Date: Thu, 14 Aug 2014 04:12:40 -0400 (EDT)
Subject: Re: Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2


> * (bug 68187) SECURITY: Prepend jsonp callback with comment.
> ** This was hardening against CVE-2014-4671, I don't think CVEs are
> being assigned for these?

Use CVE-2014-5241.

[ Related discussion:

  > From: Salvatore Bonaccorso <>
  > Date: Sat, 2 Aug 2014 07:47:56 +0200

  > There was at last CVE-2014-1546 assigned in bugzilla for this
  > ( So a
  > CVE might also be assigned for this.

  Yes, a product with an affected JSONP endpoint can have its own
  individual CVE ID. It is also possible that the vendor of a
  JSONP endpoint has determined that a successful attack is entirely
  the fault of the SWF parser, and does not want to have a CVE ID.
  This might, hypothetically, occur if the JSONP response from a
  product is always noncompliant SWF data, but some SWF parsers accept
  it anyway. ]

> * (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the
> URL used for loading a new page in JavaScript, instead of relying on
> the URL in the link that has been clicked.
> ** Standard DOM XSS. Credit goes to Michael M.

Use CVE-2014-5242.

> * (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage
> and ParserOutput.
> ** This probably should get a CVE, since downstreams will all want to
> patch this. We prevent iframing certain pages to prevent clickjacking
> / redressing attacks, but when those pages were transcluded into
> non-protected pages, the resulting page could be iframed. Credit goes
> to Kevin Israel.

Use CVE-2014-5243.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
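An added illustration of the first item above (the bug 68187 hardening that became CVE-2014-5241), not code from MediaWiki or from anyone in this thread. A SWF file begins with one of the magic strings "FWS", "CWS" or "ZWS". A JSONP response begins with the caller-chosen callback name, so without a prefix an attacker who controls the callback also controls the first bytes of the body, which is what CVE-2014-4671 (Rosetta Flash) exploits. Prepending a JavaScript comment means the body can never begin with a SWF signature. The callback-name policy, the sample callback, the sample data and the header set are assumptions constructed for this example.

```javascript
// Added example, not MediaWiki's code: JSONP output before and after the
// "prepend a comment" hardening, plus a check for the SWF magic bytes.

const SWF_MAGIC = ['FWS', 'CWS', 'ZWS'];

// Assumed callback-name policy for this example: dotted JavaScript
// identifiers only, length-limited. This alone does NOT stop the SWF
// trick, because "CWS..." is a perfectly valid identifier.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Pre-hardening shape: the callback name is the very first byte of the body.
function jsonpUnhardened(callback, data) {
  if (!isSafeCallbackName(callback)) throw new Error('rejected callback name');
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened shape: a leading comment is a no-op for a JavaScript engine,
// but "/**/" is never a SWF header, whatever the callback name is.
function jsonpHardened(callback, data) {
  if (!isSafeCallbackName(callback)) throw new Error('rejected callback name');
  return `/**/${callback}(${JSON.stringify(data)});`;
}

// Does a response body start with a SWF signature a Flash parser may accept?
function looksLikeSwf(body) {
  return SWF_MAGIC.some((magic) => body.startsWith(magic));
}

// Assumed companion headers for a JSONP endpoint (defence in depth; this is
// not a quote of MediaWiki's configuration).
function jsonpHeaders() {
  return {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'attachment; filename="api-result.js"',
  };
}

// Constructed sample: a syntactically valid callback name whose first three
// bytes are a SWF magic string (a real Rosetta Flash payload is a complete
// alphanumeric SWF; the prefix is enough to show the point).
const ATTACKER_CALLBACK = 'CWSattackerControlledCallback';

// Constructed sample payload, shaped like an API result.
const SAMPLE_DATA = { query: { userinfo: { id: 0, name: '127.0.0.1' } } };

function demo() {
  const before = jsonpUnhardened(ATTACKER_CALLBACK, SAMPLE_DATA);
  const after = jsonpHardened(ATTACKER_CALLBACK, SAMPLE_DATA);
  return {
    before,
    after,
    beforeIsSwf: looksLikeSwf(before), // true: body starts with "CWS"
    afterIsSwf: looksLikeSwf(after),   // false: body starts with "/**/"
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log(`unhardened body starts with SWF magic: ${r.beforeIsSwf}`);
  console.log(`hardened body starts with SWF magic:   ${r.afterIsSwf}`);
}
```

The comment prefix is the fix this thread is about; the identifier whitelist and the nosniff/attachment headers are the usual additional layers and are shown here only so the example reflects what a hardened endpoint normally does.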

