Thanks for reporting. Do you have any reproducible scenario? Regards, Nicolas Terray
----- Original Message -----
> From: "Thorsten Glaser" <t.gla...@tarent.de>
> To: "Maintenance team for the mediawiki package" <pkg-mediawiki-de...@lists.alioth.debian.org>
> Cc: 696...@bugs.debian.org, fusionforge-gene...@lists.fusionforge.org, discussi...@planetforge.org
> Sent: Monday 17 December 2012 18:13:56
> Subject: Re: [Discussions] Codendi and mediawiki-extensions-base: RSS_Reader Javascript injection
>
> Dixi quod…
>
> > On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:
> >
> > > have you sought out a CVE
> > > number?
> >
> > No, I’ve got no idea how all this CVE stuff works.
> >
> > Do you volunteer, or one of the Mediawiki guys lurking here?
> > Otherwise I’d just open an entry in the MW bugtracker now,
> > if extensions are tracked there, that is.
>
> For CVE tracking, here’s a list of vulnerable software:
>
> • FusionForge 5.1, 5.2 and trunk, but not 5.0 or below;
>   commit f7b371af6f7576058971fd248a93dd864d5b1ce1 fix on
>   Branch_5_1 confirmed to close this hole; will be merged
>   into 5.2 and trunk later
>   ⇒ Impact: low (<script> filtered)
>
> • Tuleap, tested with version 5.7.99.9, possibly “all”,
>   and possibly also Codendi (which is where Tuleap and
>   FusionForge both have this widget from)
>   ⇒ Impact: low (<script> filtered)
>
> • MediaWiki RSS_Reader extension (fix tested, works)
>   ⇒ Impact: high (<script> *not* filtered)
>
> bye,
> //mirabilos
> --
> tarent solutions GmbH
> Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
> Tel: +49 228 54881-393 • Fax: +49 228 54881-314
> HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
> Geschäftsführer: Boris Esser, Sebastian Mancke