[Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection

Giuseppe Iuculano giuseppe at iuculano.it
Wed Dec 19 19:06:06 UTC 2012


Hi,

On 17/12/2012 18:21, Jonathan Wiltshire wrote:
> Security team: is it too late to get a CVE through you now that a public
> bug has been filed? And should a DSA be prepared, as I have not looked
> but can be fairly sure this will affect stable.

Yes, if it is public, we cannot assign a CVE. You can ask
cve-assign at mitre.org to request one.

>>> The window of opportunity is small but the impact could be significant
>>> (drive-by downloads, session theft, XSS etc).
>>
>> Actually, it’s not small.
> 
> Ok, what I really meant was that you'd have to know someone is using
> Mediawiki to read your feed, which is probably feasible but I can't
> imagine there are thousands of people doing so. We don't really know
> either way, we should probably play it cautious.


I agree, this issue doesn't warrant a DSA, but you could still fix it
through a point update:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe.

