Message-ID: <20141221123950.GA14937@eldamar.local>
Date: Sun, 21 Dec 2014 13:39:50 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and
 1.19.23

Hi

New security releases for Mediawiki (1.24.1, 1.23.8, 1.22.15 and 1.19.23) were
announced:

https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html

> == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
> * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
>   which could lead to xss. Permission to edit MediaWiki namespace is required
>   to exploit this.
> * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
>   $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
>   part of its name.

Could CVEs be assigned for these two issues?

References:

 * https://phabricator.wikimedia.org/T76686 (not accessible atm)
 * https://phabricator.wikimedia.org/T77028 (seems to only affect
   1.20 and above)
 * https://bugzilla.redhat.com/show_bug.cgi?id=1175828

Regards,
Salvatore
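The second item quoted above describes a CORS allow-list that accepts a request when an allowed domain merely occurs somewhere inside the requesting site's name. The Python below is an added illustration of that class of bug and of the anchored check that closes it; it is not MediaWiki's code and does not reproduce the actual $wgCrossSiteAJAXdomains implementation. The allow-list entries, the helper names, the "*." wildcard semantics and the sample Origin values are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list in the spirit of $wgCrossSiteAJAXdomains: one literal
# host plus one "*."-prefixed wildcard for subdomains. The entries, the helper
# names and the wildcard semantics are assumptions for this example, not
# MediaWiki's own code.
ALLOWED_ORIGINS = ["en.wikipedia.org", "*.wikimedia.org"]


def _origin_host(origin):
    """Return the lower-cased host from an Origin header value, or '' when the
    value is not an http(s) URL (e.g. the literal 'null' origin)."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    return parts.hostname.lower()


def weak_origin_allowed(origin):
    """Vulnerable pattern: allow the request if an allowed domain appears
    anywhere in the Origin host. A substring test with no anchoring lets
    'en.wikipedia.org.attacker.example' and 'evilwikimedia.org' through."""
    host = _origin_host(origin)
    for pattern in ALLOWED_ORIGINS:
        needle = pattern[2:] if pattern.startswith("*.") else pattern
        if host and needle in host:
            return True
    return False


def _pattern_to_regex(pattern):
    """Compile one allow-list entry into a regex anchored over the whole host."""
    if pattern.startswith("*."):
        # one or more DNS labels, then the literal suffix; the bare apex domain
        # does not match a "*." entry in this example
        return re.compile(r"^(?:[a-z0-9-]+\.)+" + re.escape(pattern[2:]) + r"$")
    return re.compile(r"^" + re.escape(pattern) + r"$")


_ALLOWED_REGEXES = [_pattern_to_regex(p) for p in ALLOWED_ORIGINS]


def strict_origin_allowed(origin):
    """Hardened check: the entire host must match an entry, anchored at both
    ends, so an allowed name embedded in a longer attacker name is rejected."""
    host = _origin_host(origin)
    return bool(host) and any(rx.match(host) for rx in _ALLOWED_REGEXES)


def cors_headers(origin):
    """Response headers for an API call: echo the exact Origin only when it is
    allowed (never '*'), and mark the response as varying by Origin so shared
    caches do not serve it to a different site."""
    if not strict_origin_allowed(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample Origin values; the third and fourth contain an allowed
    # domain only as part of a longer attacker-controlled name.
    for o in ["https://en.wikipedia.org",
              "https://upload.wikimedia.org",
              "https://en.wikipedia.org.attacker.example",
              "https://evilwikimedia.org",
              "null"]:
        print(f"{o:45} weak={weak_origin_allowed(o)!s:5} "
              f"strict={strict_origin_allowed(o)}")
```

The substring check and the anchored check agree on the legitimate origins and differ exactly on the two crafted ones; the difference is the whole of the bug class described in the announcement.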
