Date: Tue, 30 Dec 2014 05:25:38 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: Re: CVE Request: Mediawiki security releases 1.24.1, 1.23.8, 1.22.15 and 1.19.23

Hi,

On Sun, Dec 21, 2014 at 01:39:50PM +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> New security releases for Mediawiki (1.24.1, 1.23.8, 1.22.15 and 1.19.23) were
> announced:
> 
> https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
> 
> > == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
> > * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
> >   which could lead to xss. Permission to edit MediaWiki namespace is required
> >   to exploit this.
> > * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
> >   $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
> >   part of its name.
> 
> Could CVEs be assigned for these two issues?
> 
> References:
> 
>  * https://phabricator.wikimedia.org/T76686 (not accessible atm)
>  * https://phabricator.wikimedia.org/T77028 (seems to be only affecting
>    1.20 and above)
>  * https://bugzilla.redhat.com/show_bug.cgi?id=1175828

Could CVEs be assigned to reference these MediaWiki issues?

Regards,
Salvatore
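The second advisory item above (T77028) describes an allow-list that accepted an origin merely because it contained an allowed domain somewhere in its name. As an added illustration that is not MediaWiki's code, the constructed Python below puts that weak substring check beside a strict one that parses the Origin header and compares scheme and host exactly; the allow-list entries and the `*.` wildcard form are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example; not a real MediaWiki configuration.
ALLOWED_ORIGINS = ["https://example.org", "https://*.example.org"]


def weak_origin_allowed(origin: str, allowed=ALLOWED_ORIGINS) -> bool:
    """Weak form: allow if any listed host appears anywhere inside the Origin host.

    This is the bug class described in the advisory: an origin such as
    https://example.org.attacker.net passes because it *contains* example.org.
    """
    host = urlsplit(origin).netloc.lower()
    for entry in allowed:
        listed_host = urlsplit(entry).netloc.lower().removeprefix("*.")
        if listed_host in host:
            return True
    return False


def strict_origin_allowed(origin: str, allowed=ALLOWED_ORIGINS) -> bool:
    """Strict form: scheme must match and host must equal an entry exactly,
    or (for an assumed '*.' entry) end with '.' + the entry's base domain."""
    parts = urlsplit(origin)
    # A valid Origin is scheme://host[:port] with nothing else; "null" and
    # anything carrying a path, query or fragment is rejected outright.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    host = parts.netloc.lower()
    for entry in allowed:
        listed = urlsplit(entry)
        if listed.scheme != parts.scheme:
            continue
        listed_host = listed.netloc.lower()
        if listed_host.startswith("*."):
            suffix = listed_host[1:]          # "*.example.org" -> ".example.org"
            if host.endswith(suffix):         # the dot stops "notexample.org"
                return True
        elif host == listed_host:
            return True
    return False


if __name__ == "__main__":
    for o in ("https://example.org", "https://api.example.org",
              "https://example.org.attacker.net", "https://notexample.org", "null"):
        print(f"{o:40} weak={weak_origin_allowed(o)!s:5} strict={strict_origin_allowed(o)}")
```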
