Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2014-3966

Source

Debian Bug report logs - #750527
mediawiki: CVE-2014-3966: Javascript inject by anonymous users on private wikis with $wgRawHtml enabled

Package: mediawiki; Maintainer for mediawiki is Kunal Mehta <legoktm@debian.org>; Source for mediawiki is src:mediawiki (PTS, buildd, popcon).

Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 4 Jun 2014 07:03:01 UTC

Severity: normal

Tags: fixed-upstream, security

Found in version mediawiki/1:1.19.15+dfsg-2

Fixed in version mediawiki/1:1.19.16+dfsg-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#750527; Package mediawiki. (Wed, 04 Jun 2014 07:03:06 GMT) (full text, mbox, link).

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Wed, 04 Jun 2014 07:03:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Package: mediawiki
Version: 1:1.19.15+dfsg-2
Severity: normal
Tags: security, fixed-upstream

Needs wgRawHTML enabled so this may not be easy to exploit and might not be
affected by default.

Details of the issue: https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
CVE request: http://www.openwall.com/lists/oss-security/2014/06/03/7

---
Henri Salo

[signature.asc (application/pgp-signature, inline)]

Changed Bug title to 'mediawiki: CVE-2014-3966: Javascript inject by anonymous users on private wikis with $wgRawHtml enabled' from 'mediawiki: Javascript inject by anonymous users on private wikis with $wgRawHtml enabled' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 04 Jun 2014 15:54:11 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#750527; Package mediawiki. (Wed, 11 Jun 2014 16:51:09 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Wed, 11 Jun 2014 16:51:09 GMT) (full text, mbox, link).

Message #12 received at 750527@bugs.debian.org (full text, mbox, reply):

Source: mediawiki
Source-Version: 1:1.19.16+dfsg-1

On Wed, Jun 04, 2014 at 09:59:39AM +0300, Henri Salo wrote:
> Package: mediawiki
> Version: 1:1.19.15+dfsg-2
> Severity: normal
> Tags: security, fixed-upstream
> 
> Needs wgRawHTML enabled so this may not be easy to exploit and might not be
> affected by default.
> 
> Details of the issue: https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
> CVE request: http://www.openwall.com/lists/oss-security/2014/06/03/7

This was fixed with the recent mediawiki 1:1.19.16+dfsg-1 upload to
unstable.

Regards,
Salvatore

Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Jun 2014 16:51:16 GMT) (full text, mbox, link).

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Wed, 11 Jun 2014 16:51:17 GMT) (full text, mbox, link).

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 11 Jun 2014 16:51:32 GMT) (full text, mbox, link).

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Wed, 11 Jun 2014 16:51:32 GMT) (full text, mbox, link).

Message #21 received at 750527-done@bugs.debian.org (full text, mbox, reply):

Source: mediawiki
Source-Version: 1:1.19.16+dfsg-1

Now really closing the bug with given version.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Jul 2014 07:27:16 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:03:42 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

mediawiki: CVE-2014-3966: Javascript inject by anonymous users on private wikis with $wgRawHtml enabled

Debian Bug report logs - #750527
mediawiki: CVE-2014-3966: Javascript inject by anonymous users on private wikis with $wgRawHtml enabled

Vulmon Search

About

Products

Connect

mediawiki: CVE-2014-3966: Javascript inject by anonymous users on private wikis with $wgRawHtml enabled

Debian Bug report logs - #750527 mediawiki: CVE-2014-3966: Javascript inject by anonymous users on private wikis with $wgRawHtml enabled

Vulmon Search

About

Products

Connect

Debian Bug report logs - #750527
mediawiki: CVE-2014-3966: Javascript inject by anonymous users on private wikis with $wgRawHtml enabled