Bugtraq mailing list archives
[SECURITY] [DSA 2957-1] mediawiki security update
From: Thijs Kinkhorst <thijs () debian org>
Date: Thu, 12 Jun 2014 19:59:07 +0200 (CEST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2957-1 security () debian org http://www.debian.org/security/ Thijs Kinkhorst June 12, 2014 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mediawiki CVE ID : CVE-2014-3966 Omer Iqbal discovered that Mediawiki, a wiki engine, parses invalid usernames on Special:PasswordReset as wikitext when $wgRawHtml is enabled. On such wikis this allows an unauthenticated attacker to insert malicious JavaScript, a cross site scripting attack. For the stable distribution (wheezy), this problem has been fixed in version 1:1.19.16+dfsg-0+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 1:1.19.16+dfsg-1. We recommend that you upgrade your mediawiki packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce () lists debian org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTmepHAAoJEFb2GnlAHawEavwIAJkzlhN+jnjfD9kg3xyV5sZm lAZ2Tlwh4KzR9EzF/m3QWPgIRfU8PlUH64tevqDAH4Koh7nhFIPspszcxMYyN5pB O2vXxVavjE57lsmJ0BJC5xfp+Tj4vcnVha59oqChSGV4ag3m4eT2kEi3Yg/39Lrr LtlhfFjGl5fi+p8T0mHZW+imL2GSH8j00EbYLeXvpxDVqdzBc5Rs+niplpV8+jj8 QVk24RF8DmEfSL99kUytaETxNkondKco6qLa0dNGkflairzvDfsoggOctFMpoqfg bEHf1lrG5d/MFUAlEloqewancu9vw3adZan7GcWQF9FEIWWpgvJvHNKeoX15Fy4= =unYD -----END PGP SIGNATURE-----
Current thread:
- [SECURITY] [DSA 2957-1] mediawiki security update Thijs Kinkhorst (Jun 13)