Summary: | www-apps/mediawiki: upgrade to 1.4.15 due to vulnerability (CVE-2006-1498) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Aurélien Requiem <bugs> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | trapni |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Other | ||
Whiteboard: | B4 [glsa] DerCorny | ||
Package list: | | Runtime testing required: | --- |
Description
Aurélien Requiem
2006-03-29 04:48:42 UTC
hi web-apps, do you want to provide an ebuild for 1.4.15 or should we go for a stable marking of 1.5.8?

I'd vote for both. Although, I already bumped 1.5.8 as it came out, but I must have missed the 1.4.15 release.

1.4.15 is in the tree now as well. thanks for the notice :) (I do not close this bug as it's kinda security-assigned, so please do so if you feel fine with all)

arches, please test and mark 1.4.15 or 1.5.8 stable, thank you.

trapni, please don't bump security bugs directly to stable. Would you or somebody from the arches team please remove the stable keywords for any arch this wasn't tested on? Thanks.

um, yeah, okay - as it was a security (bugfix only) release, and 1.4.14 were already marked stable I didn't mind in unstable-marking them all. For amd64 I could speak that it runs just fine for the 1.5.x line as I'm using it in production since it's out (w/o any problems so far).

Well, it looks like 1.4.15 is already stable on x86. trapni: as stated, in the future please don't bump stuff straight to stable.

Removing SPARC as 1.4.15 works and was already keyworded stable

trapni is in the amd64 team, so that works with me

CVE-2006-1498

Bad Product/component

1.4.15 tested and found ok on ppc, so the ppc keyword can stay.

ready for glsa decision. weak yes here, mainly because we issued GLSAs for XSS in mediawiki in the past.

(In reply to comment #12)
> ready for glsa decision. weak yes here, mainly because we issued GLSAs for XSS
> in mediawiki in the past.

Last one was on 2005-07-20, AFAIK. Vote 0.5 yes.

Tend to vote YES on this one.

XSS and injection in publicly-writable websites (forums, wikis...) is evil. So I vote yes.

GLSA 200604-01

Thanks everybody.