Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 05 May 2013 00:43:20 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Salvatore Bonaccorso <carnil@...ian.org>
CC: oss-security@...ts.openwall.com, Mark Panaghiston <markp@...pyworm.com>,
        hello@...pyworm.com
Subject: Re: Re: CVE-2013-1942 jPlayer 2.2.19 XSS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/03/2013 11:39 AM, Salvatore Bonaccorso wrote:
> Hi Kurt
> 
> Have a question about the CVE assignments for these issues:
> 
> On Mon, Apr 29, 2013 at 01:30:09PM -0600, Kurt Seifried wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 04/20/2013 11:19 AM, Mark Panaghiston wrote:
>>> jPlayer 2.3.0 has been released that officially fixes this
>>> issue:
>>> 
>>> http://www.jplayer.org/ https://github.com/happyworm/jPlayer
>>> 
>>> Tagged as *2.3.0* on GitHub. 
>>> https://github.com/happyworm/jPlayer/commit/c1c7a4dfa63bb6684d3670202e4a65d400dfce86
>>>
>>>
>>> 
Full Release Notes for jPlayer 2.3.0:
>>> http://www.jplayer.org/2.3.0/release-notes/
>>> 
>>> In particular these fixes addressed security issues. Listed
>>> with their GitHub commits for code reference:
>>> 
>>> [2.2.20] Security Fix: The Flash SWF had a security
>>> vulnerability that enabled XSS (Cross Site Scripting). Reported
>>> by Malte Batram. Security reference CVE-2013-1942 
>>> <https://access.redhat.com/security/cve/>. 
>>> https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d
>>
>>
>>> 
Sorry
>>> 
>> for the late reply. Please use CVE-2013-2022 for this issue.
> 
> In [1] CVE-2013-1942 was assigned, referencing the same commit.
> 
> [1] http://marc.info/?l=oss-security&m=136570964825921&w=2
> 
> Should CVE-2013-1942 thus only be used for owncloud reference, and

CVE-2013-1942 was assigned for jPlayer 2.2.19 XSS, which is included
in ownCloud (and possibly other things?).

> CVE-2013-2022 and CVE-2013-2023 on other side for jplayer itself?

CVE-2013-2022 is for jPlayer 2.2.20 XSS

CVE-2013-2023 is for jPlayer 2.2.23 XSS

So XSS's in 3 different versions of jPlayer.

> Thanks a lot in advance for clarification!
> 
> Regards, Salvatore
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRhf+IAAoJEBYNRVNeJnmTwysP/ijU/g4q3xhC/ifamEIRGw2I
2gseRc4FIhzhK+hubYU/jgMZGJICX2kIPrKBvjkZ4Z4Zu/oS+a9ixVBfdftgQSSz
xCBfQWNq4mSe1cdnvVk9xJYXLcomVectiQwbFsAnLqMwPGJVvWEuggPV05BSrQB2
l5Xt2s0SyU15t8DzGs7OffEgQWaVE2q9q1B6Q2cYoAmKKc/7CrCipxOj6pbvVrqb
+wThxpbakSm8rUgOaeZoPQieD6S0Eu6RIYNEtfOga2p21AUHX27ai+0npd7lL/ZH
SBZv2XtpBEDxkADqinbF/iaIUH3TqxvBbmMUMNHU1+Q9jTsWFb25zQXx83XXZvbL
ii3YnfnEjzQNeYJVUOjoESMy47ZsCXuYx6FVuw6v/SGwmYBoCAhgbyfcmTuaJjE9
+U9Zsr4LifPgTa2y5tPDAzTjKMuPwMAmHAK3F7A9kmkpxlE5wTCYHqOiCxb7tvfW
l3KHpOziaHMghOyEsIvuv07V92RzddaS5FMRGCfRl64wtzX11zdnDt/CJuKYL2R3
p+rLW6REAsiZG8XGAus8YgNcO+nles7Fw1rFdEz6f2RaE7Fc9vijxdNxHYk5xeXN
ZamJGoUVlDQEuiWwLpTkkauYwUsI52TwzUxhuH0mPx0GL5BpGKa6Xz9HxTvZ0DDU
zWjmUP7DYhXy/GVmxy6a
=p3dO
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.