Re: [Wikitech-l] [SECURITY] Math extension - shell invocation followup

2017-01-23 Thread Moritz Muehlenhoff
Hi,

On Fri, Jan 20, 2017 at 06:47:53PM -0800, Legoktm wrote:
> Somewhat related, in the last MediaWiki security release, the bugs
> already have CVE numbers assigned to them. Would it be possible to get
> CVE ids for extension security issues in advance as well?

That shouldn't be a problem; CVE IDs can be requested in advance
via this web form: https://cve.mitre.org/cve/request_id.html

(In the past this was done via an email address, but they recently
streamlined the process.)

Cheers,
   Moritz

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] [SECURITY] Math extension - shell invocation followup

2017-01-20 Thread Legoktm
Hi,

Somewhat related, in the last MediaWiki security release, the bugs
already have CVE numbers assigned to them. Would it be possible to get
CVE ids for extension security issues in advance as well?

-- Legoktm


[Wikitech-l] [SECURITY] Math extension - shell invocation followup

2017-01-20 Thread Chad
Hi all,

In the process of the previous security release, T124940 was fixed in
core MediaWiki (it deals with unacceptably long shell inputs). There was
also a related fix in Math that I just noticed had never been released--even
though it was disclosed (with a patch) on the task in question.

It's been published to https://gerrit.wikimedia.org/r/#/c/09/ (for master)
and is being backported to all supported branches (1.28.x, 1.27.x, 1.23.x).

This isn't an extension we bundle in core MW, which explains the oversight.

-Chad