version 3 (29 June 2007), latest version 6.2.25, https://github.com/tecnickcom/TCPDF/blob/master/CHANGELOG.TXT. Security-related changelog entries:
      • 6.2.22: Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data.
      • 6.2.19: Merge various fixes for PHP 7.3 compatibility and security.
      • 6.2.0 (2014-12-10): Bug #1005 "Security Report, LFI posting internal files externally abusing default parameter" was fixed.
      • 6.0.093 (2014-09-02): Security fix: some serialize/unserialize methods were replaced with json_encode/json_decode to avoid a potential object injection with user supplied content. Thanks to ownCloud Inc. for reporting this issue. ...
  • timeline_api_2.3.0: used version 2.3.0, latest version 2.3.1 and pre 2.4.0, https://github.com/simile-widgets/timeline
  • xpdf: used version 3.02 (2007-feb-27), latest version 4.00 (2017-aug-10), http://www.xpdfreader.com/download.html. Changelog: Fixed a security hole in SecurityHandler.cc (uninitialized variables). This vulnerability was discovered by Kushal Shah of Fortinet's FortiGuard Labs. Fixed a security hole in Function.cc (write past end of array). Fixed a security hole with the use of d0/d1 operators outside of a Type3 CharProc [CVE-2016-9027].

We also want to report one file-structure issue: local/vflibs/timelinelib.php lines 153, 157, 161 use mkdir($CFG->dataroot.'/'.$COURSE->id.'/...', 0777). It should make temporary folders in $CFG->dataroot.'/temp' since Moodle 2.0: https://docs.moodle.org/21/en/Creating_Moodle_site_data_directory/Data_directory
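The directory-creation point in the report, as an added example (this is not code from local_vflibs): the reported pattern beside a form that keeps scratch data under $CFG->dataroot/temp through Moodle's make_temp_directory() helper from lib/setuplib.php. The two function names and the 'timeline' sub-path are assumptions made for the example.

```php
<?php
// Added example, not code from local_vflibs: the mkdir pattern named in the
// report next to a version that follows Moodle's data-directory conventions.
defined('MOODLE_INTERNAL') || die();

// Reported pattern: a per-course directory created directly under dataroot,
// world-writable (0777), with mkdir()'s return value ignored, so a failed
// creation is only noticed when a later write fails.
function vflibs_timeline_dir_reported($courseid) {
    global $CFG;
    $dir = $CFG->dataroot . '/' . $courseid . '/timeline';
    mkdir($dir, 0777);
    return $dir;
}

// Suggested form: temporary data goes under $CFG->dataroot/temp via
// make_temp_directory(), which applies $CFG->directorypermissions instead of
// a hard-coded 0777 and throws (second argument true) when the directory
// cannot be created, so callers never continue with a missing path.
function vflibs_timeline_dir_fixed($courseid) {
    // The relative sub-path is an assumption; it is created below
    // $CFG->dataroot/temp. Casting the id keeps the path free of unexpected
    // characters should the caller pass something other than an integer.
    $relative = 'local_vflibs/timeline/' . (int) $courseid;
    return make_temp_directory($relative, true);
}
```

Because make_temp_directory() resolves the path itself, the calling code never concatenates $CFG->dataroot, which is what prevents ad-hoc directories from appearing beside Moodle's own filedir and cache trees.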

vfremaux commented 5 years ago

Thanks for reporting...

I'm going to schedule a security-purposed refactor of VFlibs asap

Cheers! Valery

On Wed, 24 Oct 2018 at 17:12, otatarintseva notifications@github.com wrote:

Hello, we wanted to use this plugin, but found some included libraries in old versions. Some of them have newer versions with security updates. The libraries are listed below:

  • jQWidgets (jquery): used version 4.1.2 (April 28, 2016), latest version 6.0.6 (August 13, 2018), https://www.jqwidgets.com/tag/jqwidgets/
  • tcpdf: used version 3 (29 June 2007), latest version 6.2.25, https://github.com/tecnickcom/TCPDF/blob/master/CHANGELOG.TXT. Security-related changelog entries:
      • 6.2.22: Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data.
      • 6.2.19: Merge various fixes for PHP 7.3 compatibility and security.
      • 6.2.0 (2014-12-10): Bug #1005 "Security Report, LFI posting internal files externally abusing default parameter" was fixed.
      • 6.0.093 (2014-09-02): Security fix: some serialize/unserialize methods were replaced with json_encode/json_decode to avoid a potential object injection with user supplied content. Thanks to ownCloud Inc. for reporting this issue. ...
  • timeline_api_2.3.0: used version 2.3.0, latest version 2.3.1 and pre 2.4.0, https://github.com/simile-widgets/timeline
  • xpdf: used version 3.02 (2007-feb-27), latest version 4.00 (2017-aug-10), http://www.xpdfreader.com/download.html. Changelog: Fixed a security hole in SecurityHandler.cc (uninitialized variables). This vulnerability was discovered by Kushal Shah of Fortinet's FortiGuard Labs. Fixed a security hole in Function.cc (write past end of array). Fixed a security hole with the use of d0/d1 operators outside of a Type3 CharProc [CVE-2016-9027].

We also want to report one file-structure issue: local/vflibs/timelinelib.php lines 153, 157, 161 use mkdir($CFG->dataroot.'/'.$COURSE->id.'/...', 0777). It should make temporary folders in $CFG->dataroot.'/temp' since Moodle 2.0: https://docs.moodle.org/21/en/Creating_Moodle_site_data_directory/Data_directory

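The library list in the report is, in effect, an inventory of bundled third-party code checked against the first release carrying a given fix. As an added example (not code from local_vflibs), the check below reads the thirdpartylibs.xml format Moodle plugins use to declare bundled libraries and flags entries below a minimum version. The XML document is constructed for the example and the floors are taken from the versions quoted in the issue (tcpdf 6.2.22 as the first release with the phar:// unserialize fix, jQWidgets 6.0.6 as the latest release named); whether local_vflibs ships a thirdpartylibs.xml at all is an assumption.

```php
<?php
// Added example, not code from local_vflibs: list bundled libraries declared
// in a Moodle plugin's thirdpartylibs.xml and report those below a known
// minimum version. Run from the command line: php check_thirdparty.php

// Constructed sample in the thirdpartylibs.xml layout (one <library> per
// bundled component). Versions mirror the "used version" figures in the issue.
$thirdpartylibs = <<<XML
<?xml version="1.0"?>
<libraries>
  <library>
    <location>tcpdf</location>
    <name>TCPDF</name>
    <version>3.0</version>
    <license>LGPL</license>
  </library>
  <library>
    <location>jqwidgets</location>
    <name>jQWidgets</name>
    <version>4.1.2</version>
    <license>Commercial</license>
  </library>
</libraries>
XML;

// Minimum acceptable versions, keyed by the <name> element. These floors are
// taken from the issue text; extend the map as further advisories are tracked.
$minimums = [
    'TCPDF'     => '6.2.22',
    'jQWidgets' => '6.0.6',
];

/**
 * Compare each declared library against its floor.
 * Returns one human-readable finding per library that is too old.
 */
function vflibs_check_thirdparty_versions(string $xml, array $minimums): array {
    $findings = [];
    $doc = new SimpleXMLElement($xml);
    foreach ($doc->library as $lib) {
        $name     = (string) $lib->name;
        $version  = (string) $lib->version;
        $location = (string) $lib->location;
        if (!isset($minimums[$name])) {
            continue; // No floor recorded for this library; nothing to compare.
        }
        // version_compare() understands dotted release strings such as 6.2.22.
        if (version_compare($version, $minimums[$name], '<')) {
            $findings[] = sprintf('%s %s in %s/ is below the minimum %s',
                $name, $version, $location, $minimums[$name]);
        }
    }
    return $findings;
}

foreach (vflibs_check_thirdparty_versions($thirdpartylibs, $minimums) as $finding) {
    echo $finding, PHP_EOL;
}
```

With the constructed input both entries are reported, since 3.0 is below 6.2.22 and 4.1.2 is below 6.0.6. Point $thirdpartylibs at the real file with file_get_contents() to run the same check against an installed plugin.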