[Bug 1166041] CVE-2010-5312 jquery-ui: XSS vulnerability in jQuery.ui.dialog title option
bugzilla at redhat.com
bugzilla at redhat.com
Thu Nov 20 12:12:38 UTC 2014
https://bugzilla.redhat.com/show_bug.cgi?id=1166041
Vasyl Kaigorodov <vkaigoro at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=2010 |impact=moderate,public=2010
|0903,reported=20141120,sour |0903,reported=20141120,sour
|ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/
|AC:M/Au:N/C:N/I:P/A:N,fedor |AC:M/Au:N/C:N/I:P/A:N,fedor
|a-all/asterisk-gui=affected |a-all/asterisk-gui=affected
|,fedora-all/beacon=affected |,fedora-all/beacon=affected
|,fedora-all/blender=affecte |,fedora-all/blender=affecte
|d,fedora-all/bodhi=affected |d,fedora-all/bodhi=affected
|,fedora-all/cacti=affected, |,fedora-all/cacti=affected,
|fedora-all/calibre=affected |fedora-all/calibre=affected
|,fedora-all/cinnamon=affect |,fedora-all/cinnamon=notaff
|ed,fedora-all/ckeditor=affe |ected,fedora-all/ckeditor=a
|cted,fedora-all/cobbler=aff |ffected,fedora-all/cobbler=
|ected,fedora-all/couchdb=af |affected,fedora-all/couchdb
|fected,fedora-all/cumin=aff |=affected,fedora-all/cumin=
|ected,fedora-all/django-typ |affected,fedora-all/django-
|epad=affected,fedora-all/dl |typepad=affected,fedora-all
|=affected,fedora-all/dokuwi |/dl=affected,fedora-all/dok
|ki=affected,fedora-all/drup |uwiki=affected,fedora-all/d
|al6=affected,fedora-all/dru |rupal6=affected,fedora-all/
|pal7=affected,fedora-all/dr |drupal7=affected,fedora-all
|upal7-jquery_update=affecte |/drupal7-jquery_update=affe
|d,fedora-all/fish=affected, |cted,fedora-all/fish=affect
|fedora-all/fityk=affected,f |ed,fedora-all/fityk=affecte
|edora-all/freeipa=affected, |d,fedora-all/freeipa=affect
|fedora-all/gallery3=affecte |ed,fedora-all/gallery3=affe
|d,fedora-all/global=affecte |cted,fedora-all/global=affe
|d,fedora-all/graphite-web=a |cted,fedora-all/graphite-we
|ffected,fedora-all/hotot=af |b=affected,fedora-all/hotot
|fected,fedora-all/ikiwiki=a |=affected,fedora-all/ikiwik
|ffected,fedora-all/libgda=a |i=affected,fedora-all/libgd
|ffected,fedora-all/mediawik |a=affected,fedora-all/media
|i=affected,fedora-all/mojom |wiki=affected,fedora-all/mo
|ojo=affected,fedora-all/nod |jomojo=affected,fedora-all/
|ejs-should=affected,fedora- |nodejs-should=affected,fedo
|all/OpenLP=affected,fedora- |ra-all/OpenLP=affected,fedo
|all/openslides=affected,fed |ra-all/openslides=affected,
|ora-all/openteacher=affecte |fedora-all/openteacher=affe
|d,fedora-all/orbited=affect |cted,fedora-all/orbited=aff
|ed,fedora-all/perl-Mojolici |ected,fedora-all/perl-Mojol
|ous=affected,fedora-all/php |icious=affected,fedora-all/
|PgAdmin=affected,fedora-all |phpPgAdmin=affected,fedora-
|/python-backlash=affected,f |all/python-backlash=affecte
|edora-all/python-django=aff |d,fedora-all/python-django=
|ected,fedora-all/python-dja |affected,fedora-all/python-
|ngo-debug-toolbar=affected, |django-debug-toolbar=affect
|fedora-all/python-django-ty |ed,fedora-all/python-django
|pepadapp=affected,fedora-al |-typepadapp=affected,fedora
|l/python-django14=affected, |-all/python-django14=affect
|fedora-all/python-django15= |ed,fedora-all/python-django
|affected,fedora-all/python- |15=affected,fedora-all/pyth
|flask-debugtoolbar=affected |on-flask-debugtoolbar=affec
|,fedora-all/python-pebl=aff |ted,fedora-all/python-pebl=
|ected,fedora-all/python-sph |affected,fedora-all/python-
|inx=affected,fedora-all/pyt |sphinx=affected,fedora-all/
|hon-tw-jquery=affected,fedo |python-tw-jquery=affected,f
|ra-all/python-tw2-jqplugins |edora-all/python-tw2-jqplug
|-flot=affected,fedora-all/p |ins-flot=affected,fedora-al
|ython-tw2-jquery=affected,f |l/python-tw2-jquery=affecte
|edora-all/python-werkzeug=a |d,fedora-all/python-werkzeu
|ffected,fedora-all/python-X |g=affected,fedora-all/pytho
|Static-jQuery=affected,fedo |n-XStatic-jQuery=affected,f
