[Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection

Giuseppe Iuculano giuseppe at iuculano.it
Wed Dec 19 19:06:06 UTC 2012


On 17/12/2012 18:21, Jonathan Wiltshire wrote:
> Security team: is it too late to get a CVE through you now that a public
> bug has been filed? And should a DSA be prepared, as I have not looked
> but can be fairly sure this will affect stable.

yes, if it is public, we cannot assign a CVE. you can ask
cve-assign at mitre.org to request one.

>>> The window of opportunity is small but the impact could be significant
>>> (drive-by downloads, session theft, XSS etc).
>> Actually, it’s not small.
> Ok, what I really meant was that you'd have to know someone is using
> Mediawiki to read your feed, which is probably feasible but I can't
> imagine there are thousands of people doing so. We don't really know
> either way, we should probably play it cautious.

I agree, this issue doesn't warrant a DSA, but you could still fix it
through a point update:


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-mediawiki-devel/attachments/20121219/fbdb3f38/attachment.pgp>

More information about the Pkg-mediawiki-devel mailing list