[Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection

Mon Dec 17 17:21:01 UTC 2012

Added security team to CC.

On 2012-12-17 17:00, Thorsten Glaser wrote:
> On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:
>
>> At a quick glance this appears to affect upstream
>> Can you confirm this
>
> Yes, it does.
>
>> have you sought out a CVE
>> number?
>
> No, I’ve got no idea how all this CVE stuff works.
>
> Do you volunteer, or one of the Mediawiki guys lurking here?
> Otherwise I’d just open an entry in the MW bugtracker now,
> if extensions are tracked there, that is.

Security team: is it too late to get a CVE through you now that a 
public bug has been filed? And should a DSA be prepared, as I have not 
looked but can be fairly sure this will affect stable.

(for those following at home: Debian can only issue CVEs for non-public 
issues AIUI, which is why it's a shame you didn't bring them into the 
loop before opening a bug.)

>> The window of opportunity is small but the impact could be 
>> significant
>> (drive-by downloads, session theft, XSS etc).
>
> Actually, it’s not small.

Ok, what I really meant was that you'd have to know someone is using 
Mediawiki to read your feed, which is probably feasible but I can't 
imagine there are thousands of people doing so. We don't really know 
either way, we should probably play it cautious.

-- 
Jonathan Wiltshire                                      jmw at debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
             8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits