oss-sec mailing list archives

CVE Request -- MediaWiki - v1.15.2


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 09 Mar 2010 21:46:31 +0100

Hi Steve, vendors,

  MediaWiki upstream has released the latest v1.15.2 version:
    [1] http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html

  fixing two security issues (from upstream advisory):
  a, a CSS validation issue was discovered which allows editors to display
     external images in wiki pages.
  b, a data leakage vulnerability was discovered in thumb.php which affects
     wikis which restrict access to private files using img_auth.php, or
     some similar scheme.

References:
  [2] http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
  [3] http://secunia.com/advisories/38856/
  [4] http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.2.patch.gz

Could you allocate CVE ids for these?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

