Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 14 Aug 2014 04:12:40 -0400 (EDT)
Subject: Re: Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2

Hash: SHA1

> * (bug 68187) SECURITY: Prepend jsonp callback with comment.
> ** This was hardening against CVE-2014-4671, I don't think CVEs are
> being assigned for these?

Use CVE-2014-5241.

[ Related discussion:

  > From: Salvatore Bonaccorso <>
  > Date: Sat, 2 Aug 2014 07:47:56 +0200

  > There was at last CVE-2014-1546 assigned in bugzilla for this
  > ( So a
  > CVE might also be assigned for this.

  Yes, a product with an affected JSONP endpoint can have its own
  individual CVE ID. It is also possible that the vendor of a
  JSONP endpoint has determined that a successful attack is entirely
  the fault of the SWF parser, and does not want to have a CVE ID.
  This might, hypothetically, occur if the JSONP response from a
  product is always noncompliant SWF data, but some SWF parsers accept
  it anyway. ]

> * (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the
> URL used for loading a new page in Javascript,instead of relying on
> the URL in the link that has been clicked.
> ** Standard Dom XSS. Credit goes to Michael M.

Use CVE-2014-5242.

> * (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage
> and ParserOutput.
> ** This probably should get a CVE, since downstreams will all want to
> patch this. We prevent iframing certain pages to prevent clickjacking
> / redressing attacks, but when those pages were transcluded into
> non-protected pages, the resulting page could be iframed. Credit goes
> to Kevin Israel.

Use CVE-2014-5243.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.