[Bug 247333] New: VUL-0: mediawiki 1.8.4 fixes XSS vulnerability in non-default configuration

https://bugzilla.novell.com/show_bug.cgi?id=247333

           Summary: VUL-0: mediawiki 1.8.4 fixes XSS vulnerability in non-default configuration
           Product: openSUSE 10.2
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: anicka@novell.com
         QAContact: qa@suse.de

== MediaWiki 1.8.4 ==

February 20, 2007

This is a security and bug-fix update to the Fall 2006 quarterly release.

An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7 charset autodetection was located in the AJAX support module, affecting MSIE users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled.

If you are using an extension based on the optional Ajax module, either disable it or upgrade to a version containing the fix:
* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10

It seems to be a further attack on the bug that seemed to be fixed in version 1.8.3 (bug #233141).

10.2 is vulnerable (other released products are not); are we going to fix?

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=247333

lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de
         AssignedTo|security-team@suse.de       |anicka@novell.com

------- Comment #1 from lnussel@novell.com 2007-04-03 04:23 MST -------
Seems this bug got forgotten. Yes, please update the package. Looks like there were more issues in mediawiki in the meantime though:

CVE-2007-1055
Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.9.x before 1.9.0rc2, and 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the rs parameter. NOTE: this issue might be a duplicate of CVE-2007-0177.

CVE-2007-1054
Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.6.x through 1.9.2, when $wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded value of the rs parameter, which is processed by Internet Explorer.

CVE-2007-0894
MediaWiki before 1.9.2 allows remote attackers to obtain sensitive information via a direct request to (1) Simple.deps.php, (2) MonoBook.deps.php, (3) MySkin.deps.php, or (4) Chick.deps.php in wiki/skins, which shows the installation path in the resulting error message.

CVE-2007-0788
Cross-site scripting (XSS) vulnerability in MediaWiki 1.9.x before 1.9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "sortable tables JavaScript."

CVE-2007-0177
Cross-site scripting (XSS) vulnerability in the AJAX module in MediaWiki before 1.6.9, 1.7 before 1.7.2, 1.8 before 1.8.3, and 1.9 before 1.9.0rc2, when wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

MaintenanceTracker-9322
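As an added example, not code from the bug thread or from MediaWiki itself: a small log check for the UTF-7 vector CVE-2007-1054 describes, which decodes UTF-7 shift sequences found in the rs (and, as an assumption, rsargs[]) query parameters of access-log lines and flags values that decode to HTML markup. The log lines are constructed; on the server side the root-cause fix is an explicit charset in the response Content-Type so MSIE never autodetects UTF-7.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (not real traffic). Only the third
# request carries a UTF-7 shift sequence in rs that decodes to HTML markup.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2007:10:00:01 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 5123
10.0.0.6 - - [20/Feb/2007:10:00:02 +0000] "GET /index.php?action=ajax&rs=wfSajaxSearch&rsargs[]=Ajax HTTP/1.1" 200 812
10.0.0.7 - - [20/Feb/2007:10:00:03 +0000] "GET /index.php?action=ajax&rs=%2BADw-b%2BAD4-hi%2BADw-/b%2BAD4- HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# A UTF-7 shift sequence: '+' then modified base64, optionally closed by '-'.
UTF7_SHIFT_RE = re.compile(r"\+[A-Za-z0-9+/]+-?")
# rs is the parameter named in CVE-2007-1054; rsargs[] is an assumed extra.
WATCHED_PARAMS = ("rs", "rsargs[]")

def query_params(target):
    """(name, value) pairs; unquote() keeps a literal '+' so UTF-7 shifts survive."""
    pairs = []
    for part in urlsplit(target).query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs

def utf7_markup(value):
    """Return the UTF-7 decoding of value if it yields '<' or '>', else None."""
    if not UTF7_SHIFT_RE.search(value):
        return None
    try:
        decoded = value.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None
    return decoded if ("<" in decoded or ">" in decoded) else None

def find_utf7_ajax_requests(log_text):
    """(client, param, decoded) for every watched parameter hiding markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        for name, value in query_params(m.group(1)):
            decoded = name in WATCHED_PARAMS and utf7_markup(value)
            if decoded:
                hits.append((client, name, decoded))
    return hits
```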
https://bugzilla.novell.com/show_bug.cgi?id=247333

pgajdos@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|anicka@novell.com           |pgajdos@novell.com
             Status|NEW                         |ASSIGNED
https://bugzilla.novell.com/show_bug.cgi?id=247333

pgajdos@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|pgajdos@novell.com          |security-team@suse.de
             Status|ASSIGNED                    |NEW

------- Comment #2 from pgajdos@novell.com 2007-04-04 06:33 MST -------
Fix submitted:
CVE-2007-1055 fixed in 10.2
CVE-2007-1054, -0894, -0788, -0177 do not affect the 1.8 branch (for the 1.9 branch, fixed in stable)
https://bugzilla.novell.com/show_bug.cgi?id=247333

lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pgajdos@novell.com
             Status|NEW                         |NEEDINFO
      Info Provider|                            |pgajdos@novell.com

------- Comment #3 from lnussel@novell.com 2007-04-04 06:57 MST -------
What about even older versions, i.e. 1.4 in 10.0 and 1.5 in 10.1?
https://bugzilla.novell.com/show_bug.cgi?id=247333

anicka@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|pgajdos@novell.com          |

------- Comment #4 from anicka@novell.com 2007-04-04 07:00 MST -------
As far as I am aware, none of these issues affects branches older than 1.8. These AJAX features were added in 1.8, and the XSS vulnerabilities of 1.9 also do not affect older versions. I do not know about any problem affecting the 1.5 or 1.4 branch that is not fixed in SL.
https://bugzilla.novell.com/show_bug.cgi?id=247333

lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Status Whiteboard|                            |patchinfos submitted
https://bugzilla.novell.com/show_bug.cgi?id=247333

lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Comment #5 from lnussel@novell.com 2007-04-11 01:13 MST -------
updates released