Bug #1839
Closed
Cross-site scripting in jPlayer
0%
Description
Wt is shipping an old version of jPlayer plagued by security issues, the most recent of them CVE-2013-1942.
Updated by Koen Deforche over 11 years ago
- Status changed from New to Resolved
- Target version changed from 3.3.0 to 3.3.1
Hey Pau,
Apparently only the JavaScript got updated in 2.2.0. Feel free to backport this to 3.3.0 for debian if you think it's an issue (but I think not?).
Regards,
koen
Updated by Pau Garcia i Quiles over 11 years ago
Koen,
The Flash has also been updated since jPlayer 2.0.x, which is what Wt 3.3.0 included. You must update the JavaScript, the Flash and the themes.
Also, 2.2.0 is not the right version to upgrade to. You need at least 2.2.24, which includes the security fixes. The only way to get that version is GitHub (I've been trying to convince the jPlayer developer to do proper releases for minor versions tarballs, branches and tags but it's going to take a bit of time).
Get the JavaScript and the Flash from:
https://github.com/happyworm/jPlayer
And the themes from the zip files (2.2.0):
http://jplayer.org/download/
BTW, jPlayer requires jQuery 1.4.2, you are still shipping 1.4.1pre. The differences are probably small but it might be worth keeping an eye on that.
Updated by Koen Deforche over 11 years ago
- Status changed from Resolved to InProgress
Updated by Koen Deforche over 11 years ago
- Status changed from InProgress to Resolved
Hey Pau,
I've imported version 2.2.24 now, thanks.
Regards,
koen
Updated by Koen Deforche over 11 years ago
- Status changed from Resolved to Closed