[ClusterLabs] jquery in pcs package

Tony Stocker akostocker at gmail.com
Wed Jul 1 13:44:56 EDT 2020


I don't know if this is properly discussed here, or if I need to
address it with Red Hat specifically. So, please bear with me if it's
the latter and not the former.

Running pacemaker + pcs on CentOS-8, installed via yum from the 'High
Availability' repository. Versions: pacemaker (2.0.3-5.el8_2), pcs
(0.10.4-6.el8_2).

Today the security scanner complained about the 'jquery' version
installed as part of the pcs package, stating that due to the jquery
version (1.9.1 and 1.10.1) it was vulnerable to multiple cross-site
scripting vulnerabilities. The binaries in question live here:
/usr/lib/pcsd/public/js/jquery-1.9.1.min.js
/usr/lib/pcsd/public/js/jquery-ui-1.10.1.custom.min.js
As with most security tools, I imagine it's complaining solely based
on version number rather than checking if the binary actually contains
the vulnerabilities.

So, first question: is this jquery something that is maintained,
promulgated by/with the Pacemaker installation? Or is this something
special that Red Hat is doing when they package it?

Second, if this is a Pacemaker-maintained (not Red Hat) part of the code, is
there a reason that such an old version is used, given that the current
version is 3.5.0?

Finally, if this is a Pacemaker-maintained (not Red Hat) part of the code,
where can I find the documentation regarding the patching that's been
done to address the various cross-site scripting vulnerabilities? I'm
working under the assumption that the binary has been patched and the
vulnerabilities are no longer present, in which case I have to
document it with security. Obviously if the code has not been patched
and it's still vulnerable, that's a whole different issue.

Thanks.
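One practical check for the situation described above, added here as an example and not code from the post or the pcs project: read the version each bundled file declares in its own banner, so the scanner's file-name match can be compared with the file contents, and treat an "old" result as a prompt to check the package changelog for backported fixes rather than as proof of vulnerability. The sample files and banners are constructed to stand in for /usr/lib/pcsd/public/js/; 3.5.0 is the current version the post cites.

```shell
# Added example: read the version a bundled jQuery file declares in its banner
# instead of trusting the file name the scanner matched. Minified jQuery and
# jQuery UI keep a leading comment such as "/*! jQuery v1.9.1 ..." or
# "/*! jQuery UI - v1.10.1 ...", which is what these functions parse.

# Print the version declared in a file's jQuery banner (empty if none found).
jquery_version_of() {
    head -c 300 "$1" | sed -n 's/.*jQuery[^v]*v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Dotted-version compare: succeed (exit 0) when $1 is older than $2.
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}" y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# Report every jquery*.js in a directory; exit 1 if any declares a version
# below the floor. A hit only says the upstream version is old: whether the
# XSS fixes were backported has to be confirmed from the package changelog,
# e.g.  rpm -q --changelog pcs | grep -iE 'jquery|CVE-'
scan_js_dir() {
    dir="$1" floor="$2" rc=0
    for f in "$dir"/jquery*.js; do
        [ -f "$f" ] || continue
        v="$(jquery_version_of "$f")"
        if [ -z "$v" ]; then
            echo "$f: no jQuery banner found"
        elif version_lt "$v" "$floor"; then
            echo "$f: declares $v (older than $floor)"; rc=1
        else
            echo "$f: declares $v"
        fi
    done
    return $rc
}

# Constructed sample files standing in for /usr/lib/pcsd/public/js/ (banners are
# illustrative, not copied from the shipped files).
demo_dir="$(mktemp -d)"
printf '/*! jQuery v1.9.1 | (c) jQuery Foundation | jquery.org/license */\n(function(){})();\n' > "$demo_dir/jquery-1.9.1.min.js"
printf '/*! jQuery UI - v1.10.1 - custom build */\n(function(){})();\n' > "$demo_dir/jquery-ui-1.10.1.custom.min.js"
scan_js_dir "$demo_dir" 3.5.0 || echo "old jQuery found: check rpm -q --changelog pcs for backports"
```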

