Date: Wed, 03 Jul 2013 22:31:03 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: "Steven M. Christey" <coley@...re.org>, Salvatore Bonaccorso <carnil@...ian.org>, Mark Panaghiston <markp@...pyworm.com>, hello@...pyworm.com Subject: Re: Re: CVE-2013-1942 jPlayer 2.2.19 XSS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/27/2013 10:57 AM, Steven M. Christey wrote: > > Kurt, > > Your CVE assignment posts from  and  appear to be > inconsistent, and there are some questions about affected versions, > so I wanted to get some clarity about which CVEs go with which > issues. > > 1) CVE-2013-1942 - fixed in 2.2.20. Commit: > e8ca190f7f972a6a421cb95f09e138720e40ed6d > > This one doesn't seem to have any issues. My understanding of this one is that it now filters out \\ < > = which could be previously used to insert content into the parameters passed to the SWF file resulting in XSS. > > 2) CVE-2013-2022 - based on  CVE-2013-2022 is listed after a > section that talks about an XSS fixed in 2.3.0 (which also includes > the CVE-2013-1942 assignment). However, in  you say > "CVE-2013-2022 is for jPlayer 2.2.20 XSS" but > http://www.jplayer.org/2.3.0/release-notes/ says that CVE-2013-2022 > is fixed in 2.2.23. (Maybe when you said 2.2.20, this also covered > other unfixed versions UNTIL 2.2.23). that was probably the case, I typically assume when I assign a CVE that the next release will assign it (because usually people do fix things quickly =). I was going off of http://www.jplayer.org/latest/release-notes/ when I assigned these > 3) CVE-2013-2023 - in  you assign CVE-2013-2023 to the security > fix that quotes the jPlayer changelog entry for 2.2.23 - which, as > just mentioned in the previous bullet, you already described as > being associated with CVE-2013-2022. In , you also state that > CVE-2013-2023 is for jPlayer 2.2.23 XSS. > > 4) There is no mention of issues that are FIXED in 2.3.0 based on > upstream changelog, but > http://www.jplayer.org/2.4.0/release-notes/ lists fixes in both > 2.3.1 and 2.3.2. > 5) According to jPlayer release notes, we have: > > [2.3.1] Security Fix: The Flash SWF had a minor security > vulnerability that enabled XSS (Cross Site Scripting). Reported by > Eugene Dokukin. Security reference CVE-2013-2023. > > [2.3.2] Security Fix: Closed Flash SWF security vulnerability that > enabled XSS (Cross Site Scripting). Reported by Eugene Dokukin. > Security reference CVE-2013-2023. The jPlayer noConflict option is > now restricted to strings that contain the term jQuery. For > example: lib.jQuery or myjQueryRocks. > > [2.2.20] Security Fix: The Flash SWF had a security vulnerability > that enabled XSS (Cross Site Scripting). Reported by Malte Batram. > Security reference CVE-2013-1942. > > [2.2.23] Security Fix: The Flash SWF had a minor security > vulnerability that enabled XSS (Cross Site Scripting). Reported by > Eugene Dokukin. Security reference CVE-2013-2022. > > I'm of the mindset to use the CVE assignments as provided by > jQuery upstream, but it may be good to get full clarity down to the > individual commits. Yeah, partly what happened is I was specifically asked for a cve for jplayer by the ownCloud guys, I looked at the changelog, saw a bunch more and assigned them as best I could. > >  http://marc.info/?l=oss-security&m=136726705917858&w=2 > >  http://marc.info/?l=oss-security&m=136773622321563&w=2 - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR1PqGAAoJEBYNRVNeJnmT7LkP/12lDuC26SCngF1M8jAoMLdd lyLnjlIxgtJSh1/01JzdTlLUjLoNXCslQKuDuvv9VXPNNhec3CTVF5Gpyqufwnnh 96KaUK8Bb20uBjLRISwoEnS416vZK8WG0RDpDj0jZeBL/cbhzRbJxFvOozM62FWG iHnhRGOHIUm5J+j1DK50eDaSi+gNCCNsYxrYbXzyO34EcpBb48OTDWHK0LC/jelL FvtpiDDwP7pYOMme63e5TRN5WBCwH9VcFeLFaCa8Cfabu6k4qy0IqwUU5wYDvg6C Z5zIROkVSvD1O4zWAdfZqwhpJ0bGKHdFRwQ2TphOiW2aHwOjKy58Brtrfa3qCvrB 7CNqEc9KykxkYwwsoACC6iUnW5CLxOF9Nvm0pWGEB+PZErfYDuS7o3vvDFkb5nNg pnq+icz4M4U3OxRmA1g3EiZEsCwGQzL5pOzZS9IsoofYMuZd5oUuT0N9kZV330Cj JVUvIDwNx5iUb/gpvfh3UXKD6EA2myRmVL5adbEghKh0U4UVg9Dqb20asr/fbQsE YbT2fJTdG/VMPQUA5HXXOpkPlfafDSr016TKD3OvWrhi+P9hrNKJd2A7J7zNf6Tn EM4nvCBMU02mx/aCRPdgagcPCTbjhFVC16yDcTrXaPwI/INxVdCxfnikRDxjXXdb KzQofUuEeBFRyhRySuHR =Cocf -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.