Updated dokuwiki package fixes CVE-2014-9253
Publication date: 19 Dec 2014
Modification date: 19 Dec 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-9253
Description
The updated dokuwiki package fixes a security vulnerability: our current dokuwiki-20140929-1.1.mga4 package uses the dokuwiki-2014-09-29a source, which allows swf (application/x-shockwave-flash) uploads by default. This may be used for a cross-site scripting (XSS) attack, which enables attackers to inject client-side script into web pages viewed by other users (CVE-2014-9253). This update uses the dokuwiki-2014-09-29b hotfix source, which disables swf uploads by default and fixes the issue.
References
- https://bugs.mageia.org/show_bug.cgi?id=14807
- http://openwall.com/lists/oss-security/2014/12/15/4
- http://security.szurek.pl/dokuwiki-20140929a-xss.html
- https://www.dokuwiki.org/changes#release_2014-09-29_hrun
- http://en.wikipedia.org/wiki/Cross-site_scripting
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9253
SRPMS
4/core
- dokuwiki-20140929-1.2.mga4