
Re: [SRM] Permission to upload mediawiki to stable



On 2010-12-18, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> On Sat, 2010-12-18 at 00:28 +0000, Jonathan Wiltshire wrote: 
>> * Fixed CSRF vulnerability in "e-mail me my password",
>>      "create account" and "create by e-mail" features of
>>      [[Special:Userlogin]]. CVE-2010-1648
>>    * Fixed XSS vulnerability affecting IE clients only, due to a CSS
>>      validation issue. CVE-2010-1647 (Closes: #585918)
>
> The security tracker seems to be somewhat confused here, fwiw -
> http://security-tracker.debian.org/tracker/CVE-2010-164{7,8} both claim
> that the issue was fixed in -2lenny5.

They are both marked as no-dsa:

CVE-2010-1648 (Cross-site request forgery (CSRF) vulnerability in the login interface ...)
        - mediawiki 1.15.4-1 (bug #585918; low)
        [lenny] - mediawiki <no-dsa> (Minor issue)
        NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
CVE-2010-1647 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before ...)
        - mediawiki 1.15.4-1 (bug #585918; low)
        [lenny] - mediawiki <no-dsa> (Minor issue)
        NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html

>>    * Fixed an XSS vulnerability in profileinfo.php for installations
>>      with $wgEnableProfileInfo = true (false by default) (Closes: #590669)

This one is CVE-2010-2788, BTW. (No need to adapt the changelog, though)

Cheers,
        Moritz

