Message-ID: <4ED54D52.3030303@redhat.com>
Date: Tue, 29 Nov 2011 14:23:30 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Hanno Böck <hanno@...eck.de>
Subject: Re: CVE request: mediawiki before 1.17.1

On 11/29/2011 03:12 AM, Hanno Böck wrote:
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html
>
> From announce mail:
>
> -------------
> I would like to announce the release of MediaWiki 1.17.1. Two security
> issues were discovered.
>
> Alexandre Emsenhuber discovered an issue where page titles on private
> wikis could be exposed by passing different page ids to index.php. In the
> case of the user not having correct permissions, they will now be
> redirected to Special:BadTitle.
>
> For more details, see
> https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
Please use CVE-2011-4360 for this issue.

> The second issue was found by Tim Starling, who discovered that
> action=ajax requests were dispatched to the relevant function without
> any read permission checks being done. This could have led to data
> leakage on private wikis.
>
> For more details, see
> https://bugzilla.wikimedia.org/show_bug.cgi?id=32616
Please use CVE-2011-4361 for this issue.

> ------------------------
>
> Please assign two CVEs.
>


-- 

-Kurt Seifried / Red Hat Security Response Team
