oss-sec mailing list archives

Re: Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2

From: cve-assign () mitre org
Date: Thu, 14 Aug 2014 04:12:40 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* (bug 68187) SECURITY: Prepend jsonp callback with comment.
** This was hardening against CVE-2014-4671, I don't think CVEs are
being assigned for these?


Use CVE-2014-5241.

[ Related discussion:

  > From: Salvatore Bonaccorso <carnil () debian org>
  > Date: Sat, 2 Aug 2014 07:47:56 +0200

  > There was at last CVE-2014-1546 assigned in bugzilla for this
  > (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1546). So a
  > CVE might also be assigned for this.

  Yes, a product with an affected JSONP endpoint can have its own
  individual CVE ID. It is also possible that the vendor of a
  JSONP endpoint has determined that a successful attack is entirely
  the fault of the SWF parser, and does not want to have a CVE ID.
  This might, hypothetically, occur if the JSONP response from a
  product is always noncompliant SWF data, but some SWF parsers accept
  it anyway. ]

* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the
URL used for loading a new page in Javascript,instead of relying on
the URL in the link that has been clicked.
** Standard Dom XSS. Credit goes to Michael M.


Use CVE-2014-5242.

* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage
and ParserOutput.
** This probably should get a CVE, since downstreams will all want to
patch this. We prevent iframing certain pages to prevent clickjacking
/ redressing attacks, but when those pages were transcluded into
non-protected pages, the resulting page could be iframed. Credit goes
to Kevin Israel.


Use CVE-2014-5243.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT7G8NAAoJEKllVAevmvmsZagH/3tDEp3tiZaGWLs8CG4Ul2vg
Vgak1YxgAkTe7zQkl5dwTYjSVPUFenV7ig+8HokEepK3gf5tO1hQw7tgAshyR4cz
MsOCq4VJ3YD8/KwS1GNJPoarMlbbAQrNztudD5Rz3zBywMHiOgq2ZWhYro7cQhKD
68+jEunzEmFwOsdHlMXKNKO7aFlyheX7LcaTyALPRwKBrtP2NWXLqDLInK44CX4x
CfvRUOQdjFBbNVJJEsubm5y+plqTqHtHQC5DcG8nihlYrCDvG4bmB6pIy/CEHQQU
4k0IpSBs2KLbLzWG5073hAfm0FbjkJNL8MJQIXRPfmIZevZIwz74i0vDgM1bjuc=
=L99h
-----END PGP SIGNATURE-----

Current thread:

Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2 Salvatore Bonaccorso (Jul 31)
- Re: Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2 Chris Steipp (Jul 31)
  - Re: Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2 Salvatore Bonaccorso (Aug 01)
  - Re: Possible CVE Request: MediaWiki Security and Maintenance Releases: 1.19.18, 1.22.9 and 1.23.2 cve-assign (Aug 14)