Date: Tue, 29 Nov 2011 14:23:30 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Hanno Böck <hanno@...eck.de>
Subject: Re: CVE request: mediawiki before 1.17.1

On 11/29/2011 03:12 AM, Hanno Böck wrote:
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html
>
> From announce mail:
>
> -------------
> I would like to announce the release of MediaWiki 1.17.1. Two security
> issues were discovered.
>
> Alexandre Emsenhuber discovered an issue where page titles on private
> wikis could be exposed bypassing different page ids to index.php. In the
> case of the user not having correct permissions, they will now be
> redirected to Special:BadTitle.
>
> For more details, see
> https://bugzilla.wikimedia.org/show_bug.cgi?id=32276

Please use CVE-2011-4360 for this issue.

> The second issue was found by Tim Starling, who discovered that
> action=ajax requests were dispatched to the relevant function without
> any read permission checks being done. This could have led to data
> leakage on private wikis.
>
> For more details, see
> https://bugzilla.wikimedia.org/show_bug.cgi?id=32616

Please use CVE-2011-4361 for this issue.

> ------------------------
>
> Please assign two CVEs.
>

--

-Kurt Seifried / Red Hat Security Response Team