Please update dokuwiki ebuild to prevent XSS attack via SWF uploads.
Reproducible: Always
done
13:47 < irker481> gentoo-x86: jmbsvicetto www-apps/dokuwiki: Bump dokuwiki versions to address an XSS with SWF uploads - announcement https://www.freelists.org/post/dokuwiki/XSS-via-SWF-uploads-hotfix,3
@security: Do you want to track this bug?
Arches, please test and mark stable: =www-apps/dokuwiki-20140929b
Target keywords: "amd64 x86"
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Agostino Sarubbo from comment #4)
> Maintainer(s), please cleanup.
13:52 < irker856> gentoo-x86: jmbsvicetto www-apps/dokuwiki: Drop old vulnerable versions
Done
@Security, do we produce glsa for XSS? AFAIR, no.
CVE-2014-9253 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9253): The default file type whitelist configuration in conf/mime.conf in the Media Manager in DokuWiki before 2014-09-29b allows remote attackers to execute arbitrary web script or HTML by uploading an SWF file, then accessing it via the media parameter to lib/exe/fetch.php.
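The whitelist weakness the CVE text describes, as an added example that is not part of this bug thread or of DokuWiki's own code: a small Python audit that parses a mime.conf-style upload whitelist (format assumed from DokuWiki's documentation: extension, MIME type, optional "!" prefix that forces download) and flags extensions that would be served inline as active content, run over a constructed weak whitelist and a hardened one.

```python
# Audit a DokuWiki-style conf/mime.conf upload whitelist for extensions that a
# browser may render as active content when served inline, the CVE-2014-9253
# pattern (SWF accepted by the default whitelist, then fetched via fetch.php).
# Assumed format (DokuWiki's documented one): "<ext> <mimetype>" per line, '#'
# starts a comment, and a '!' prefix on the mimetype forces download instead
# of inline rendering.

# MIME types that must be absent from the whitelist or forced to download.
ACTIVE_CONTENT = {
    "application/x-shockwave-flash",
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
}

def parse_mime_conf(text):
    """Return {ext: (mimetype, force_download)} from mime.conf text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line: skip rather than guess
        ext, mime = parts
        entries[ext.lower()] = (mime.lstrip("!").lower(), mime.startswith("!"))
    return entries

def find_inline_active(text):
    """Extensions served inline with an active-content MIME type."""
    return sorted(ext for ext, (mime, force) in parse_mime_conf(text).items()
                  if mime in ACTIVE_CONTENT and not force)

# Constructed samples: a weak whitelist that serves SWF inline, and a hardened
# one with swf removed and svg forced to download.
WEAK_CONF = """\
jpg   image/jpeg
swf   application/x-shockwave-flash
doc   !application/msword
"""
HARDENED_CONF = """\
jpg   image/jpeg
doc   !application/msword
svg   !image/svg+xml
"""

if __name__ == "__main__":
    print("weak:", find_inline_active(WEAK_CONF))          # ['swf']
    print("hardened:", find_inline_active(HARDENED_CONF))  # []
```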
(In reply to Mikle Kolyada from comment #6) > @Security, do we produce glsa for XSS? AFAIR, no. Nope, we don't even give it a vote. Closing noglsa for XSS only.