oss-sec mailing list archives
Re: Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2
From: cve-assign () mitre org
Date: Thu, 14 Aug 2014 04:12:40 -0400 (EDT)
* (bug 68187) SECURITY: Prepend jsonp callback with comment.
** This was hardening against CVE-2014-4671, I don't think CVEs are being assigned for these?
Use CVE-2014-5241.

[ Related discussion:

> From: Salvatore Bonaccorso <carnil () debian org>
> Date: Sat, 2 Aug 2014 07:47:56 +0200

> There was at last CVE-2014-1546 assigned in bugzilla for this
> (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1546). So a
> CVE might also be assigned for this.

Yes, a product with an affected JSONP endpoint can have its own individual CVE ID. It is also possible that the vendor of a JSONP endpoint has determined that a successful attack is entirely the fault of the SWF parser, and does not want to have a CVE ID. This might, hypothetically, occur if the JSONP response from a product is always noncompliant SWF data, but some SWF parsers accept it anyway.
]
* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in Javascript, instead of relying on the URL in the link that has been clicked.
** Standard DOM XSS. Credit goes to Michael M.
Use CVE-2014-5242.
* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
** This probably should get a CVE, since downstreams will all want to patch this. We prevent iframing certain pages to prevent clickjacking / redressing attacks, but when those pages were transcluded into non-protected pages, the resulting page could be iframed. Credit goes to Kevin Israel.
Use CVE-2014-5243.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
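
The bug 68187 hardening discussed in the message above, shown as an added example that is not part of the original post and is not MediaWiki's code: a JSONP body built with and without a leading comment, plus checks a defender can run against an endpoint's output. The function names, the callback character set and the `/**/` form of the comment are assumptions (the post only says "comment").

```javascript
// Added illustration, not MediaWiki code. All names here are hypothetical.

// Assumed callback policy: a conservative identifier character set.
const CALLBACK_RE = /^[A-Za-z0-9_.$]+$/;

// Signatures found at offset 0 of SWF files (uncompressed, zlib, LZMA).
const SWF_MAGIC = ['FWS', 'CWS', 'ZWS'];

function checkCallback(callback) {
  if (typeof callback !== 'string' || !CALLBACK_RE.test(callback)) {
    throw new Error('invalid callback name');
  }
  return callback;
}

// Before: the body starts with the caller-supplied callback name.
function jsonpUnhardened(callback, data) {
  return `${checkCallback(callback)}(${JSON.stringify(data)})`;
}

// After: a fixed comment comes first, so byte 0 onward is server-chosen.
function jsonpHardened(callback, data) {
  return `/**/${checkCallback(callback)}(${JSON.stringify(data)})`;
}

// Regression check: do the first bytes change with the callback parameter?
function callerControlsFirstBytes(build) {
  return build('AAAA', {}).slice(0, 4) !== build('BBBB', {}).slice(0, 4);
}

function startsWithSwfMagic(body) {
  return SWF_MAGIC.includes(body.slice(0, 3));
}

// A legitimate <script> consumer is unaffected: the comment is skipped.
function deliveredJson(body, callbackName) {
  let seen;
  new Function(callbackName, body)((arg) => { seen = arg; });
  return JSON.stringify(seen);
}

// Constructed input: a callback that merely begins with an SWF signature.
const cb = 'CWSconstructed';
for (const build of [jsonpUnhardened, jsonpHardened]) {
  const body = build(cb, { ok: true });
  console.log(build.name, JSON.stringify(body.slice(0, 8)),
    'swf-magic:', startsWithSwfMagic(body),
    'caller-controlled:', callerControlsFirstBytes(build));
}
```
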