Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 29 Apr 2013 13:30:09 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Mark Panaghiston <markp@...pyworm.com>
CC: Open Source Security <oss-security@...ts.openwall.com>,
        hello@...pyworm.com
Subject: Re: CVE-2013-1942 jPlayer 2.2.19 XSS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/20/2013 11:19 AM, Mark Panaghiston wrote:
> jPlayer 2.3.0 has been released that officially fixes this issue:
> 
> http://www.jplayer.org/ https://github.com/happyworm/jPlayer
> 
> Tagged as *2.3.0* on GitHub. 
> https://github.com/happyworm/jPlayer/commit/c1c7a4dfa63bb6684d3670202e4a65d400dfce86
>
>  Full Release Notes for jPlayer 2.3.0: 
> http://www.jplayer.org/2.3.0/release-notes/
> 
> In particular these fixes addressed security issues. Listed with
> their GitHub commits for code reference:
> 
> [2.2.20] Security Fix: The Flash SWF had a security vulnerability
> that enabled XSS (Cross Site Scripting). Reported by Malte Batram.
> Security reference CVE-2013-1942
> <https://access.redhat.com/security/cve/>. 
> https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d

Sorry
> 
for the late reply. Please use CVE-2013-2022 for this issue.

> [2.2.23] Security Fix: The Flash SWF had a minor security
> vulnerability that enabled XSS (Cross Site Scripting). Reported by
> Eugene Dokukin. 
> https://github.com/happyworm/jPlayer/commit/c5fe17bb4459164bd59153b57248cf94b8867373

Please
> 
use CVE-2013-2023 for this issue.

> Best regards, Mark Panaghiston jPlayer lead developer
> 
> On 11/04/2013 20:47, Kurt Seifried wrote: ownCloud brought this to
> my intention (they use it, I'm guessing other people use it as
> well.
> 
> https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d
>
>  Please use CVE-2013-1942 for this issue. The only contact info I
> can find is hello@...pyworm.com for upstream.
> 
> 
> 
> -- 
> ------------------------------------------------------------------------
>
> 
*Mark Panaghiston*
> www.happyworm.com <http://www.happyworm.com/> tel: +44 (0) 131 346
> 8088 skype: mark_panaghiston follow: @thepag
> <http://www.twitter.com/thepag/> 
> ------------------------------------------------------------------------

- --
> 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRfspAAAoJEBYNRVNeJnmTSQsQAJSzXoKJYpLowjwVA/6hll42
Ay/q/rj94sKza/2MULvbX7ItscweRhfrD99GJZnuLBOl+ssqYsHkDk/oUqf5GfF9
F3j7hpk1cUQS6uEtCRn4VzmdqJZwb5y++xDuEG5WJVq1DVgm9qPPZmzkzz1bEuGi
eVKHhzQ/cxSDQn+CQA4PxCu24XU9x+482LlGSfJLH1OAi9fz6ima0mCY/b5mwjV3
1bvGz6Wu6fUWDiK9VrZC7EOzHOAfTPU3os/vkb1T4XSqZztZMzHxhVTnD7e92Ym7
vxIQOrqtOKjAS9SDz7mjEU1yn2UOH2IArW3QSuwG53G0098eVzfPs2aM3NZLadhb
ygycw81x3mUuWlA7U3YuXz6n8xZ/ywcQFnab1aCFt8Kvn1KTaJkZZvOwHgD4sFEF
VhXjdjjSFwORbbF7fwFw0NNyk/2ro5Jat6wz+juCydN4O+21XA+OQCViKC8MsKdL
3fU5UA4Ymc7sqSJSLa8KVCc5Mu1mPf7HlyLaenvW5NJszjJCFI/IEvTQlJ7riBQB
8jdX7JtxCndS8DX/Mx4epn6rxaHSZ6lCtS6ApK/5FcMs6PyR8b2iOemCz+7E2E0O
QqOaflMPYErKD2UifNGW2JOVCSxeMTJzmaRexqn29ziktDfQ17PAZDNZdVff0r4E
2OwwjlbshAu5V5RtaOYK
=Mleh
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.