
Bug #1839

Cross-site scripting in jPlayer

Added by Pau Garcia i Quiles over 8 years ago. Updated about 8 years ago.

Status: Closed
Priority: Urgent
Assignee:
Target version:
Start date: 04/13/2013
Due date:
% Done: 0%
Estimated time:

Description

Wt is shipping an old version of jPlayer plagued by security issues, the most recent of them being CVE-2013-1942.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1942

#1

Updated by Wim Dumon over 8 years ago

  • Assignee set to Koen Deforche

#2

Updated by Koen Deforche over 8 years ago

  • Status changed from New to Resolved
  • Target version changed from 3.3.0 to 3.3.1

Hey Pau,

Apparently only the JavaScript got updated in 2.2.0. Feel free to backport this to 3.3.0 for Debian if you think it's an issue (but I think not?).

Regards,

koen

#3

Updated by Pau Garcia i Quiles over 8 years ago

Koen,

The Flash has also been updated since jPlayer 2.0.x, which is what Wt 3.3.0 included. You must update the JavaScript, the Flash and the themes.

Also, 2.2.0 is not the right version to upgrade to. You need at least 2.2.24, which includes the security fixes. The only way to get that version is GitHub (I've been trying to convince the jPlayer developer to do proper releases for minor versions, with tarballs, branches and tags, but it's going to take a bit of time).

Get the JavaScript and the Flash from:

https://github.com/happyworm/jPlayer

And the themes from the zip files (2.2.0):

http://jplayer.org/download/

BTW, jPlayer requires jQuery 1.4.2, but you are still shipping 1.4.1pre. The differences are probably small, but it might be worth keeping an eye on that.
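A vendored-dependency check of the kind this thread calls for, added here as an example that is not part of the bug report or of Wt's or jPlayer's own code: it reads the version strings out of the bundled jPlayer and jQuery sources (the field names and the sample sources are assumptions, constructed here) and compares them against the 2.2.24 and 1.4.2 minimums, treating a pre-release such as 1.4.1pre as older than 1.4.1.

```python
import re

# Constructed stand-ins for the vendored files. The version object and field
# names are assumptions about jPlayer and jQuery source, not taken from the bug.
JPLAYER_OLD = '$.jPlayer.prototype.version = { script: "2.0.0", needFlash: "2.0.0", flash: "unknown" };'
JPLAYER_FIXED = '$.jPlayer.prototype.version = { script: "2.2.24", needFlash: "2.2.0", flash: "unknown" };'
JQUERY_PRE = 'jQuery.fn = jQuery.prototype = { jquery: "1.4.1pre", size: function() {} };'

MIN_JPLAYER = "2.2.24"  # first version carrying the security fixes, per the thread
MIN_JQUERY = "1.4.2"    # version jPlayer requires, per the thread

def parse_version(text: str):
    """Split 'MAJOR.MINOR.PATCH[suffix]' into (numbers, rank). A pre-release
    suffix such as 'pre' gets rank 0 so it sorts below the plain release."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([A-Za-z].*)?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, 0 if m.group(2) else 1

def at_least(found: str, minimum: str) -> bool:
    """True if 'found' is >= 'minimum'; missing trailing components count as 0."""
    fn, fr = parse_version(found)
    mn, mr = parse_version(minimum)
    width = max(len(fn), len(mn))
    fn += (0,) * (width - len(fn))
    mn += (0,) * (width - len(mn))
    return (fn, fr) >= (mn, mr)

def jplayer_version(src: str):
    # Prefer the runtime version object; fall back to a 'Version:' header comment.
    m = re.search(r'script:\s*"([^"]+)"', src) or re.search(r"Version:\s*(\S+)", src)
    return m.group(1) if m else None

def jquery_version(src: str):
    m = re.search(r'jquery:\s*"([^"]+)"', src)
    return m.group(1) if m else None

def audit(jplayer_src: str, jquery_src: str) -> dict:
    """Report the bundled versions and whether each meets its minimum."""
    jp, jq = jplayer_version(jplayer_src), jquery_version(jquery_src)
    return {
        "jplayer": jp, "jplayer_ok": bool(jp and at_least(jp, MIN_JPLAYER)),
        "jquery": jq, "jquery_ok": bool(jq and at_least(jq, MIN_JQUERY)),
    }

if __name__ == "__main__":
    print(audit(JPLAYER_OLD, JQUERY_PRE))    # both flagged as out of date
    print(audit(JPLAYER_FIXED, JQUERY_PRE))  # jPlayer ok, jQuery still old
```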

#4

Updated by Koen Deforche over 8 years ago

  • Status changed from Resolved to InProgress

#5

Updated by Koen Deforche over 8 years ago

  • Status changed from InProgress to Resolved

Hey Pau,

I've imported version 2.2.24 now, thanks.

Regards,

koen

#6

Updated by Koen Deforche about 8 years ago

  • Status changed from Resolved to Closed
