jQuery UI 1.10.0 release fixes XSS issue [1] in jQuery Tooltip widget. From [1]:

... WIDGETS Tooltip Fixed: XSS vulnerability in default content. (#8861, f285440) ...

The issue was initially reported in [2], and then actually fixed in [3] by commit [4].

[1]: http://jqueryui.com/changelog/1.10.0/
[2]: http://bugs.jqueryui.com/ticket/8859
[3]: http://bugs.jqueryui.com/ticket/8861
[4]: https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde

--

Note: whiteboard lists quite a few packages, which are known to have jQuery embedded.
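The following is an added illustration, not code from this bug report or from the jQuery UI project, of what "XSS vulnerability in default content" means for the Tooltip widget. The tooltip takes its default content from the element's title attribute and inserts it into the bubble as HTML; the linked fix escapes the title as text first. The snippet models both the pre-fix and the post-fix content function in plain Node.js without jQuery (the function names, the escaping helper and the sample element are assumptions made for this example):

```javascript
// Added example (not jQuery UI's own code). Models the tooltip "default content"
// path: the content returned for an element is later injected as HTML into the
// tooltip bubble, so whatever markup survives in it gets rendered.

// Minimal HTML escaping, equivalent to assigning textContent and reading back
// innerHTML. Assumption: this mirrors what the fixed widget does with the title.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-fix pattern: the title attribute is returned verbatim. Because the widget
// inserts the result as HTML, any markup in the title is rendered.
function defaultContentVulnerable(element) {
  return element.title || "";
}

// Post-fix pattern: the title is treated as text and escaped before it becomes HTML.
function defaultContentFixed(element) {
  return escapeHtml(element.title || "");
}

// Simulated tooltip render. A real widget would do $(bubble).html(content);
// here we only build the resulting HTML string.
function renderTooltip(element, contentFn) {
  return '<div class="ui-tooltip-content">' + contentFn(element) + "</div>";
}

// Constructed sample: an element whose title attribute carries markup, as happens
// when an application copies user-supplied text into title without encoding it.
const SAMPLE_ELEMENT = { title: "Hello <b>world</b>" };

// Runs both variants over the sample so the difference is visible side by side.
function demo() {
  return {
    vulnerable: renderTooltip(SAMPLE_ELEMENT, defaultContentVulnerable),
    fixed: renderTooltip(SAMPLE_ELEMENT, defaultContentFixed),
  };
}

// Review helper: does the rendered bubble still contain a raw tag from the title?
// Useful when checking a bundled copy of the widget behaves like the fixed version.
function containsRawMarkup(rendered) {
  const inner = rendered
    .replace(/^<div class="ui-tooltip-content">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-zA-Z]/.test(inner);
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("vulnerable:", r.vulnerable);
  console.log("fixed:     ", r.fixed);
}
```

The point for anyone auditing a bundled jQuery UI copy (the whiteboard packages mentioned above) is the contract, not the helper: content derived from an attribute must be escaped before the widget passes it to an HTML sink, and a quick way to confirm a given copy is fixed is to give an element a title with a harmless tag and check whether the bubble renders it or shows it literally.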
Regarding products that ship rubygem-jquery-ui-rails (or ruby193-) such as Satellite 6 or OpenStack, versions 4.0.0 or higher of jquery-ui-rails contain jquery-ui 1.10.0, so should not be vulnerable if newer than 4.0.0. jquery-ui-rails is essentially a redistribution of jquery-ui and has a version scheme of its own: https://github.com/joliss/jquery-ui-rails/blob/master/VERSIONS.md
I don't think any of the packages I maintain are listed here ...
(In reply to Mukundan Ragavan from comment #4)
> I don't think any of the packages I maintain are listed here ...

You got CCed here because you own fityk, which was first listed as affected, and is now listed as unaffected.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0442 https://rhn.redhat.com/errata/RHSA-2015-0442.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1462 https://rhn.redhat.com/errata/RHSA-2015-1462.html