[Pkg-owncloud-maintainers] Bug#823649: libjs-mediaelement: Reflected XSS vulnerability

David Prévot taffit at debian.org
Sat May 7 14:18:37 UTC 2016


Hi,

On Sat, May 07, 2016 at 11:58:22AM +1000, Craig Small wrote:
> Package: libjs-mediaelement
> Version: 2.15.1+dfsg-1
> Severity: important
> Tags: security upstream
> 
> I saw this regarding the wordpress 4.5.2 release[1].

Thank you for the heads up.

> MediaElement.js is
> vulnerable to a reflected XSS attack. The wordpress patch is at [2],
> but I cannot exactly find what has changed; I think it is that the
> URL has the time added to randomize it more. [3]

Looks like the issue is confined to the Flash player, which is disabled in
Debian, so we should be on the safe side. I’ll backport the fix anyway
to be on the safer side, thanks.

> 1: https://wordpress.org/news/2016/05/wordpress-4-5-2/
> 2: https://core.trac.wordpress.org/changeset/37370
> 3: https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e

Regards

David