Date: Wed, 03 Jul 2013 22:31:03 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: "Steven M. Christey" <coley@...re.org>, Salvatore Bonaccorso <carnil@...ian.org>, Mark Panaghiston <markp@...pyworm.com>, hello@...pyworm.com Subject: Re: Re: CVE-2013-1942 jPlayer 2.2.19 XSS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/27/2013 10:57 AM, Steven M. Christey wrote: > > Kurt, > > Your CVE assignment posts from  and  appear to be > inconsistent, and there are some questions about affected versions, > so I wanted to get some clarity about which CVEs go with which > issues. > > 1) CVE-2013-1942 - fixed in 2.2.20. Commit: > e8ca190f7f972a6a421cb95f09e138720e40ed6d > > This one doesn't seem to have any issues. My understanding of this one is that it now filters out \\ < > = which could be previously used to insert content into the parameters passed to the SWF file resulting in XSS. > > 2) CVE-2013-2022 - based on  CVE-2013-2022 is listed after a > section that talks about an XSS fixed in 2.3.0 (which also includes > the CVE-2013-1942 assignment). However, in  you say > "CVE-2013-2022 is for jPlayer 2.2.20 XSS" but > http://www.jplayer.org/2.3.0/release-notes/ says that CVE-2013-2022 > is fixed in 2.2.23. (Maybe when you said 2.2.20, this also covered > other unfixed versions UNTIL 2.2.23). that was probably the case, I typically assume when I assign a CVE that the next release will assign it (because usually people do fix things quickly =). I was going off of http://www.jplayer.org/latest/release-notes/ when I assigned these > 3) CVE-2013-2023 - in  you assign CVE-2013-2023 to the security > fix that quotes the jPlayer changelog entry for 2.2.23 - which, as > just mentioned in the previous bullet, you already described as > being associated with CVE-2013-2022. In , you also state that > CVE-2013-2023 is for jPlayer 2.2.23 XSS. > > 4) There is no mention of issues that are FIXED in 2.3.0 based on > upstream changelog, but > http://www.jplayer.org/2.4.0/release-notes/ lists fixes in both > 2.3.1 and 2.3.2. > 5) According to jPlayer release notes, we have: > > [2.3.1] Security Fix: The Flash SWF had a minor security > vulnerability that enabled XSS (Cross Site Scripting). Reported by > Eugene Dokukin. Security reference CVE-2013-2023. > > [2.3.2] Security Fix: Closed Flash SWF security vulnerability that > enabled XSS (Cross Site Scripting). Reported by Eugene Dokukin. > Security reference CVE-2013-2023. The jPlayer noConflict option is > now restricted to strings that contain the term jQuery. For > example: lib.jQuery or myjQueryRocks. > > [2.2.20] Security Fix: The Flash SWF had a security vulnerability > that enabled XSS (Cross Site Scripting). Reported by Malte Batram. > Security reference CVE-2013-1942. > > [2.2.23] Security Fix: The Flash SWF had a minor security > vulnerability that enabled XSS (Cross Site Scripting). Reported by > Eugene Dokukin. Security reference CVE-2013-2022. > > I'm of the mindset to use the CVE assignments as provided by > jQuery upstream, but it may be good to get full clarity down to the > individual commits. Yeah, partly what happened is I was specifically asked for a cve for jplayer by the ownCloud guys, I looked at the changelog, saw a bunch more and assigned them as best I could. > >  http://marc.info/?l=oss-security&m=136726705917858&w=2 > >  http://marc.info/?l=oss-security&m=136773622321563&w=2 - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR1PqGAAoJEBYNRVNeJnmT7LkP/12lDuC26SCngF1M8jAoMLdd lyLnjlIxgtJSh1/01JzdTlLUjLoNXCslQKuDuvv9VXPNNhec3CTVF5Gpyqufwnnh 96KaUK8Bb20uBjLRISwoEnS416vZK8WG0RDpDj0jZeBL/cbhzRbJxFvOozM62FWG iHnhRGOHIUm5J+j1DK50eDaSi+gNCCNsYxrYbXzyO34EcpBb48OTDWHK0LC/jelL FvtpiDDwP7pYOMme63e5TRN5WBCwH9VcFeLFaCa8Cfabu6k4qy0IqwUU5wYDvg6C Z5zIROkVSvD1O4zWAdfZqwhpJ0bGKHdFRwQ2TphOiW2aHwOjKy58Brtrfa3qCvrB 7CNqEc9KykxkYwwsoACC6iUnW5CLxOF9Nvm0pWGEB+PZErfYDuS7o3vvDFkb5nNg pnq+icz4M4U3OxRmA1g3EiZEsCwGQzL5pOzZS9IsoofYMuZd5oUuT0N9kZV330Cj JVUvIDwNx5iUb/gpvfh3UXKD6EA2myRmVL5adbEghKh0U4UVg9Dqb20asr/fbQsE YbT2fJTdG/VMPQUA5HXXOpkPlfafDSr016TKD3OvWrhi+P9hrNKJd2A7J7zNf6Tn EM4nvCBMU02mx/aCRPdgagcPCTbjhFVC16yDcTrXaPwI/INxVdCxfnikRDxjXXdb KzQofUuEeBFRyhRySuHR =Cocf -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