oss-sec mailing list archives
Re: Mediawiki CVE request ( was Fw: [MediaWiki-announce] MediaWiki Security Release: 1.20.5 and 1.19.6)
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 01 May 2013 12:00:48 -0600
On 05/01/2013 01:42 AM, Hanno Böck wrote:
Two CVEs for mediawiki please.
Thanks, Mediawiki guys, please feel free to request these in advance. http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
Begin forwarded message:

Date: Tue, 30 Apr 2013 13:14:43 -0700
From: Chris Steipp <csteipp () wikimedia org>
To: mediawiki-announce () lists wikimedia org, MediaWiki-l <mediawiki-l () lists wikimedia org>, Wikimedia developers <wikitech-l () lists wikimedia org>
Subject: [MediaWiki-announce] MediaWiki Security Release: 1.20.5 and 1.19.6

I would like to announce the release of MediaWiki 1.20.5 and 1.19.6. These releases fix 2 security related issues that could affect users of MediaWiki. Download links are given at the end of this email.

* Jan Schejbal / Hatforce.com reported that SVG script filtering could be bypassed for Chrome and Firefox clients by using an encoding that MediaWiki understood, but these browsers interpreted as UTF-8. <https://bugzilla.wikimedia.org/show_bug.cgi?id=47304>
Please use CVE-2013-2031 for this issue.
* Internal review discovered that extensions were not given the opportunity to disable a password reset, which could lead to circumvention of two-factor authentication. <https://bugzilla.wikimedia.org/show_bug.cgi?id=46590>
Please use CVE-2013-2032 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
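
The SVG issue in the forwarded announcement comes from the filter and the browser decoding the same bytes differently. The following is an added example, not MediaWiki's code or its actual fix: an upload-side check that refuses any SVG whose encoding is not one both sides are assumed to decode identically. The allowlist contents, the function names and the sample inputs are assumptions constructed for this sketch.

```python
import codecs
import re

# Assumption for this sketch: the only encodings the server-side filter and
# browsers are both trusted to decode identically.
ALLOWED = {"utf-8", "utf-16"}
BOMS = [(codecs.BOM_UTF8, "utf-8"),
        (codecs.BOM_UTF16_LE, "utf-16"),
        (codecs.BOM_UTF16_BE, "utf-16")]
XML_DECL = re.compile(
    r'^<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z][A-Za-z0-9._-]*)["\']')

def declared_encoding(data: bytes):
    """Return (bom_encoding, declared_encoding); either may be None."""
    bom = next((name for mark, name in BOMS if data.startswith(mark)), None)
    head = data[:256].decode(bom or "latin-1", errors="replace").lstrip("\ufeff")
    match = XML_DECL.match(head)
    return bom, (match.group(1).lower() if match else None)

def check_svg_encoding(data: bytes):
    """Return (ok, reason); reject uploads whose decoding is ambiguous."""
    bom, declared = declared_encoding(data)
    effective = declared or bom or "utf-8"  # XML default is UTF-8
    if effective not in ALLOWED:
        return False, f"encoding {effective!r} is not in the allowlist"
    if bom and declared and bom != declared:
        return False, f"BOM indicates {bom!r}, declaration says {declared!r}"
    if effective != "utf-16" and b"\x00" in data:
        return False, "NUL bytes in a document that is not UTF-16"
    try:
        data.decode(effective)
    except UnicodeDecodeError:
        return False, f"bytes are not valid {effective!r}"
    return True, f"consistent {effective!r}"

# Constructed samples (no script content); UTF-7 stands in for "an encoding
# the server can decode but a browser ignores". The page does not name one.
SVG = b'<svg xmlns="http://www.w3.org/2000/svg"/>'
SAMPLES = {
    "utf8-declared": b'<?xml version="1.0" encoding="UTF-8"?>' + SVG,
    "no-declaration": SVG,
    "utf7-declared": b'<?xml version="1.0" encoding="UTF-7"?>' + SVG,
    "bom-mismatch": codecs.BOM_UTF8 + b'<?xml version="1.0" encoding="UTF-16"?>' + SVG,
    "invalid-utf8": b'<svg>\xff</svg>',
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_svg_encoding(blob))
```

The check only establishes which decoding the script filter must use; the filter itself still has to run on the text decoded that way.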