|ra-all/python-backlash=affe |edora-all/python-backlash=a
|cted,fedora-all/python-djan |ffected,fedora-all/python-d
|go=affected,fedora-all/pyth |jango=affected,fedora-all/p
|on-sphinx=affected,fedora-a |ython-sphinx=affected,fedor
|ll/python-werkzeug=affected |a-all/python-werkzeug=affec
|,fedora-all/roundup=affecte |ted,fedora-all/roundup=affe
|d,fedora-all/rubygem-jquery |cted,fedora-all/rubygem-jqu
|-rails=affected,fedora-all/ |ery-rails=affected,fedora-a
|sagemath=affected,fedora-al |ll/sagemath=affected,fedora
|l/sparkleshare=affected,fed |-all/sparkleshare=affected,
|ora-all/spyder=affected,fed |fedora-all/spyder=affected,
|ora-all/StarCluster=affecte |fedora-all/StarCluster=affe
|d,fedora-all/sticky-notes=a |cted,fedora-all/sticky-note
|ffected,fedora-all/sugar-he |s=affected,fedora-all/sugar
|lp=affected,fedora-all/varn |-help=affected,fedora-all/v
|ish-agent=affected,fedora-a |arnish-agent=affected,fedor
|ll/webacula=affected,fedora |a-all/webacula=affected,fed
|-all/wesnoth=affected,fedor |ora-all/wesnoth=affected,fe
|a-all/why3=affected,fedora- |dora-all/why3=affected,fedo
|all/wordpress=affected,fedo |ra-all/wordpress=affected,f
|ra-all/yelp-xsl=affected,fe |edora-all/yelp-xsl=affected
|dora-all/zabbix=affected,ep |,fedora-all/zabbix=affected
|el-all/drupal7-jquery_updat |,epel-all/drupal7-jquery_up
|e=affected,epel-all/python- |date=affected,epel-all/pyth
|tw-jquery=affected,epel-all |on-tw-jquery=affected,epel-
|/python-tw2-jquery=affected |all/python-tw2-jquery=affec
|,epel-all/python-XStatic-jq |ted,epel-all/python-XStatic
|uery-ui=affected,openshift- |-jquery-ui=affected,openshi
|1/drupal6-jquery_ui-lib=new |ft-1/drupal6-jquery_ui-lib=
|,openshift-1/ruby193-rubyge |new,openshift-1/ruby193-rub
|m-jquery-rails=new,openshif |ygem-jquery-rails=new,opens
|t-enterprise-1/ruby193-ruby |hift-enterprise-1/ruby193-r
|gem-jquery-rails=new,opensh |ubygem-jquery-rails=new,ope
|ift-enterprise-2/ruby193-ru |nshift-enterprise-2/ruby193
|bygem-jquery-rails=new,rhsc |-rubygem-jquery-rails=new,r
|l-1.2/ror40-rubygem-jquery- |hscl-1.2/ror40-rubygem-jque
|rails=new,rhscl-1.2/ruby193 |ry-rails=new,rhscl-1.2/ruby
|-rubygem-jquery-rails=new,r |193-rubygem-jquery-rails=ne
|hn_satellite_6/ruby193-ruby |w,rhn_satellite_6/ruby193-r
|gem-jquery-ui-rails=new,sam |ubygem-jquery-ui-rails=new,
|-1/ruby193-rubygem-jquery-r |sam-1/ruby193-rubygem-jquer
|ails=new,cfme-5/ruby193-rub |y-rails=new,cfme-5/ruby193-
|ygem-jquery-rails=new,opens |rubygem-jquery-rails=new,op
|tack-4/ruby193-rubygem-jque |enstack-4/ruby193-rubygem-j
|ry-rails=new,openstack-fore |query-rails=new,openstack-f
|man/ruby193-rubygem-jquery- |oreman/ruby193-rubygem-jque
|ui-rails=new,rhel-6/ipa=new |ry-ui-rails=new,rhel-6/ipa=
|,rhel-6/python-sphinx=new,r |new,rhel-6/python-sphinx=ne
|hel-7/ipa=new,rhel-7/python |w,rhel-7/ipa=new,rhel-7/pyt
|-sphinx=new,rhel-7/yelp-xsl |hon-sphinx=new,rhel-7/yelp-
|=new |xsl=new
--- Comment #2 from Vasyl Kaigorodov <vkaigoro at redhat.com> ---
(In reply to leigh scott from comment #1)
> I fail to see how this affects cinnamon as it doesn't use jQuery.ui.dialog
>
> $ repoquery -q --whatprovides */jquery.ui.dialog.js
> mediawiki-0:1.23.6-1.fc20.noarch
> sagemath-notebook-0:5.12-1.fc20.x86_64
> mediawiki-0:1.21.2-2.fc20.noarch
> python-XStatic-jquery-ui-0:1.10.4.1-1.fc20.noarch
> sagemath-notebook-0:6.1.1-5.fc20.x86_64
> drupal7-jquery_update-0:2.3-2.fc20.noarch
> drupal7-jquery_update-0:2.4-1.fc20.noarch
You're right, the "affected" list contains all the packages that have
"jquery.js" embedded.
I'd not rely on repoquery too much here, since jQuery.ui.dialog.js might be
renamed, or embedded in jquery.js.
Anyways - files/usr/lib/cinnamon-settings/data/spices/jquery.js in cinnamon
does not contain vulnerable code, marked as "notaffected".
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=4UupTLnau1&a=cc_unsubscribe
More information about the perl-devel
mailing list