List:       oss-security
Subject:    [oss-security] Re: CVE-2013-1942 jPlayer 2.2.19 XSS
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-04-29 19:30:09
Message-ID: 517ECA41.8080400 () redhat ! com

On 04/20/2013 11:19 AM, Mark Panaghiston wrote:
> jPlayer 2.3.0 has been released that officially fixes this issue:
> 
> http://www.jplayer.org/ https://github.com/happyworm/jPlayer
> 
> Tagged as *2.3.0* on GitHub. 
> https://github.com/happyworm/jPlayer/commit/c1c7a4dfa63bb6684d3670202e4a65d400dfce86
>
>  Full Release Notes for jPlayer 2.3.0: 
> http://www.jplayer.org/2.3.0/release-notes/
> 
> In particular these fixes addressed security issues. Listed with
> their GitHub commits for code reference:
> 
> [2.2.20] Security Fix: The Flash SWF had a security vulnerability
> that enabled XSS (Cross Site Scripting). Reported by Malte Batram.
> Security reference CVE-2013-1942
> <https://access.redhat.com/security/cve/>. 
> https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d

Sorry for the late reply. Please use CVE-2013-2022 for this issue.

> [2.2.23] Security Fix: The Flash SWF had a minor security
> vulnerability that enabled XSS (Cross Site Scripting). Reported by
> Eugene Dokukin. 
> https://github.com/happyworm/jPlayer/commit/c5fe17bb4459164bd59153b57248cf94b8867373

Please use CVE-2013-2023 for this issue.

> Best regards, Mark Panaghiston jPlayer lead developer
> 
> On 11/04/2013 20:47, Kurt Seifried wrote:
> ownCloud brought this to my attention (they use it, I'm guessing
> other people use it as well).
> 
> https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d
>
>  Please use CVE-2013-1942 for this issue. The only contact info I
> can find is hello@happyworm.com for upstream.
> 
> 
> 
> -- 
> ------------------------------------------------------------------------
> *Mark Panaghiston*
> www.happyworm.com <http://www.happyworm.com/> tel: +44 (0) 131 346
> 8088 skype: mark_panaghiston follow: @thepag
> <http://www.twitter.com/thepag/> 
> ------------------------------------------------------------------------

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993