Re: [SRM] Permission to upload mediawiki to stable
On 2010-12-18, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> On Sat, 2010-12-18 at 00:28 +0000, Jonathan Wiltshire wrote:
>> * Fixed CSRF vulnerability in "e-mail me my password",
>> "create account" and "create by e-mail" features of
>> [[Special:Userlogin]]. CVE-2010-1648
>> * Fixed XSS vulnerability affecting IE clients only, due to a CSS
>> validation issue. CVE-2010-1647 (Closes: #585918)
>
> The security tracker seems to be somewhat confused here, fwiw -
> http://security-tracker.debian.org/tracker/CVE-2010-164{7,8} both claim
> that the issue was fixed in -2lenny5.
They are both marked as no-dsa:
CVE-2010-1648 (Cross-site request forgery (CSRF) vulnerability in the login interface ...)
- mediawiki 1.15.4-1 (bug #585918; low)
[lenny] - mediawiki <no-dsa> (Minor issue)
NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
CVE-2010-1647 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before ...)
- mediawiki 1.15.4-1 (bug #585918; low)
[lenny] - mediawiki <no-dsa> (Minor issue)
NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
>> * Fixed an XSS vulnerability in profileinfo.php for installations
>> with $wgEnableProfileInfo = true (false by default) (Closes: #590669)
This one is CVE-2010-2788, BTW. (No need to adapt the changelog, though)
Cheers,
Moritz