Message-ID: <Pine.LNX.4.64.1501031731400.1923@beijing.mitre.org>
Date: Sat, 3 Jan 2015 17:37:48 -0500 (EST)
From: cve-assign@...re.org
To: Salvatore Bonaccorso <carnil@...ian.org>
cc: oss-security@...ts.openwall.com, CVE Assignments MITRE <cve-assign@...re.org>
Subject: Re: CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23

On Tue, 30 Dec 2014, Salvatore Bonaccorso wrote:

> Hi,
>
> On Sun, Dec 21, 2014 at 01:39:50PM +0100, Salvatore Bonaccorso wrote:
>> Hi
>>
>> New security releases for Mediawiki (1.24.1, 1.23.8, 1.22.15 and 1.19.23) were
>> announced:
>>
>> https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
>>
>>> == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
>>> * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
>>> which could lead to XSS. Permission to edit MediaWiki namespace is required
>>> to exploit this.
>>> * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
>>> $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
>>> part of its name.
>>
>> Could CVEs be assigned for these two issues?

CVE-2014-9475 - bug T76686
CVE-2014-9476 - bug T77028

The same advisory also lists multiple issues in extensions:

CVE-2014-9477 - bug T77624 / Extension:Listings
CVE-2014-9478 - bug T73111 / Extension:ExpandTemplates
CVE-2014-9479 - bug T76195 / Extension:TemplateSandbox
CVE-2014-9480 - bug T69180 / Extension:Hovercards
CVE-2014-9481 - bug T73167 / Extension:Scribunto
CVE-2014-9487 [sic] - bug T71209 / Extension:TimedMediaHandler

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
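The second quoted fix (bug T77028) describes an allowed domain that is honoured when it merely appears as part of the requesting site's name. As an added illustration of that mistake class, not MediaWiki's code and not part of this message, the following constructed example puts a substring-style origin check beside an exact host-match check; the allowlist names and Origin values are made up.

```python
"""Origin allowlist checks: a substring match beside an exact host match.
Constructed example of the bug class behind bug T77028; not MediaWiki code."""
from urllib.parse import urlsplit

# Constructed allowlist, in the spirit of a $wgCrossSiteAJAXdomains-style setting.
ALLOWED_DOMAINS = ["wiki.example", "tools.example"]


def origin_allowed_substring(origin: str, allowed: list[str]) -> bool:
    """Weak check: passes if any allowed name occurs anywhere in the Origin.
    'https://wiki.example.attacker.test' passes just like 'https://wiki.example'."""
    return any(name in origin for name in allowed)


def origin_allowed_exact(origin: str, allowed: list[str]) -> bool:
    """Hardened check: parse the Origin header and compare the host exactly
    (case-insensitively), requiring https and rejecting anything beyond
    scheme://host[:port], which is all a well-formed Origin may carry."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.path or parts.query or parts.fragment or parts.username:
        return False
    host = parts.hostname.lower().rstrip(".")
    return host in {name.lower() for name in allowed}


def cors_headers(origin: str, allowed: list[str], checker) -> dict:
    """CORS response headers a request would receive under the given checker:
    an allowed origin is reflected back, any other origin gets none."""
    if checker(origin, allowed):
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    # Constructed Origin values: one legitimate, two that only contain an allowed name.
    for o in ["https://wiki.example",
              "https://wiki.example.attacker.test",
              "https://attacker.test/?x=wiki.example"]:
        print(o,
              "substring:", origin_allowed_substring(o, ALLOWED_DOMAINS),
              "exact:", origin_allowed_exact(o, ALLOWED_DOMAINS))
```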