Hello,
A new XSS vulnerability was discovered in my package jquery-jplayer.
Useful information (as listed in the DD Reference):
- Whether or not the bug is already public
The bug is public and classified as CVE-2013-2023
- Which versions of the package are known to be affected by the bug. Check each version that is present in a supported Debian release, as well as testing and unstable
Upstream versions 2.2.19 and newer are affected, including 2.3.0
Wheezy contains 2.1.0-2, which is upstream's 2.1.0 plus three backported security fixes
Testing contains 2.1.0-2 too
Sid contains 2.3.0-1, which is upstream's 2.3.0, unchanged. I am packaging upstream's 2.3.2 as 2.3.2-1 and it will be ready later today.
- The nature of the fix, if any is available (patches are especially helpful)
Backport of upstream's fixes
- Any fixed packages that you have prepared yourself (send only the .diff.gz and .dsc files and read Section 5.8.5.4, “Preparing packages to address security issues” first)
jquery-jplayer 2.1.0-3 contains the fixes. It is available from mentors:
Debdiff against 2.1.0-2 attached
- Any assistance you can provide to help with testing (exploits, regression testing, etc.)
- Any information needed for the advisory (see Section 5.8.5.3, “Security Advisories”)
Please check CVE-2013-2023