
List:       oss-security
Subject:    Re: [oss-security] Re: CVE-2013-1942 jPlayer 2.2.19 XSS
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-05-05 6:43:20
Message-ID: 5185FF88.8050909 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/03/2013 11:39 AM, Salvatore Bonaccorso wrote:
> Hi Kurt
> 
> Have a question about the CVE assignments for these issues:
> 
> On Mon, Apr 29, 2013 at 01:30:09PM -0600, Kurt Seifried wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 04/20/2013 11:19 AM, Mark Panaghiston wrote:
>>> jPlayer 2.3.0 has been released that officially fixes this
>>> issue:
>>> 
>>> http://www.jplayer.org/ https://github.com/happyworm/jPlayer
>>> 
>>> Tagged as *2.3.0* on GitHub. 
>>> https://github.com/happyworm/jPlayer/commit/c1c7a4dfa63bb6684d3670202e4a65d400dfce86
>>> 
>>> Full Release Notes for jPlayer 2.3.0:
>>> http://www.jplayer.org/2.3.0/release-notes/
>>> 
>>> In particular these fixes addressed security issues. Listed
>>> with their GitHub commits for code reference:
>>> 
>>> [2.2.20] Security Fix: The Flash SWF had a security
>>> vulnerability that enabled XSS (Cross Site Scripting). Reported
>>> by Malte Batram. Security reference CVE-2013-1942 
>>> <https://access.redhat.com/security/cve/>. 
>>> https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d
>> 
>> Sorry for the late reply. Please use CVE-2013-2022 for this issue.
> 
> In [1] CVE-2013-1942 was assigned, referencing the same commit.
> 
> [1] http://marc.info/?l=oss-security&m=136570964825921&w=2
> 
> Should CVE-2013-1942 thus only be used for owncloud reference, and

CVE-2013-1942 was assigned for jPlayer 2.2.19 XSS, which is included
in ownCloud (and possibly other things?).

> CVE-2013-2022 and CVE-2013-2023 on other side for jplayer itself?

CVE-2013-2022 is for jPlayer 2.2.20 XSS

CVE-2013-2023 is for jPlayer 2.2.23 XSS

So XSSs in 3 different versions of jPlayer.

> Thanks a lot in advance for clarification!
> 
> Regards, Salvatore
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRhf+IAAoJEBYNRVNeJnmTwysP/ijU/g4q3xhC/ifamEIRGw2I
2gseRc4FIhzhK+hubYU/jgMZGJICX2kIPrKBvjkZ4Z4Zu/oS+a9ixVBfdftgQSSz
xCBfQWNq4mSe1cdnvVk9xJYXLcomVectiQwbFsAnLqMwPGJVvWEuggPV05BSrQB2
l5Xt2s0SyU15t8DzGs7OffEgQWaVE2q9q1B6Q2cYoAmKKc/7CrCipxOj6pbvVrqb
+wThxpbakSm8rUgOaeZoPQieD6S0Eu6RIYNEtfOga2p21AUHX27ai+0npd7lL/ZH
SBZv2XtpBEDxkADqinbF/iaIUH3TqxvBbmMUMNHU1+Q9jTsWFb25zQXx83XXZvbL
ii3YnfnEjzQNeYJVUOjoESMy47ZsCXuYx6FVuw6v/SGwmYBoCAhgbyfcmTuaJjE9
+U9Zsr4LifPgTa2y5tPDAzTjKMuPwMAmHAK3F7A9kmkpxlE5wTCYHqOiCxb7tvfW
l3KHpOziaHMghOyEsIvuv07V92RzddaS5FMRGCfRl64wtzX11zdnDt/CJuKYL2R3
p+rLW6REAsiZG8XGAus8YgNcO+nles7Fw1rFdEz6f2RaE7Fc9vijxdNxHYk5xeXN
ZamJGoUVlDQEuiWwLpTkkauYwUsI52TwzUxhuH0mPx0GL5BpGKa6Xz9HxTvZ0DDU
zWjmUP7DYhXy/GVmxy6a
=p3dO
-----END PGP SIGNATURE-----