oss-sec mailing list archives

Re: Mediawiki CVE request (was Fw: [MediaWiki-announce] MediaWiki Security Release: 1.20.5 and 1.19.6)


From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 01 May 2013 12:00:48 -0600


On 05/01/2013 01:42 AM, Hanno Böck wrote:
Two CVEs for mediawiki please.

Thanks, Mediawiki guys, please feel free to request these in advance.

http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

Begin forwarded message:

Date: Tue, 30 Apr 2013 13:14:43 -0700
From: Chris Steipp <csteipp () wikimedia org>
To: mediawiki-announce () lists wikimedia org, MediaWiki-l <mediawiki-l () lists wikimedia org>, Wikimedia developers <wikitech-l () lists wikimedia org>
Subject: [MediaWiki-announce] MediaWiki Security Release: 1.20.5 and 1.19.6


I would like to announce the release of MediaWiki 1.20.5 and
1.19.6. These releases fix 2 security-related issues that could
affect users of MediaWiki. Download links are given at the end of
this email.

* Jan Schejbal / Hatforce.com reported that SVG script filtering
could be bypassed for Chrome and Firefox clients by using an
encoding that MediaWiki understood, but these browsers interpreted
as UTF-8. <https://bugzilla.wikimedia.org/show_bug.cgi?id=47304>

Please use CVE-2013-2031 for this issue.

* Internal review discovered that extensions were not given the
opportunity to disable a password reset, which could lead to
circumvention of two-factor authentication.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46590>

Please use CVE-2013-2032 for this issue.
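As an added illustration of the encoding-confusion class behind the first issue (this is example code, not MediaWiki's own fix): an upload filter that decodes an SVG as its XML declaration says, while the browser falls back to UTF-8, scans different text than the browser renders. The check below refuses any SVG whose byte-order mark, declared encoding, or raw bytes disagree with UTF-8, so both sides decode the same document; the sample uploads are constructed.

```python
import re

# Byte-order marks and the encoding each identifies (longest prefixes first).
_BOMS = (
    (b"\xef\xbb\xbf", "utf-8"),
    (b"\xff\xfe\x00\x00", "utf-32"),
    (b"\x00\x00\xfe\xff", "utf-32"),
    (b"\xff\xfe", "utf-16"),
    (b"\xfe\xff", "utf-16"),
)

# Encoding pseudo-attribute of the XML declaration, matched on raw bytes (ASCII in a UTF-8 file).
_DECL_RE = re.compile(rb"^\s*<\?xml\b[^>]*?\bencoding\s*=\s*([\"'])([A-Za-z0-9._-]+)\1")

def declared_encoding(head):
    """Return the lower-cased encoding named in the XML declaration, or None."""
    m = _DECL_RE.match(head)
    return m.group(2).decode("ascii").lower() if m else None

def check_svg_encoding(data):
    """Accept an SVG upload only if every encoding signal says UTF-8; return (ok, reason)."""
    for bom, enc in _BOMS:
        if data.startswith(bom):
            if enc != "utf-8":
                return False, f"rejected: {enc} byte-order mark"
            data = data[len(bom):]  # a UTF-8 BOM is fine; drop it before matching
            break
    declared = declared_encoding(data[:1024])
    if declared is not None and declared not in ("utf-8", "utf8"):
        return False, f"rejected: declared encoding {declared!r}"
    try:
        data.decode("utf-8")  # strict: bytes that are not valid UTF-8 fail here
    except UnicodeDecodeError as exc:
        return False, f"rejected: invalid UTF-8 at byte {exc.start}"
    return True, "accepted: unambiguous UTF-8"

# Constructed sample uploads for illustration (not files from the advisory).
SVG_NS = b'xmlns="http://www.w3.org/2000/svg"'
SAMPLES = {
    "plain": b'<?xml version="1.0" encoding="UTF-8"?>\n<svg ' + SVG_NS + b"/>",
    "no_decl": b"<svg " + SVG_NS + b"/>",
    "bom": b"\xef\xbb\xbf<svg " + SVG_NS + b"/>",
    "other_decl": b'<?xml version="1.0" encoding="ISO-8859-1"?>\n<svg ' + SVG_NS + b"/>",
    "utf16": b"\xff\xfe" + "<svg/>".encode("utf-16-le"),
    "bad_bytes": b'<?xml version="1.0" encoding="UTF-8"?>\n<svg>\xff</svg>',
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:>10}: {check_svg_encoding(blob)[1]}")
```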

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993