| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Jun 2014 18:47:00 +0200 From: security@...driva.com To: bugtraq@...urityfocus.com Subject: [ MDVSA-2014:119 ] mediawiki -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:119 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : mediawiki Date : June 10, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated mediawiki packages fix security vulnerability: XSS vulnerability in MediaWiki before 1.22.7, due to usernames on Special:PasswordReset being parsed as wikitext. The username on Special:PasswordReset can be supplied by anyone and will be parsed with wgRawHtml enabled. Since Special:PasswordReset is whitelisted by default on private wikis, this could potentially lead to an XSS crossing a privilege boundary (CVE-2014-3966). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3966 http://advisories.mageia.org/MGASA-2014-0253.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: ff6c87c0ca4184be601a11c11487b5a6 mbs1/x86_64/mediawiki-1.22.7-1.mbs1.noarch.rpm 64e807f5fa514e1149b4bdf51433efb6 mbs1/x86_64/mediawiki-mysql-1.22.7-1.mbs1.noarch.rpm 891e200fedb9c4eba765c824b2320346 mbs1/x86_64/mediawiki-pgsql-1.22.7-1.mbs1.noarch.rpm d80771e17bd538455da34534b3da2e28 mbs1/x86_64/mediawiki-sqlite-1.22.7-1.mbs1.noarch.rpm 92c5c9e169e42307b700f97de6f23309 mbs1/SRPMS/mediawiki-1.22.7-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFTlwx/mqjQ0CJFipgRAoWfAKDzOErE37mmvJoT3SyXJXuHBBGpOwCg8BRx cWYvlL1QW2ri4ugTZt2imCU= =fW5t -----END PGP SIGNATURE-----
Powered by blists - more mailing lists