Date: Fri, 28 Feb 2014 18:25:22 +1100
From: Murray McAllister <>
Subject: CVE requests: MediaWiki 1.22.3, 1.21.6 and 1.19.12 release

Good morning,

As noted in a few 
security bugs are fixed in the 1.22.3, 1.21.6 and 1.19.12 MediaWiki release:

Can CVEs be assigned to the following (if they are all CVE worthy)?
The MediaWiki 1.22.3, 1.21.6 and 1.19.12 release announcement notes:

* (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted
   namespaces. Also disallow iframe elements. User will get an error
   including the namespace name if they use a non-whitelisted namespace.

An attacker could perform cross-site scripting attacks by uploading 
crafted SVG images.

The versions of MediaWiki in Fedora and EPEL 6 are affected. I have not 
tested EPEL 5.
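
The upload check described in the release note, sketched as an added example that is not part of the original message and is not MediaWiki's code. The allowlist contents, function names and sample inputs are assumptions constructed for illustration; it checks namespaces in use on elements and attributes and reports the offending namespace name.

```python
import xml.etree.ElementTree as ET

# Assumed allowlist for illustration; not MediaWiki's actual list.
ALLOWED_NAMESPACES = {
    "",  # elements or attributes with no namespace
    "http://www.w3.org/2000/svg",
    "http://www.w3.org/1999/xlink",
    "http://www.w3.org/XML/1998/namespace",
}

# Constructed sample inputs (not taken from the advisory).
GOOD = b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="#x"><rect width="1" height="1"/></a></svg>'
FOREIGN_NS = b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:h="http://www.w3.org/1999/xhtml"><h:div/></svg>'
IFRAME = b'<svg xmlns="http://www.w3.org/2000/svg"><iframe/></svg>'

def split_qname(qname):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if qname.startswith("{"):
        ns, _, local = qname[1:].partition("}")
        return ns, local
    return "", qname

def check_svg_upload(data):
    """Return (ok, reason) for an uploaded SVG given as bytes."""
    # Simple guard for ASCII-compatible encodings: refuse any DTD up front.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    for elem in root.iter():
        ns, local = split_qname(elem.tag)
        if ns not in ALLOWED_NAMESPACES:
            return False, f"namespace not allowed: {ns}"
        if local.lower() == "iframe":  # rejected in any namespace
            return False, "iframe element not allowed"
        for attr in elem.attrib:
            attr_ns, _ = split_qname(attr)
            if attr_ns not in ALLOWED_NAMESPACES:
                return False, f"namespace not allowed: {attr_ns}"
    return True, "ok"

if __name__ == "__main__":
    for sample in (GOOD, FOREIGN_NS, IFRAME):
        print(check_svg_upload(sample))
```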