Message-ID: <5109EC7A.5060102@redhat.com>
Date: Wed, 30 Jan 2013 21:00:58 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: jQuery 1.6.2 XSS CVE assignment

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/

Fix an XSS attack vector: User ma.la reported a common pattern that many
sites are using to select elements using location.hash that allows
someone to inject script into the page. This practice seemed widespread
enough that we decided to modify the selector recognition to prevent
script injection for the most common case. Any string passed to $()
cannot contain HTML tags (and thus no script) if it has a "#" character
preceding them. See the ticket linked above for more information and a
test case.

Please use CVE-2011-4969 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
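The selector-recognition change the release note describes, modelled as an added example for this post (not jQuery's own source); the two regular expressions approximate the 1.6.2 and 1.6.3 quick-expression checks and are an assumption of this illustration, as is the constructed sample hash:

```javascript
// Added example, not jQuery's source: models how $() decides whether a
// string is an HTML fragment or a selector, before and after 1.6.3.
// Both regexes are approximations written for this illustration.

// 1.6.2-style recognition: any string containing a <tag> is treated as
// HTML, even when it begins with "#" (as location.hash always does).
const QUICK_EXPR_1_6_2 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// 1.6.3-style recognition: a "#" anywhere before the first "<" disqualifies
// the string from being HTML, so hash-derived strings fall through to the
// selector engine, where a tag is merely an invalid selector.
const QUICK_EXPR_1_6_3 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

function classify(input, quickExpr) {
  const m = quickExpr.exec(input);
  if (m && m[1]) return "html";              // would be parsed into DOM nodes
  if (m && m[2] !== undefined) return "id";  // getElementById fast path
  return "selector";                         // handed to the selector engine
}

// Constructed sample of the site pattern $(location.hash) where the hash
// carries markup. A harmless tag is used; the point is only whether the
// string is parsed as HTML at all.
const hashWithMarkup = "#<b>x</b>";

function before() { return classify(hashWithMarkup, QUICK_EXPR_1_6_2); }
function after()  { return classify(hashWithMarkup, QUICK_EXPR_1_6_3); }

console.log("1.6.2:", before());                                 // html
console.log("1.6.3:", after());                                  // selector
console.log("plain id:", classify("#main", QUICK_EXPR_1_6_3));   // id
```

Under the 1.6.3 rule a hash value is never handed to the HTML parser, while ordinary "#id" lookups and genuine HTML fragments without a leading "#" still take their usual paths.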