Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 28 Feb 2014 18:25:22 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE requests: MediaWiki 1.22.3, 1.21.6 and 1.19.12 release

Good morning,

As noted in https://bugs.gentoo.org/show_bug.cgi?id=503012 a few 
security bugs are fixed in the 1.22.3, 1.21.6 and 1.19.12 MediaWiki release:

http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html

Can CVEs be assigned to the following (if they are all CVE worthy)?

https://bugzilla.redhat.com/show_bug.cgi?id=1071135
The MediaWiki 1.22.3, 1.21.6 and 1.19.12 release announcement notes:

* (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted
   namespaces. Also disallow iframe elements. User will get an error
   including the namespace name if they use a non- whitelisted namespace.

An attacker could perform cross-site scripting attacks by uploading 
crafted SVG images.

The versions of MediaWiki in Fedora and EPEL 6 are affected. I have not 
tested EPEL 5.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=60771
https://gerrit.wikimedia.org/r/#/q