Date: Wed, 30 Jan 2013 21:00:58 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: jQuery 1.6.2 XSS CVE assignment

http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/

Fix an XSS attack vector: User ma.la reported a common pattern that
many sites are using to select elements using location.hash that
allows someone to inject script into the page. This practice seemed
widespread enough that we decided to modify the selector recognition
to prevent script injection for the most common case. Any string
passed to $() cannot contain HTML tags (and thus no script) if it has
a "#" character preceding them. See the ticket linked above for more
information and a test case.

Please use CVE-2011-4969 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
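As an added illustration of the selector-versus-HTML ambiguity the release note describes (example code, not from this message or the jQuery project; the two regular expressions are my reconstruction of the pre- and post-1.6.3 heuristic, and the sample hash values are constructed):

```javascript
// Added example: a minimal model of how $() decides whether a string is
// HTML or a selector, before and after the 1.6.3 change. The regexes are a
// reconstruction of the heuristic, not code quoted from jQuery.

// Pre-1.6.3 heuristic: any string containing a <tag> is treated as HTML,
// even when it begins with "#", so $(location.hash) could reach the HTML path.
const HTML_OR_ID_BEFORE = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// 1.6.3 heuristic: a "#" appearing before the first "<" disqualifies the
// string from being parsed as HTML, so hash-derived input stays a selector.
const HTML_OR_ID_AFTER = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Classify a string the way $() would: "html", "id" or "selector".
function classify(input, pattern) {
  const m = pattern.exec(input);
  if (m && m[1]) return "html";             // would go to the HTML parser
  if (m && m[2] !== undefined) return "id"; // plain #id fast path
  return "selector";                        // handed to the selector engine
}

// Constructed sample values for location.hash. The tagged one stands in for
// attacker-controlled fragment content; a harmless <b> tag is used.
const SAMPLE_HASHES = ["#section-2", "#<b>bold</b>", "<p>real markup</p>"];

function classifyAll(pattern) {
  return SAMPLE_HASHES.map((h) => classify(h, pattern));
}

// Defensive pattern that does not rely on the heuristic at all: validate the
// fragment as an id and look it up directly, never passing raw input to $().
function safeTargetId(hash) {
  const id = hash.replace(/^#/, "");
  return /^[\w-]+$/.test(id) ? id : null;
}
```

With the pre-1.6.3 pattern the tagged hash is classified as HTML; with the 1.6.3 pattern it falls through to the selector engine, which is the behaviour the note describes.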