-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3046-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso October 05, 2014 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mediawiki CVE ID : CVE-2014-7295 It was reported that MediaWiki, a website engine for collaborative work, allowed to load user-created CSS on pages where user-created JavaScript is not allowed. A wiki user could be tricked into performing actions by manipulating the interface from CSS, or JavaScript code being executed from CSS, on security-wise sensitive pages like Special:Preferences and Special:UserLogin. This update removes the separation of CSS and JavaScript module allowance. For the stable distribution (wheezy), this problem has been fixed in version 1:1.19.20+dfsg-0+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 1:1.19.20+dfsg-1. We recommend that you upgrade your mediawiki packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJUMWQQAAoJEAVMuPMTQ89EIFEP/jGfYxU9UQ4JBoIu84wsRjuP MXI7mGNuhA9dnwxKaAzEddqlmVrVy5tgP18kanlB1agzBR3O7JWqel8BjAWWU3wV LIRTrlTQTh3EFeXuaPAKUrXPHognDcixhcPUNsVn6oeuwNaHDI7T9cQseDKlnvPU VtVexVVE6YpPyUg3LIO6EPt1U3dVLr6AG8/BbweooYwQyB3tupbemGWptI6rEeRK MqIxRuld3xkAG7SZJXv7pLnRDZBzXW/LcRD5r7CtSdfUeIFqcMOBhMR2lWH52jMg 0jM3koPnukXOYPOQIYD+l3+wG65mPqb/gtToRObPqGgcPCTup0eMcWu97Nz9CUDp QW2iTo/M9e+4T+uAg5ETeWiK0i3k6R7MpcSBJuTv2ckbDvqZKvslzLjLXJ4MsheD mbv0gmub3wDojWLwYq8+PAsCJSaGFZhZqME2aFps0xxqFQVo03JULZZK/hbIjFgl GpXH+Exb7iAuCiZM+tSgMe/GJ324J53qudKaifDbypaLWZLT4T1WN24IHZv6Icpv W08Em5Guc0nyC4mYFb9+J+t/yXd6M3hfhc1I+9fqdX+uLFlvx/nNm8wU87QuuQs/ k64awl9aUDbZxDGdC8OxwDfh1EeXroNMHueDPj82t76+dRU3+sBjJkhnQMp3S/LD RMJttMX597NHP2RBLApx =KdNC -----END PGP SIGNATURE-----