List: oss-security
Subject: Re: [oss-security] CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2014-12-30 4:25:38
Message-ID: 20141230042538.GA26543 () eldamar ! local
Hi,

On Sun, Dec 21, 2014 at 01:39:50PM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> New security releases for Mediawiki (1.24.1, 1.23.8, 1.22.15 and 1.19.23) were
> announced:
>
> https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
>
> > == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
> > * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
> > which could lead to xss. Permission to edit MediaWiki namespace is required
> > to exploit this.
> > * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
> > $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
> > part of its name.
>
> Could CVEs be assigned for these two issues?
>
> References:
>
> * https://phabricator.wikimedia.org/T76686 (not accessible atm)
> * https://phabricator.wikimedia.org/T77028 (seems to be only affecting
> 1.20 and above)
> * https://bugzilla.redhat.com/show_bug.cgi?id=1175828

Could CVEs be assigned to reference these mediawiki issues?

Regards,
Salvatore
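
The second issue quoted above (T77028) describes an origin check that accepts an allowed domain appearing anywhere in the requesting site's name. As an added illustration, not part of the original message and not MediaWiki's own code, this Python sketch contrasts an unanchored wildcard match with an anchored one; the allowlist entries, host names and function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist in the style of $wgCrossSiteAJAXdomains
# ('*' = any run of characters, '?' = any single character).
ALLOWED = ["*.example.org", "wiki.example.net"]

def wildcard_to_regex(pattern):
    """Escape the pattern, then translate the two wildcards."""
    return re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")

def origin_host(origin):
    """Return the lowercased host of an Origin header value, or None."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()

def match_unanchored(origin, allowed=ALLOWED):
    """Flawed check: re.search accepts the pattern anywhere in the host."""
    host = origin_host(origin)
    return host is not None and any(
        re.search(wildcard_to_regex(p), host) for p in allowed)

def match_anchored(origin, allowed=ALLOWED):
    """Hardened check: the entire host must match the pattern."""
    host = origin_host(origin)
    return host is not None and any(
        re.fullmatch(wildcard_to_regex(p), host) for p in allowed)

def disagreements(origins, allowed=ALLOWED):
    """Origins the flawed check accepts but the anchored check rejects."""
    return [o for o in origins
            if match_unanchored(o, allowed) and not match_anchored(o, allowed)]

# Constructed Origin header values for a regression test.
SAMPLE_ORIGINS = [
    "https://en.example.org",                 # legitimate subdomain
    "https://wiki.example.net",               # legitimate exact host
    "https://wiki.example.net.attacker.test", # allowed name as a prefix
    "https://evilwiki.example.net",           # allowed name as a suffix
    "null",                                   # opaque origin
]

if __name__ == "__main__":
    for origin in disagreements(SAMPLE_ORIGINS):
        print("accepted only by the unanchored check:", origin)
```

Running `disagreements()` over the origins seen in access logs, or over a fixed list in a unit test, flags any allowlist matcher that still treats an entry as a substring.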