Your message dated Sat, 7 May 2016 10:41:29 -0400
with message-id <[email protected]>
and subject line Re: Bug#823649: libjs-mediaelement: Reflected XSS vulnerability
has caused the Debian Bug report #823649,
regarding libjs-mediaelement: Reflected XSS vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
823649: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823649
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libjs-mediaelement
Version: 2.15.1+dfsg-1
Severity: important
Tags: security upstream

I saw this regarding the WordPress 4.5.2 release [1]. MediaElement.js is
vulnerable to a reflected XSS attack. The WordPress patch is at [2],
but I cannot find exactly what has changed; I think it is that the
URL has the time added to randomize it more. [3]

1: https://wordpress.org/news/2016/05/wordpress-4-5-2/
2: https://core.trac.wordpress.org/changeset/37370
3: https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

libjs-mediaelement depends on no packages.

Versions of packages libjs-mediaelement recommends:
ii  libjs-jquery  1.11.3+dfsg-4

libjs-mediaelement suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Hi,

On Sat, May 07, 2016 at 10:18:37AM -0400, David Prévot wrote:
> On Sat, May 07, 2016 at 11:58:22AM +1000, Craig Small wrote:
> > Package: libjs-mediaelement
> > Version: 2.15.1+dfsg-1
> > Severity: important
> > Tags: security upstream

> > MediaElement.js is
> > vulnerable to a reflected XSS attack. The WordPress patch is at [2],
> > but I cannot find exactly what has changed; I think it is that the
> > URL has the time added to randomize it more. [3]
> 
> Looks like the issue is confined in the Flash player that is disabled in
> Debian, so we should be on the safe side.

I confirm that the affected parts have already been stripped away from
the Debian package, so this issue doesn’t affect us at all, and there is
nothing to fix here.

Regards

David


--- End Message ---