http://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.7
* (bug 66776, bug 71478) SECURITY: User PleaseStand reported a way to inject code into API clients that used format=php to process pages that underwent flash policy mangling. This was fixed along with improving how the mangling was done for format=json, and allowing sites to disable the mangling using $wgMangleFlashPolicy.
* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user’s common.js under certain circumstances. The user right “editcontentmodel” was added, and is needed to change a revision’s content model.
* (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw HTML, it is not safe to preview wikitext coming from an untrusted source such as a cross-site request. Thus add an edit token to the form, and when raw HTML is allowed, ensure the token is provided before showing the preview. This check is not performed on wikis that both allow raw HTML and anonymous editing, since there are easier ways to exploit that scenario.
* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. This issue was reported by user Bawolff.
* (bug 71621) Make allowing site-wide styles on restricted special pages a config option.
* (bug 42723) Added updated version history from 1.19.2 to 1.22.13
* $wgMangleFlashPolicy was added to make MediaWiki’s mangling of anything that might be a flash policy directive configurable.
Monthly Archives: December 2014
Fedora 19 Security Update: mariadb-5.5.40-1.fc19
Resolved Bugs
1160551 – CVE-2014-6507 CVE-2014-6520 CVE-2014-6505 CVE-2014-4287 CVE-2014-6551 CVE-2014-6555 CVE-2014-6484 CVE-2014-6464 CVE-2014-6559 CVE-2014-6530 CVE-2014-6564 CVE-2014-6469 CVE-2014-6463 mariadb: various flaws [fedora-all]
1153461 – CVE-2014-4287 mysql: unspecified vulnerability related to SERVER:CHARACTER SETS (CPU October 2014)
1153462 – CVE-2014-6463 mysql: unspecified vulnerability related to SERVER:REPLICATION ROW FORMAT BINARY LOG DML (CPU October 2014)
1153463 – CVE-2014-6464 mysql: unspecified vulnerability related to SERVER:INNODB DML FOREIGN KEYS (CPU October 2014)
1153464 – CVE-2014-6469 mysql: unspecified vulnerability related to SERVER:OPTIMIZER (CPU October 2014)
1153467 – CVE-2014-6484 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014)
1153489 – CVE-2014-6505 mysql: unspecified vulnerability related to SERVER:MEMORY STORAGE ENGINE (CPU October 2014)
1153490 – CVE-2014-6507 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014)
1153491 – CVE-2014-6520 mysql: unspecified vulnerability related to SERVER:DDL (CPU October 2014)
1153493 – CVE-2014-6530 mysql: unspecified vulnerability related to CLIENT:MYSQLDUMP (CPU October 2014)
1153494 – CVE-2014-6551 mysql: unspecified vulnerability related to CLIENT:MYSQLADMIN (CPU October 2014)
1153495 – CVE-2014-6555 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014)
1153496 – CVE-2014-6559 mysql: unspecified vulnerability related to C API SSL CERTIFICATE HANDLING (CPU October 2014)
1153497 – CVE-2014-6564 mysql: unspecified vulnerability related to SERVER:INNODB FULLTEXT SEARCH DML (CPU October 2014)<br
This is an update that fixes all issues described at https://mariadb.com/kb/en/mariadb/development/changelogs/mariadb-5540-changelog and also couple of security issues.
Fedora 20 Security Update: xen-4.3.3-6.fc20
Resolved Bugs
1166461 – migrate –debug option can lead to Segmentation fault (core dumped)<br
Excessive checking in compatibility mode hypercall argument translation,
Insufficient bounding of “REP MOVS” to MMIO emulated inside the hypervisor,
fix segfaults and failures in xl migrate –debug
Fedora 19 Security Update: libreoffice-4.1.6.2-10.fc19
Resolved Bugs
1165740 – libreoffice: crash importing malformed .rtf [fedora-all]
1167503 – CVE-2014-3693 libreoffice: Use-After-Free in socket manager of Impress Remote [fedora-all]
1139592 – CVE-2014-3575 libreoffice: openoffice: Arbitrary file disclosure via crafted OLE objects [fedora-all]<br
CVE-2014-9093 backport some arbitrary rtf crash fixes
CVE-2014-3693 Use-after-free in Impress Remote socket manager
CVE-2014-3575 arbitrary file preview disclosure via ole2 objects
The vulnerability allows an attacker to send a document which when opened will trigger the prompt to “Update Links” but if the user cancels that prompt may still generate and insert into the document an OLE2 preview image of a file on the victims filesystem, Data exposure is possible if the updated document is then distributed to other parties.
