Thorsten Glaser (tg) reports: Package: mediawiki-extensions-base Version: 2.9 Severity: grave Justification: user security hole Thanks to Joey Hess, who put <title></yurt></title> into his feed, and our FusionForge “pink popup” which displays invalid XHTML immediately, a user security hole could be identified today during MediaWiki validation at tarent solutions GmbH in mediawiki-extensions-base (RSS_Reader) and gforge-base (Codendi RSS widget). In mediawiki-extensions-base, this is an actual user security hole: JavaScript placed, properly escaped, into an RSS feed item’s title is executed on the page. (In FusionForge, <script> tags are stripped, but the invalid </yurt> is still emitted. I will not file a security bug against FusionForge because I do not believe it a user security hole there, but still commit a fix into FF’s git repo.) External links: http://www.mediawiki.org/wiki/Extension:RSS_Reader#0.2.6 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696179
Created mediawiki-rss tracking bugs for this issue Affects: fedora-16 [bug 891021]
Created mediawiki-rss tracking bugs for this issue Affects: epel-5 [bug 891022]
Created mediawiki119-RSS tracking bugs for this issue Affects: epel-6 [bug 891023]
This does not apply: this is a security bug against the RSS_Reader extension, but this is the RSS extension.