Date: Thu, 14 Aug 2014 04:12:40 -0400 (EDT)
From: cve-assign@...re.org
To: csteipp@...imedia.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> * (bug 68187) SECURITY: Prepend jsonp callback with comment.
> ** This was hardening against CVE-2014-4671, I don't think CVEs are
> being assigned for these?

Use CVE-2014-5241.

[ Related discussion:

  > From: Salvatore Bonaccorso <carnil@...ian.org>
  > Date: Sat, 2 Aug 2014 07:47:56 +0200

  > There was at last CVE-2014-1546 assigned in bugzilla for this
  > (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1546). So a
  > CVE might also be assigned for this.

  Yes, a product with an affected JSONP endpoint can have its own
  individual CVE ID. It is also possible that the vendor of a
  JSONP endpoint has determined that a successful attack is entirely
  the fault of the SWF parser, and does not want to have a CVE ID.
  This might, hypothetically, occur if the JSONP response from a
  product is always noncompliant SWF data, but some SWF parsers accept
  it anyway. ]


> * (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the
> URL used for loading a new page in JavaScript, instead of relying on
> the URL in the link that has been clicked.
> ** Standard DOM XSS. Credit goes to Michael M.

Use CVE-2014-5242.


> * (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage
> and ParserOutput.
> ** This probably should get a CVE, since downstreams will all want to
> patch this. We prevent iframing certain pages to prevent clickjacking
> / redressing attacks, but when those pages were transcluded into
> non-protected pages, the resulting page could be iframed. Credit goes
> to Kevin Israel.

Use CVE-2014-5243.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT7G8NAAoJEKllVAevmvmsZagH/3tDEp3tiZaGWLs8CG4Ul2vg
Vgak1YxgAkTe7zQkl5dwTYjSVPUFenV7ig+8HokEepK3gf5tO1hQw7tgAshyR4cz
MsOCq4VJ3YD8/KwS1GNJPoarMlbbAQrNztudD5Rz3zBywMHiOgq2ZWhYro7cQhKD
68+jEunzEmFwOsdHlMXKNKO7aFlyheX7LcaTyALPRwKBrtP2NWXLqDLInK44CX4x
CfvRUOQdjFBbNVJJEsubm5y+plqTqHtHQC5DcG8nihlYrCDvG4bmB6pIy/CEHQQU
4k0IpSBs2KLbLzWG5073hAfm0FbjkJNL8MJQIXRPfmIZevZIwz74i0vDgM1bjuc=
=L99h
-----END PGP SIGNATURE-----
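The first item above (bug 68187, hardening against CVE-2014-4671) is about a JSONP response whose first bytes are the caller-chosen callback name, which a lenient SWF parser may accept as a Flash file. The following Python model, added here as an illustration and not MediaWiki's or MITRE's code, shows the unhardened response beside the hardened one (callback validated, comment prepended) and a defender-side check for whether a body begins with an SWF magic. The callback grammar, the function names and the sample callback string are assumptions constructed for the example.

```python
import json
import re

# Assumed callback grammar: a dotted JavaScript identifier and nothing else.
_CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)

# Byte signatures a Flash player expects at offset 0 of an SWF file:
# uncompressed, zlib-compressed and LZMA-compressed respectively.
_SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def jsonp_body_before(callback: str, payload: dict) -> bytes:
    """Unhardened JSONP: the response starts with the caller-supplied name."""
    return (callback + "(" + json.dumps(payload) + ")").encode("utf-8")


def jsonp_body_after(callback: str, payload: dict) -> bytes:
    """Hardened JSONP: reject odd callback names and prepend a comment so the
    first bytes of the body are never under the caller's control."""
    if not _CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name: %r" % callback)
    return b"/**/" + jsonp_body_before(callback, payload)


def starts_like_swf(body: bytes) -> bool:
    """Detection check: would a lenient SWF parser see a file header here?"""
    return body[:3] in _SWF_MAGIC


def is_hardened_jsonp(body: bytes) -> bool:
    """Audit helper for captured responses: comment prefix present and no
    SWF magic at offset 0."""
    return body.startswith(b"/**/") and not starts_like_swf(body)


# Constructed sample: a syntactically valid callback identifier whose first
# three letters equal an SWF magic value. No real SWF data is involved.
SAMPLE_PAYLOAD = {"query": {"pages": {}}}
SAMPLE_CALLBACK = "CWSexampleCallback"


if __name__ == "__main__":
    before = jsonp_body_before(SAMPLE_CALLBACK, SAMPLE_PAYLOAD)
    after = jsonp_body_after(SAMPLE_CALLBACK, SAMPLE_PAYLOAD)
    print("before:", before[:24], "swf-like:", starts_like_swf(before))
    print("after: ", after[:24], "swf-like:", starts_like_swf(after))
```

The comment prefix is what matters: even a callback name that passes the identifier check can begin with "CWS" or "FWS", so validation alone does not remove the risk, whereas four fixed leading bytes do. The audit helper is the kind of check one can run over recorded API responses to confirm an endpoint carries the hardening.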

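The third item above (bug 65778) describes a flag that was set on the output page for certain pages but was lost when such a page was transcluded into an unprotected one. The following Python model, added here as an illustration and not MediaWiki's own code, shows a minimal parser with template-style transclusion in which the prevent-clickjacking flag either stays on the directly requested page only (the pre-fix behaviour) or travels with the parsed content and is copied into the output page, where it becomes an X-Frame-Options header. The page store, class shapes and function names are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed page store: title -> (wikitext, page must not be framed).
# "{{Title}}" transcludes another page, in the manner of MediaWiki templates.
PAGES = {
    "Login form": ("Enter your credentials here.", True),
    "Help": ("General help text.", False),
    "Help with login": ("See {{Login form}} for details.", False),
}

TRANSCLUSION = re.compile(r"\{\{([^{}]+)\}\}")
MAX_DEPTH = 8  # guard against transclusion loops in the toy store


@dataclass
class ParserOutput:
    html: str = ""
    prevent_clickjacking: bool = False


@dataclass
class OutputPage:
    html: str = ""
    prevent_clickjacking: bool = False

    def add_parser_output(self, po: ParserOutput) -> None:
        # The fix: the flag is copied from ParserOutput into OutputPage,
        # so it survives whatever route the content took to get here.
        self.html += po.html
        if po.prevent_clickjacking:
            self.prevent_clickjacking = True

    def frame_headers(self) -> dict:
        return {"X-Frame-Options": "DENY"} if self.prevent_clickjacking else {}


def parse(title: str, fixed: bool, depth: int = 0) -> ParserOutput:
    """Render a page, expanding transclusions recursively."""
    if depth > MAX_DEPTH:
        raise RecursionError("transclusion too deep: %r" % title)
    wikitext, protected = PAGES[title]
    po = ParserOutput(prevent_clickjacking=protected)
    pos = 0
    for m in TRANSCLUSION.finditer(wikitext):
        po.html += wikitext[pos:m.start()]
        inner = parse(m.group(1), fixed, depth + 1)
        po.html += inner.html
        # Pre-fix behaviour: the transcluded page's flag is dropped, so the
        # combined page is frameable even though it contains protected content.
        if fixed:
            po.prevent_clickjacking |= inner.prevent_clickjacking
        pos = m.end()
    po.html += wikitext[pos:]
    return po


def render(title: str, fixed: bool) -> OutputPage:
    out = OutputPage()
    out.add_parser_output(parse(title, fixed))
    return out


if __name__ == "__main__":
    for fixed in (False, True):
        page = render("Help with login", fixed)
        print("fixed=%s headers=%s" % (fixed, page.frame_headers()))
```

The point to verify in a deployment is the combined case: a page that is not itself protected but embeds protected content must still be served with the anti-framing header, which is exactly what the pre-fix branch fails to do.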