Date: Thu, 31 Jul 2014 13:17:33 -0700
From: Chris Steipp <csteipp@...imedia.org>
To: oss-security@...ts.openwall.com
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: Re: Possible CVE Request: MediaWiki Security and
 Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2

On Thu, Jul 31, 2014 at 12:35 PM, Salvatore Bonaccorso
<carnil@...ian.org> wrote:
> Hi
>
> New Security and maintenance releases for mediawiki (1.19.18, 1.22.9
> and 1.23.2) were released:
>
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html
>
> From the announcement, three SECURITY tagged bugs were fixed.
>
> Have CVE assignments for those already been requested, or if not, could
> you assign CVEs for these?

None have been requested or assigned.

* (bug 68187) SECURITY: Prepend jsonp callback with comment.
** This was hardening against CVE-2014-4671, I don't think CVEs are
being assigned for these?

* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the
URL used for loading a new page in JavaScript, instead of relying on
the URL in the link that has been clicked.
** Standard DOM XSS. Credit goes to Michael M.

* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage
and ParserOutput.
** This probably should get a CVE, since downstreams will all want to
patch this. We prevent iframing certain pages to prevent clickjacking
/ redressing attacks, but when those pages were transcluded into
non-protected pages, the resulting page could be iframed. Credit goes
to Kevin Israel.


>
> Regards,
> Salvatore
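The bug 65778 case above, as an added Python model of the flag propagation (not MediaWiki's PHP code, and not from either poster): a page's own clickjacking protection was always honored, but the flag set on a transcluded fragment's parser output was dropped before the fix, so the combined page shipped without X-Frame-Options. Class and function names (ParserOutput, OutputPage, render, response_is_frameable) are assumed for the illustration.

```python
"""Constructed model of the bug 65778 fix: frame protection must survive transclusion."""
from dataclasses import dataclass, field


@dataclass
class ParserOutput:
    """Rendered fragment plus the metadata flag a protected page sets on it."""
    html: str
    prevent_clickjacking: bool = False


@dataclass
class OutputPage:
    """Accumulates fragments and decides the response headers for the whole page."""
    fragments: list = field(default_factory=list)
    prevent_clickjacking: bool = False

    def add_parser_output(self, po: ParserOutput, copy_flag: bool) -> None:
        self.fragments.append(po.html)
        # The fix: copy prevent-clickjacking from ParserOutput to OutputPage.
        # Before the fix (copy_flag=False) the fragment's flag was silently lost.
        if copy_flag and po.prevent_clickjacking:
            self.prevent_clickjacking = True

    def frame_headers(self) -> dict:
        # Modeled policy: a protected page refuses to be framed at all.
        return {"X-Frame-Options": "DENY"} if self.prevent_clickjacking else {}


def render(own: ParserOutput, transcluded: list, fixed: bool) -> dict:
    """Build a page from its own output plus transcluded fragments; return headers."""
    out = OutputPage()
    out.prevent_clickjacking = own.prevent_clickjacking  # direct view: always honored
    for po in transcluded:
        out.add_parser_output(po, copy_flag=fixed)
    return out.frame_headers()


def response_is_frameable(headers: dict) -> bool:
    """Defender check: True when nothing in the headers forbids cross-site framing."""
    value = headers.get("X-Frame-Options", "").strip().upper()
    return value not in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    protected = ParserOutput("<form>preferences</form>", prevent_clickjacking=True)
    host = ParserOutput("<p>ordinary article</p>")
    for fixed in (False, True):
        hdrs = render(host, [protected], fixed=fixed)
        print(f"fixed={fixed}: headers={hdrs} frameable={response_is_frameable(hdrs)}")
```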
