*** This bug is a security vulnerability ***
Public security bug reported:
Binary package hint: mediawiki
This fixes a couple of security holes. No new features, so no FFe is
required.
== MediaWiki 1.11.2 ==
March 2, 2008
This is a security release of the Fall 2007 snapshot release of MediaWiki.
Possible cross-site information leaks using the callback parameter for
JSON-formatted results in the API are prevented by dropping user credentials.
MediaWiki release versions prior to 1.11 are not vulnerable, as they do
not include the callback feature which allows client-side JavaScript on
other sites to reach API data.
Changes in this release:
* User credentials are dropped for API JSON requests using a callback
* Edit tokens are not reported for API JSON requests using a callback
** Affects: mediawiki (Ubuntu)
Importance: High
Assignee: William Grant (fujitsu)
Status: In Progress
** Changed in: mediawiki (Ubuntu)
Importance: Undecided => High
Assignee: (unassigned) => William Grant (fujitsu)
Status: New => In Progress
** This bug has been flagged as a security issue
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1318
--
[non-FFe] mediawiki 1.11.2
https://bugs.launchpad.net/bugs/207008
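Added example, not part of the original bug report and not MediaWiki's own code: a minimal Python sketch of the two changes listed in the release notes, where a JSON API request that carries a callback is served as an anonymous request and never includes an edit token. The handler name, session store, parameter names and token value are constructed for illustration, and the callback-name check is an extra assumption not taken from the release notes.

```python
import json
import re

# Constructed session store for the example (hypothetical values).
SESSIONS = {"sess-abc": {"user": "Alice", "edit_token": "constructed-token"}}
ANON = {"user": None, "edit_token": None}

# Assumption, not from the release notes: accept only plain identifier-style
# callback names so the example does not echo arbitrary input into script.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def handle_api_request(params, cookies):
    """Return (content_type, body) for a JSON-formatted API query.

    A response wrapped in a callback is executable script that any other site
    can load with a <script> tag, and the browser attaches the user's cookies
    to that load. The handler therefore ignores the cookies in that case.
    """
    callback = params.get("callback")
    if callback is not None and not CALLBACK_RE.match(callback):
        raise ValueError("invalid callback name")

    if callback is None:
        # Plain JSON is not readable cross-site, so the session is honoured.
        session = SESSIONS.get(cookies.get("session"), ANON)
    else:
        # Change 1: user credentials are dropped for callback requests.
        session = ANON

    result = {"user": session["user"]}
    # Change 2: edit tokens are not reported for callback requests.
    if params.get("prop") == "token" and callback is None:
        result["edittoken"] = session["edit_token"]

    body = json.dumps(result)
    if callback is None:
        return "application/json", body
    return "text/javascript", f"{callback}({body})"


if __name__ == "__main__":
    cookies = {"session": "sess-abc"}  # constructed logged-in request
    print(handle_api_request({"prop": "token"}, cookies))
    print(handle_api_request({"prop": "token", "callback": "cb"}, cookies))
```
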