Hi,

On Sat, May 07, 2016 at 11:58:22AM +1000, Craig Small wrote:
> Package: libjs-mediaelement
> Version: 2.15.1+dfsg-1
> Severity: important
> Tags: security upstream
>
> I saw this regarding the wordpress 4.5.2 release[1].

Thank you for the heads up.

> MediaElement.js is
> vulnerable to a reflected XSS attack. The wordpress patch is at [2]
> but I cannot exactly find what has changed but I think it is the
> url has the time added to randomize it more. [3]

Looks like the issue is confined in the Flash player that is disabled in Debian, so we should be on the safe side. I’ll backport the fix anyway to be on the safer side, thanks.

> 1: https://wordpress.org/news/2016/05/wordpress-4-5-2/
> 2: https://core.trac.wordpress.org/changeset/37370
> 3:
> https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e

Regards

David