Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201403011944.s21Jiobo008522@linus.mitre.org>
Date: Sat, 1 Mar 2014 14:44:50 -0500 (EST)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE requests: MediaWiki 1.22.3, 1.21.6 and 1.19.12 release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html

> https://bugzilla.redhat.com/show_bug.cgi?id=1071135
> 
> * (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted
>    namespaces.

> An attacker could perform cross-site scripting attacks by uploading 
> crafted SVG images.
> 
> https://bugzilla.wikimedia.org/show_bug.cgi?id=60771
> https://gerrit.wikimedia.org/r/#/q/7d923a6b53f7fbcb0cbc3a19797d741bf6f440eb,n,z

Use CVE-2014-2242. The root cause is, roughly, "does not block unsafe
namespaces such as a W3C XHTML namespace." This qualifies for a CVE
because there is known client software that uses this namespace in a
way that results in XSS. MediaWiki is obviously free to make an
announcement of a security fix for this type of issue, independent of
the question of who is at fault for the underlying problem.

> Also disallow iframe elements.

There is no CVE assignment for this change because there is no known
client software that uses any of the $validNamespaces namespaces in a
way that results in XSS. A third party who "owns" one of these
namespaces, or anyone else, could modify its role tomorrow and (for
example) release a browser extension that's vulnerable to this IFRAME
XSS attack when the namespace is used. However, defending against that
is essentially the same as defending against any other attack
requiring not-known-to-exist client software. It can only be
interpreted as security hardening. For example, MediaWiki conceivably
could validate uploaded .jpg files by looking for photos of the word
"IFRAME" because, well, you can't be too careful.


> https://bugzilla.redhat.com/show_bug.cgi?id=1071136
> 
> * (bug 61346) SECURITY: Make token comparison use constant time. It 
>    seems like our token comparison would be vulnerable to timing attacks.
>    This will take constant time.
> 
> https://bugzilla.wikimedia.org/show_bug.cgi?id=61346
> https://gerrit.wikimedia.org/r/#/q/I2a9e89120f7092015495e638c6fa9f67adc9b84f,n,z

Use CVE-2014-2243. Bug 61346 comments 9 and 10 are not currently being
considered a vulnerability report -- the statements in comments 9 and
10 are not within the scope of CVE-2014-2243, nor do they have a
separate CVE ID.


> https://bugzilla.redhat.com/show_bug.cgi?id=1071139
> 
> * (bug 61362) SECURITY: API: Don't find links in the middle of api.php 
>   links.
> 
> An attacker could perform cross-site scripting attacks.
> 
> https://bugzilla.wikimedia.org/show_bug.cgi?id=61362
> https://gerrit.wikimedia.org/r/#/q/Idf985e4e69c2f11778a8a90503914678441cb3fb,n,z

Use CVE-2014-2244.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTEjfBAAoJEKllVAevmvmsgd8H+wbUsWZxxFEOD0ExHKbjjU3v
6+iifxcMY3q3k+0xcF4gEm9kByJNefyzQu8tZnazzEZb3o8S5xZ5pSkAEOI1A2qJ
jzChB9qhF+7mD8lOoMThtYslH+PcU0fkgwlDEGDpKTvYVXASkRNl6IEhsycYZ9n6
S6HZLBHUBq6OOUnhuVixkB5RXUrb8iRZgapfWQ40HRZnIubxREvbIlMcjMTYiqOg
u0iBLUa9mrDKJUqjcZVRxx8PBCvMJg9/eLV3N1E9ZyBCTXZTPV6jARrzgNyXGT/y
HnTJGxFFYcQw6wkBHKNFzKtK4NQY9TgitnL6TggLNBeKiAM6Sle7Y6dvPwB1g6w=
=pxGY
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.