Date: Wed, 25 Jun 2014 17:03:33 -0700
From: Chris Steipp <csteipp@...imedia.org>
To: oss-security@...ts.openwall.com
Subject: Re: MediaWiki releases 1.19.17, 1.21.11, 1.22.8 and 1.23.1

Since the bug is public now
(http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html),
I didn't get a CVE in advance because I thought this was likely a hardening
fix. We couldn't find a way to exploit it to actually track a user on our
site. However, we kept it private until we released the patch, since we
weren't sure it couldn't be exploited on a wiki with non-standard image
handling.

On Wed, Jun 25, 2014 at 4:00 AM, Henri Salo <henri@...v.fi> wrote:

> http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000154.html
>
> """
> this is a notice that on Wednesday, June 25th, between 20:00-22:00 UTC we will
> release security and maintenance updates for all current and supported branches
> of the MediaWiki software. Downloads and patches will be available at that time.
> """
>
> I'm not sure if those vulnerabilities already have CVEs. I asked from Markus G.
>
> Also please note End of lifetime announcement for MediaWiki 1.21
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000153.html
>
> ---
> Henri Salo