https://bugzilla.novell.com/show_bug.cgi?id=247333

           Summary: VUL-0: mediawiki 1.8.4 fixes XSS vulnerability in
                    non-default configuration
           Product: openSUSE 10.2
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: anicka@novell.com
         QAContact: qa@suse.de

== MediaWiki 1.8.4 ==

February 20, 2007

This is a security and bug-fix update to the Fall 2006 quarterly release.

An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
charset autodetection was located in the AJAX support module, affecting MSIE
users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
enabled.

If you are using an extension based on the optional Ajax module, either
disable it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10

It seems to be a next attack on the bug which seemed to be fixed in 1.8.3
version (bug #233141).

10.2 is vulnerable (other released products are not), are we going to fix?
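A response audit for the condition the release note describes, added here as an example (not code from MediaWiki or from this bug report): it flags a response that declares no charset, which leaves the encoding to MSIE's autodetection, and whose body carries UTF-7 shifted runs that decode to markup characters. The function names, the header dictionary shape and the sample responses are assumptions constructed for illustration.

```python
import re

# A UTF-7 shifted run: '+', modified-base64 characters, optional closing '-'.
SHIFTED = re.compile(rb"\+[A-Za-z0-9+/]+-?")
CHARSET = re.compile(r"charset\s*=\s*\"?([^\s;\"]+)", re.IGNORECASE)
MARKUP = set("<>\"'")


def declared_charset(content_type):
    """Return the lower-cased charset parameter of a Content-Type value, or None."""
    m = CHARSET.search(content_type or "")
    return m.group(1).lower() if m else None


def utf7_markup_runs(body):
    """List (raw, decoded) for shifted runs that decode to HTML-significant characters."""
    hits = []
    for m in SHIFTED.finditer(body):
        try:
            decoded = m.group().decode("utf-7")
        except UnicodeDecodeError:
            continue  # not a well-formed UTF-7 sequence
        if MARKUP & set(decoded):
            hits.append((m.group().decode("ascii"), decoded))
    return hits


def audit_response(headers, body):
    """Summarise one response; at_risk needs both a missing charset and UTF-7 markup."""
    charset = declared_charset(headers.get("Content-Type"))
    runs = utf7_markup_runs(body)
    return {"charset": charset, "utf7_markup": runs,
            "at_risk": charset is None and bool(runs)}


# Constructed sample responses (hypothetical, not captured traffic).
SAMPLES = [
    ({"Content-Type": "text/html"}, b"No such function +ADw-b+AD4-name"),
    ({"Content-Type": "text/html; charset=utf-8"}, b"No such function +ADw-b+AD4-name"),
    ({"Content-Type": "text/html"}, b"plain text, a + b"),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        print(headers, audit_response(headers, body))
```
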