oss-sec mailing list archives
Re: MediaWiki releases 1.19.17, 1.21.11, 1.22.8 and 1.23.1
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 26 Jun 2014 19:32:38 +0200
On Wed, 25 Jun 2014 17:03:33 -0700 Chris Steipp <csteipp () wikimedia org> wrote:
Since the bug is public now (http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html), I didn't get a CVE in advance because I thought this was likely a hardening fix. We couldn't find a way to exploit it to actually track a user on our site. However, we kept it private until we released the patch, since we weren't sure it couldn't be exploited on a wiki with non-standard image handling.
This is probably another very fundamental question of CVE assignment, but IMHO: "We're not sure if this can be exploited" is certainly worth a CVE. I'd suggest that one gets assigned.
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: BBB51E42