
List:       oss-security
Subject:    Re: [oss-security] CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2014-12-30 4:25:38
Message-ID: 20141230042538.GA26543 () eldamar ! local

Hi,

On Sun, Dec 21, 2014 at 01:39:50PM +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> New security releases for Mediawiki (1.24.1, 1.23.8, 1.22.15 and 1.19.23) were
> announced:
> 
> https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
> 
> > == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
> > * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
> >   which could lead to XSS. Permission to edit MediaWiki namespace is required
> >   to exploit this.
> > * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
> >   $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
> >   part of its name.
> 
> Could CVEs be assigned for these two issues?
> 
> References:
> 
>  * https://phabricator.wikimedia.org/T76686 (not accessible atm)
>  * https://phabricator.wikimedia.org/T77028 (seems to only affect
>    1.20 and above)
>  * https://bugzilla.redhat.com/show_bug.cgi?id=1175828

Could CVEs be assigned to reference these MediaWiki issues?

Regards,
Salvatore
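The CORS issue quoted above (T77028) describes a general class of origin allow-list bug: the check asks whether an allowed domain appears somewhere in the requesting site's name instead of matching it exactly (or as a proper subdomain under a wildcard). The Python below is an added illustration of that class for this thread; it is not MediaWiki's code and not a reproduction of the actual fix. The allow-list entries, the `*.` wildcard syntax and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list standing in for a $wgCrossSiteAJAXdomains-style
# setting (assumption for this example; not MediaWiki's real configuration).
ALLOWED_DOMAINS = ["example.org", "*.wikimedia.org"]


def _host_of(origin):
    """Return the lowercase hostname of an Origin header value, or None."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # "null", empty, or non-web origins never match
    return parts.hostname.lower()


def origin_allowed_weak(origin, allowed=ALLOWED_DOMAINS):
    """Vulnerable pattern: substring match of the allowed domain in the host.

    Any origin that merely *contains* an allowed name passes, so
    evil-example.org or wikimedia.org.attacker.net are accepted.
    """
    host = _host_of(origin)
    if host is None:
        return False
    for entry in allowed:
        bare = entry.lower().lstrip("*.")  # "*.wikimedia.org" -> "wikimedia.org"
        if bare in host:
            return True
    return False


def origin_allowed_strict(origin, allowed=ALLOWED_DOMAINS):
    """Hardened pattern: exact host match, or proper subdomain for "*." entries.

    A wildcard entry "*.wikimedia.org" matches "en.wikimedia.org" because the
    host ends with ".wikimedia.org"; it does not match "wikimedia.org.attacker.net"
    because the allowed name is not the *suffix* of the host.
    """
    host = _host_of(origin)
    if host is None:
        return False
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[1:]  # ".wikimedia.org"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False


def compare(origins):
    """Evaluate a list of Origin values under both checks; returns a dict
    mapping origin -> (weak_result, strict_result)."""
    return {o: (origin_allowed_weak(o), origin_allowed_strict(o)) for o in origins}


if __name__ == "__main__":
    # Constructed sample Origin values, including look-alike attacker hosts.
    samples = [
        "https://example.org",
        "https://en.wikimedia.org",
        "https://evil-example.org",
        "https://wikimedia.org.attacker.net",
        "https://example.org.evil.net",
        "null",
    ]
    for origin, (weak, strict) in compare(samples).items():
        print(f"{origin:40} weak={weak!s:5} strict={strict!s:5}")
```

The strict check anchors the comparison at the end of the host and requires a literal dot boundary for wildcards, which is what defeats the "allowed domain as part of the name" trick. It deliberately ignores the port and rejects non-http(s) and "null" origins; whether a port should be part of the match is a deployment decision and is not addressed by the advisory text.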