Fedora 20 Security Update: mariadb-5.5.40-1.fc20
Resolved Bugs
1160551 – CVE-2014-6507 CVE-2014-6520 CVE-2014-6505 CVE-2014-4287 CVE-2014-6551 CVE-2014-6555 CVE-2014-6484 CVE-2014-6464 CVE-2014-6559 CVE-2014-6530 CVE-2014-6564 CVE-2014-6469 CVE-2014-6463 mariadb: various flaws [fedora-all]
1153461 – CVE-2014-4287 mysql: unspecified vulnerability related to SERVER:CHARACTER SETS (CPU October 2014)
1153462 – CVE-2014-6463 mysql: unspecified vulnerability related to SERVER:REPLICATION ROW FORMAT BINARY LOG DML (CPU October 2014)
1153463 – CVE-2014-6464 mysql: unspecified vulnerability related to SERVER:INNODB DML FOREIGN KEYS (CPU October 2014)
1153464 – CVE-2014-6469 mysql: unspecified vulnerability related to SERVER:OPTIMIZER (CPU October 2014)
1153467 – CVE-2014-6484 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014)
1153489 – CVE-2014-6505 mysql: unspecified vulnerability related to SERVER:MEMORY STORAGE ENGINE (CPU October 2014)
1153490 – CVE-2014-6507 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014)
1153491 – CVE-2014-6520 mysql: unspecified vulnerability related to SERVER:DDL (CPU October 2014)
1153493 – CVE-2014-6530 mysql: unspecified vulnerability related to CLIENT:MYSQLDUMP (CPU October 2014)
1153494 – CVE-2014-6551 mysql: unspecified vulnerability related to CLIENT:MYSQLADMIN (CPU October 2014)
1153495 – CVE-2014-6555 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014)
1153496 – CVE-2014-6559 mysql: unspecified vulnerability related to C API SSL CERTIFICATE HANDLING (CPU October 2014)
1153497 – CVE-2014-6564 mysql: unspecified vulnerability related to SERVER:INNODB FULLTEXT SEARCH DML (CPU October 2014)<br
This is an update that fixes all issues described at https://mariadb.com/kb/en/mariadb/development/changelogs/mariadb-5540-changelog and also couple of security issues.
Phone biometric security need to be controlled, says ex-GCHQ chief
The former head of the UK’s government’s communications agency GCHQ has issued warnings over the privacy of the biometric security increasingly favored in top-end mobile phones and other devices, Computing reports.
The post Phone biometric security need to be controlled, says ex-GCHQ chief appeared first on We Live Security.
ManageEngine Netflow Analyzer / IT360 File Download
ManageEngine Netflow Analyzer and IT360 suffer from an arbitrary file download vulnerability.
UK police need to ‘catch up’ with cybercrime threat
Police in the UK are facing an uphill struggle to deal with modern threats and cybercrime, reports the BBC, with the current methods involving “policing the crimes of today with the methods of yesterday.”
The post UK police need to ‘catch up’ with cybercrime threat appeared first on We Live Security.
CVE-2014-5268 (fasttoggle)
The Fasttoggle module 7.x-1.3 and 7.x-1.4 for Drupal allows remote attackers to block or unblock an account via a crafted user status link.
CVE-2014-9151 (services)
The Services module 7.x-3.x before 7.x-3.10 for Drupal does not properly limit the rate of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack on the administrative password.