Added security team to CC.
On 2012-12-17 17:00, Thorsten Glaser wrote:
> On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:
>> At a quick glance this appears to affect upstream.
>> Can you confirm this?
> Yes, it does.
>> have you sought out a CVE
>> number?
> No, I’ve got no idea how all this CVE stuff works.
> Do you volunteer, or one of the Mediawiki guys lurking here?
> Otherwise I’d just open an entry in the MW bugtracker now,
> if extensions are tracked there, that is.
Security team: is it too late to get a CVE through you now that a
public bug has been filed? And should a DSA be prepared, as I have not
looked but can be fairly sure this will affect stable.
(for those following at home: Debian can only issue CVEs for non-public
issues AIUI, which is why it's a shame you didn't bring them into the
loop before opening a bug.)
>> The window of opportunity is small but the impact could be
>> significant
>> (drive-by downloads, session theft, XSS etc).
> Actually, it’s not small.
Ok, what I really meant was that you'd have to know someone is using
Mediawiki to read your feed, which is probably feasible but I can't
imagine there are thousands of people doing so. We don't really know
either way, we should probably play it cautious.
--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
<directhex> i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits