oss-sec mailing list archives
Re: Re: CVE-2013-1942 jPlayer 2.2.19 XSS
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 3 May 2013 19:39:16 +0200
Hi Kurt

Have a question about the CVE assignments for these issues:

On Mon, Apr 29, 2013 at 01:30:09PM -0600, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/20/2013 11:19 AM, Mark Panaghiston wrote:
>> jPlayer 2.3.0 has been released that officially fixes this issue:
>> http://www.jplayer.org/
>> https://github.com/happyworm/jPlayer
>>
>> Tagged as *2.3.0* on GitHub.
>> https://github.com/happyworm/jPlayer/commit/c1c7a4dfa63bb6684d3670202e4a65d400dfce86
>>
>> Full Release Notes for jPlayer 2.3.0:
>> http://www.jplayer.org/2.3.0/release-notes/
>>
>> In particular these fixes addressed security issues. Listed with their
>> GitHub commits for code reference:
>>
>> [2.2.20] Security Fix: The Flash SWF had a security vulnerability that
>> enabled XSS (Cross Site Scripting). Reported by Malte Batram. Security
>> reference CVE-2013-1942 <https://access.redhat.com/security/cve/>.
>> https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d
>
> Sorry for the late reply. Please use CVE-2013-2022 for this issue.

In [1] CVE-2013-1942 was assigned, referencing the same commit.

 [1] http://marc.info/?l=oss-security&m=136570964825921&w=2

Should CVE-2013-1942 thus only be used for owncloud reference, and CVE-2013-2022 and CVE-2013-2023 on other side for jplayer itself?

Thanks a lot in advance for clarification!

Regards,
Salvatore