Date: Thu, 27 Jun 2013 12:57:07 -0400 (EDT) From: "Steven M. Christey" <coley@...re.org> To: oss-security@...ts.openwall.com, kseifried@...hat.com cc: Salvatore Bonaccorso <carnil@...ian.org>, Mark Panaghiston <markp@...pyworm.com>, hello@...pyworm.com Subject: Re: Re: CVE-2013-1942 jPlayer 2.2.19 XSS Kurt, Your CVE assignment posts from  and  appear to be inconsistent, and there are some questions about affected versions, so I wanted to get some clarity about which CVEs go with which issues. 1) CVE-2013-1942 - fixed in 2.2.20. Commit: e8ca190f7f972a6a421cb95f09e138720e40ed6d This one doesn't seem to have any issues. 2) CVE-2013-2022 - based on  CVE-2013-2022 is listed after a section that talks about an XSS fixed in 2.3.0 (which also includes the CVE-2013-1942 assignment). However, in  you say "CVE-2013-2022 is for jPlayer 2.2.20 XSS" but http://www.jplayer.org/2.3.0/release-notes/ says that CVE-2013-2022 is fixed in 2.2.23. (Maybe when you said 2.2.20, this also covered other unfixed versions UNTIL 2.2.23). 3) CVE-2013-2023 - in  you assign CVE-2013-2023 to the security fix that quotes the jPlayer changelog entry for 2.2.23 - which, as just mentioned in the previous bullet, you already described as being associated with CVE-2013-2022. In , you also state that CVE-2013-2023 is for jPlayer 2.2.23 XSS. 4) There is no mention of issues that are FIXED in 2.3.0 based on upstream changelog, but http://www.jplayer.org/2.4.0/release-notes/ lists fixes in both 2.3.1 and 2.3.2. 5) According to jPlayer release notes, we have: [2.3.1] Security Fix: The Flash SWF had a minor security vulnerability that enabled XSS (Cross Site Scripting). Reported by Eugene Dokukin. Security reference CVE-2013-2023. [2.3.2] Security Fix: Closed Flash SWF security vulnerability that enabled XSS (Cross Site Scripting). Reported by Eugene Dokukin. Security reference CVE-2013-2023. The jPlayer noConflict option is now restricted to strings that contain the term jQuery. For example: lib.jQuery or myjQueryRocks. [2.2.20] Security Fix: The Flash SWF had a security vulnerability that enabled XSS (Cross Site Scripting). Reported by Malte Batram. Security reference CVE-2013-1942. [2.2.23] Security Fix: The Flash SWF had a minor security vulnerability that enabled XSS (Cross Site Scripting). Reported by Eugene Dokukin. Security reference CVE-2013-2022. I'm of the mindset to use the CVE assignments as provided by jQuery upstream, but it may be good to get full clarity down to the individual commits.  http://marc.info/?l=oss-security&m=136726705917858&w=2  http://marc.info/?l=oss-security&m=136773622321563&w=2
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