overhangio/tutor

Security patching for Quince

cmltaWt0 opened this issue · 6 comments

This is a Quince security patching request.

@ormsbee published a security advisory last week (forums post here).

The fix was merged to master and backported to redwood and quince master branches.
open-release/quince.master: fix: prevent setting user attributes from JWT in Studio · openedx/edx-platform@3ff69fd · GitHub

As discussed during the BTR WG meeting, we want to patch the edx-platform via the build process in Tutor and publish a patch release (17.0.5?).

@regisb

Just to clarify: you mentioned v16.1.9, but I think you really meant 17.0.5? We want to patch Quince, not Palm, right?

Yeah, we are going for 17.0.5. The security patch upstream has been merged to master, redwood.master, and quince.master. We don't need any action for palm.

@regisb @DawoudSheraz My bad. 17.0.5 👍
I've updated the description.

PR for changes in Dockerfile: #1068.
Once merged, a follow-up PR will be created for the v17.0.5 release.

PR #1069 for v17.0.5 release

Solved by #1068