Date: Sat, 3 Jan 2015 17:37:48 -0500 (EST)
From: cve-assign@...re.org
To: Salvatore Bonaccorso <carnil@...ian.org>
cc: oss-security@...ts.openwall.com,
        CVE Assignments MITRE <cve-assign@...re.org>
Subject: Re: CVE Request: Mediawiki security releases 1.24.1,
 1.23.8, 1.22.15 and 1.19.23


On Tue, 30 Dec 2014, Salvatore Bonaccorso wrote:

> Hi,
>
> On Sun, Dec 21, 2014 at 01:39:50PM +0100, Salvatore Bonaccorso wrote:
>> Hi
>>
>> New security releases for Mediawiki (1.24.1, 1.23.8, 1.22.15 and 1.19.23) were
>> announced:
>>
>> https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html
>>
>>> == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
>>> * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
>>>   which could lead to XSS. Permission to edit MediaWiki namespace is required
>>>   to exploit this.
>>> * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
>>>   $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
>>>   part of its name.
>>
>> Could CVEs be assigned for these two issues?

CVE-2014-9475 - bug T76686

CVE-2014-9476 - bug T77028

The same advisory also lists multiple issues in extensions:

CVE-2014-9477 - bug T77624 / Extension:Listings

CVE-2014-9478 - bug T73111 / Extension:ExpandTemplates

CVE-2014-9479 - bug T76195 / Extension:TemplateSandbox

CVE-2014-9480 - bug T69180 / Extension:Hovercards

CVE-2014-9481 - bug T73167 / Extension:Scribunto

CVE-2014-9487 [sic] - bug T71209 / Extension:TimedMediaHandler

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
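The CORS issue in the second quoted bullet (bug T77028) is a host-matching mistake: an allowed domain is accepted when it merely appears somewhere inside the requesting origin. The Python below is an added illustration of that bug class beside an exact-host check; it is not MediaWiki's code, the allow-list values are constructed, and the wildcard handling is an assumption rather than a description of how $wgCrossSiteAJAXdomains is interpreted.

```python
from urllib.parse import urlsplit

# Constructed allow-list in the spirit of a $wgCrossSiteAJAXdomains setting
# (hypothetical values, not taken from the advisory).
ALLOWED_DOMAINS = ["wiki.example.org", "*.example.org"]


def origin_allowed_weak(origin: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Weak check: an allowed domain found anywhere in the Origin string counts.

    This is the class of bug the advisory describes: a third-party origin that
    merely contains an allowed name (as a prefix, a label, or a query string)
    is treated as trusted.
    """
    return any(d.lstrip("*.") in origin for d in allowed)


def origin_allowed_strict(origin: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Hardened check: parse the Origin header and compare the whole host.

    An exact entry must equal the host; a '*.' entry (assumed semantics) must
    match as a dot-delimited suffix with at least one label in front of it, so
    'wiki.example.org.attacker.test' and 'evilexample.org' are both rejected.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # e.g. the literal Origin value "null", or garbage
    host = parts.hostname.lower()
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.org"
            if host.endswith(suffix) and host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    # Constructed Origin header values exercising both checks.
    for origin in ["https://wiki.example.org",
                   "https://docs.example.org",
                   "https://wiki.example.org.attacker.test",
                   "https://evilexample.org",
                   "null"]:
        print(f"{origin:45} weak={origin_allowed_weak(origin)!s:5} "
              f"strict={origin_allowed_strict(origin)}")
```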