FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: b50f53ce-2151-11e6-8dd3-002590263bf5
Description: mediawiki -- multiple vulnerabilities

MediaWiki reports:

Security fixes:

T122056: Old tokens are remaining valid within a new session

T127114: Login throttle can be tricked using non-canonicalized usernames

T123653: Cross-domain policy regexp is too narrow

T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex

T129506: MediaWiki:Gadget-popups.js isn't renderable

T125283: Users occasionally logged in as different users after SessionManager deployment

T103239: Patrol allows click catching and patrolling of any page

T122807: [tracking] Check php crypto primitives

T98313: Graphs can leak tokens, leading to CSRF

T130947: Diff generation should use PoolCounter

T133507: Careless use of $wgExternalLinkTarget is insecure

T132874: API action=move is not rate limited


Discovery: 2016-05-20
Entry: 2016-05-24

Affected packages:
  mediawiki123 < 1.23.14
  mediawiki124 <= 1.24.6
  mediawiki125 < 1.25.6
  mediawiki126 < 1.26.3

References:
  https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html
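The T127114 item in the entry above is a throttle that keyed its counter on the raw username string, so an attacker could spread failed logins across spellings that all resolve to one account. The following is an added example, not MediaWiki code: a throttle keyed on the raw string beside one keyed on the canonical name. canonicalName() is a simplified, ASCII-only stand-in for MediaWiki's own username canonicalisation, the limit of 3 failures is an assumed policy, and it needs PHP 8.

```php
<?php
// Added example, not MediaWiki code: a login throttle keyed on the raw
// username string (the T127114 flaw) next to one keyed on the canonical form.
// canonicalName() is a simplified, ASCII-only stand-in for MediaWiki's own
// username canonicalisation; the limit of 3 is an assumed policy.

final class LoginThrottle
{
    /** @var array<string,int> failed-attempt count per throttle key */
    private array $counts = [];

    public function __construct(private int $limit, private bool $canonicalize) {}

    /** Assumed rule: underscores to spaces, trimmed, runs of whitespace collapsed,
     *  first letter upper-cased (MediaWiki only folds case on the first letter). */
    public static function canonicalName(string $name): string
    {
        $n = preg_replace('/\s+/', ' ', trim(str_replace('_', ' ', $name)));
        return ucfirst($n);
    }

    /** Record one failed login; returns false once the key has hit the limit. */
    public function recordFailure(string $username): bool
    {
        $key = $this->canonicalize ? self::canonicalName($username) : $username;
        $this->counts[$key] = ($this->counts[$key] ?? 0) + 1;
        return $this->counts[$key] <= $this->limit;
    }
}

// Constructed input: five spellings that all log in to the same account "Admin".
$spellings = ['admin', 'Admin', 'Admin ', 'admin_', '_Admin'];

$rawKeyed       = new LoginThrottle(limit: 3, canonicalize: false);
$canonicalKeyed = new LoginThrottle(limit: 3, canonicalize: true);

foreach ($spellings as $i => $name) {
    printf("attempt %d %-9s raw-keyed: %-7s canonical-keyed: %s\n",
        $i + 1,
        json_encode($name),
        $rawKeyed->recordFailure($name) ? 'allowed' : 'BLOCKED',
        $canonicalKeyed->recordFailure($name) ? 'allowed' : 'BLOCKED');
}
```

Run stand-alone, the raw-keyed throttle allows all five attempts because each spelling lands in its own bucket, while the canonical-keyed throttle blocks the fourth and fifth. The same check applies to any rate limit keyed on user-supplied identity: canonicalise first, then count.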

VuXML ID: b973a763-7936-11e5-a2a1-002590263bf5
Description: mediawiki -- multiple vulnerabilities

MediaWiki reports:

Wikipedia user RobinHood70 reported two issues in the chunked upload API. The API failed to correctly stop adding new chunks to the upload when the reported size was exceeded (T91203), allowing a malicious user to add an infinite number of chunks for a single file upload. Additionally, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (T91205).

Internal review discovered that it is not possible to throttle file uploads.

Internal review discovered a missing authorization check when removing suppression from a revision. This allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions.

Richard Stanway from teamliquid.net reported that thumbnails of PNG files generated with ImageMagick contained the local file path in the image metadata.


Discovery: 2015-10-16
Entry: 2015-10-23
Modified: 2015-12-24

Affected packages:
  mediawiki123 < 1.23.11
  mediawiki124 < 1.24.4
  mediawiki125 < 1.25.3

CVEs:
  CVE-2015-8001
  CVE-2015-8002
  CVE-2015-8003
  CVE-2015-8004
  CVE-2015-8005
  CVE-2015-8006
  CVE-2015-8007
  CVE-2015-8008
  CVE-2015-8009

References:
  https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html
  https://phabricator.wikimedia.org/T91203
  https://phabricator.wikimedia.org/T91205
  https://phabricator.wikimedia.org/T91850
  https://phabricator.wikimedia.org/T95589
  https://phabricator.wikimedia.org/T108616
  http://www.openwall.com/lists/oss-security/2015/10/29/14
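The two chunked-upload issues in the entry above (T91203, T91205) both come down to server-side bookkeeping that an upload session must keep per file. The following is an added example, not MediaWiki code: a session object that refuses any chunk that would push the total past the declared size, refuses short chunks unless they complete the file, and caps the chunk count at what those two limits allow. The 1 MiB minimum chunk size and the derived cap are assumed policies chosen for this example, and it needs PHP 8.

```php
<?php
// Added example, not MediaWiki code: bookkeeping for one chunked upload that
// enforces the size the client declared (T91203) and refuses tiny chunks that
// would fan out into many files (T91205). The 1 MiB minimum chunk size and the
// derived chunk cap are assumed policies for this example, not MediaWiki's.

final class ChunkedUploadSession
{
    private int $received = 0;
    private int $chunkCount = 0;

    public function __construct(
        private int $declaredSize,                 // size announced when the upload started
        private int $minChunkSize = 1024 * 1024    // assumed policy: 1 MiB
    ) {
        if ($declaredSize <= 0) {
            throw new InvalidArgumentException('declared size must be positive');
        }
    }

    /** Largest chunk count consistent with the two limits. */
    public function maxChunks(): int
    {
        return (int) ceil($this->declaredSize / $this->minChunkSize);
    }

    /** Validate and accept one chunk at byte $offset; throws on any violation. */
    public function addChunk(int $offset, string $data): void
    {
        $len = strlen($data);
        if ($offset !== $this->received) {
            throw new RuntimeException("offset {$offset} does not match {$this->received} bytes received");
        }
        // T91203: never accept bytes beyond the declared size, including after completion.
        if ($this->received + $len > $this->declaredSize) {
            throw new RuntimeException("chunk of {$len} bytes would exceed declared size {$this->declaredSize}");
        }
        // T91205: a short chunk is only acceptable when it is the final one.
        $isLast = ($this->received + $len === $this->declaredSize);
        if ($len < $this->minChunkSize && !$isLast) {
            throw new RuntimeException("chunk of {$len} bytes is below the {$this->minChunkSize}-byte minimum");
        }
        if ($this->chunkCount >= $this->maxChunks()) {
            throw new RuntimeException('chunk count limit reached');
        }
        // A real implementation writes $data to chunk storage here.
        $this->received += $len;
        $this->chunkCount++;
    }

    public function isComplete(): bool { return $this->received === $this->declaredSize; }
    public function chunkCount(): int { return $this->chunkCount; }
}

$mib = 1024 * 1024;

// Constructed demo: a 2.5 MiB file arrives as 1 MiB + 1 MiB + 0.5 MiB.
$ok = new ChunkedUploadSession(declaredSize: (int) (2.5 * $mib));
$ok->addChunk(0,        str_repeat('A', $mib));
$ok->addChunk($mib,     str_repeat('B', $mib));
$ok->addChunk(2 * $mib, str_repeat('C', $mib / 2));   // short final chunk is fine
printf("complete: %s, chunks: %d, cap: %d\n",
    var_export($ok->isComplete(), true), $ok->chunkCount(), $ok->maxChunks());

// The two abuse patterns from the advisory, each rejected with an exception.
$abuse = [
    'extra chunk after the declared size is reached' => fn() => $ok->addChunk((int) (2.5 * $mib), 'X'),
    '1-byte chunks for a large file'                 => fn() => (new ChunkedUploadSession($mib * 100))->addChunk(0, 'x'),
];
foreach ($abuse as $label => $attempt) {
    try {
        $attempt();
        echo "$label: ACCEPTED (bug)\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

The offset check is there so a client cannot resend an earlier chunk to reset the counters; all three counters (bytes, chunk count, offset) have to live server-side per upload, never in client-supplied parameters, or the same bypass returns in a different form.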

VuXML ID: f36bbd66-aa44-11e5-8f5c-002590263bf5
Description: mediawiki -- multiple vulnerabilities

MediaWiki reports:

(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error.

(T119309) SECURITY: Use hash_compare() for edit token comparison.

(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads.

(T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength.

(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued.

(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki.


Discovery: 2015-12-18
Entry: 2015-12-24

Affected packages:
  mediawiki123 < 1.23.12
  mediawiki124 < 1.24.5
  mediawiki125 < 1.25.4
  mediawiki126 < 1.26.1

CVEs:
  CVE-2015-8622
  CVE-2015-8623
  CVE-2015-8624
  CVE-2015-8625
  CVE-2015-8626
  CVE-2015-8627
  CVE-2015-8628

References:
  https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html
  https://phabricator.wikimedia.org/T117899
  https://phabricator.wikimedia.org/T119309
  https://phabricator.wikimedia.org/T118032
  https://phabricator.wikimedia.org/T115522
  https://phabricator.wikimedia.org/T97897
  https://phabricator.wikimedia.org/T109724
  http://www.openwall.com/lists/oss-security/2015/12/23/7
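Three of the fixes in the entry above are things an operator or extension author can check in their own code and configuration: the $wgArticlePath rule from T117899, the token comparison from T119309, and the cURL '@' handling from T118032. The following is an added example, not MediaWiki code; the function names are invented for it, the "0e..." token is a constructed value, and it assumes PHP 8 (the curl extension is only needed to call safeCurlPost()). The remark that hash_compare() was MediaWiki's backport of hash_equals() is this editor's understanding, not something the release note states.

```php
<?php
// Added example, not MediaWiki code: stand-alone checks for three of the fixes
// listed above. Function names are invented for this example. Requires PHP 8
// (str_starts_with); the curl extension is only needed for safeCurlPost().

// T117899: $wgArticlePath must be "/..." or "scheme://host/...". A bare "$1" or
// "wiki/$1" produces relative links, which the release note says enabled XSS.
function isSafeArticlePath(string $path): bool
{
    return str_starts_with($path, '/')
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $path) === 1;
}

// T119309: edit-token comparison. Loose == compares numeric strings as numbers,
// so two different "0e<digits>" strings compare equal, and it leaks timing.
function checkTokenLoose(string $expected, string $given): bool
{
    return $expected == $given;                        // the flawed comparison
}
function checkTokenSafe(string $expected, string $given): bool
{
    return hash_equals($expected, $given);             // constant-time, byte-exact (PHP >= 5.6);
}                                                      // hash_compare() was MediaWiki's backport (assumed)

// T118032: PHP < 7 cURL treats array POST values starting with '@' as files to
// upload. Sending a URL-encoded string instead removes the ambiguity entirely.
function postFieldsString(array $fields): string
{
    return http_build_query($fields, '', '&');        // '@' is encoded as %40
}

/** @return resource|\CurlHandle|false handle ready for curl_exec(); not executed here */
function safeCurlPost(string $url, array $fields)
{
    $ch = curl_init($url);
    if ($ch === false) {
        return false;
    }
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, postFieldsString($fields));
    if (defined('CURLOPT_SAFE_UPLOAD')) {               // belt-and-braces on PHP 5.5/5.6
        curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
    }
    return $ch;
}

// Constructed inputs; the four $wgArticlePath values are the release note's own.
foreach (['http://my.wiki.com/wiki/$1', '/wiki/$1', '$1', 'wiki/$1'] as $p) {
    printf("%-28s %s\n", $p, isSafeArticlePath($p) ? 'ok' : 'REJECT');
}

$stored = '0e830400451993494058024219903391';          // constructed token of the form 0e<digits>
$forged = '0e12345';
printf("loose ==: %s  hash_equals: %s\n",
    var_export(checkTokenLoose($stored, $forged), true),
    var_export(checkTokenSafe($stored, $forged), true));

echo postFieldsString(['title' => 'Main Page', 'comment' => '@/etc/passwd']), "\n";
```

Run stand-alone, the first two paths pass and the last two are rejected, the loose comparison accepts the forged token while hash_equals() rejects it, and the POST body comes out as a query string in which '@' and '/' are percent-encoded, so no cURL version can read it as a file path.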