Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 14 Aug 2014 04:12:40 -0400 (EDT)
From: cve-assign@...re.org
To: csteipp@...imedia.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> * (bug 68187) SECURITY: Prepend jsonp callback with comment.
> ** This was hardening against CVE-2014-4671, I don't think CVEs are
> being assigned for these?

Use CVE-2014-5241.

[ Related discussion:

  > From: Salvatore Bonaccorso <carnil@...ian.org>
  > Date: Sat, 2 Aug 2014 07:47:56 +0200

  > There was at last CVE-2014-1546 assigned in bugzilla for this
  > (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1546). So a
  > CVE might also be assigned for this.

  Yes, a product with an affected JSONP endpoint can have its own
  individual CVE ID. It is also possible that the vendor of a
  JSONP endpoint has determined that a successful attack is entirely
  the fault of the SWF parser, and does not want to have a CVE ID.
  This might, hypothetically, occur if the JSONP response from a
  product is always noncompliant SWF data, but some SWF parsers accept
  it anyway. ]


> * (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the
> URL used for loading a new page in Javascript,instead of relying on
> the URL in the link that has been clicked.
> ** Standard Dom XSS. Credit goes to Michael M.

Use CVE-2014-5242.


> * (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage
> and ParserOutput.
> ** This probably should get a CVE, since downstreams will all want to
> patch this. We prevent iframing certain pages to prevent clickjacking
> / redressing attacks, but when those pages were transcluded into
> non-protected pages, the resulting page could be iframed. Credit goes
> to Kevin Israel.

Use CVE-2014-5243.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT7G8NAAoJEKllVAevmvmsZagH/3tDEp3tiZaGWLs8CG4Ul2vg
Vgak1YxgAkTe7zQkl5dwTYjSVPUFenV7ig+8HokEepK3gf5tO1hQw7tgAshyR4cz
MsOCq4VJ3YD8/KwS1GNJPoarMlbbAQrNztudD5Rz3zBywMHiOgq2ZWhYro7cQhKD
68+jEunzEmFwOsdHlMXKNKO7aFlyheX7LcaTyALPRwKBrtP2NWXLqDLInK44CX4x
CfvRUOQdjFBbNVJJEsubm5y+plqTqHtHQC5DcG8nihlYrCDvG4bmB6pIy/CEHQQU
4k0IpSBs2KLbLzWG5073hAfm0FbjkJNL8MJQIXRPfmIZevZIwz74i0vDgM1bjuc=
=L99h
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.