Bug 11157

Summary: mediawiki new security issues fixed in 1.20.7
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, luigiwalser, sysadmin-bugs
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/566715/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
Source RPM: mediawiki CVE:
Status comment:

Description Oden Eriksson 2013-09-04 13:50:00 CEST 
http://www.openwall.com/lists/oss-security/2013/09/04/5

"---------------------------- Original Message ----------------------------
Subject: [MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7
and 1.19.8
From:    "Chris Steipp" <csteipp@...imedia.org>
Date:    Tue, September 3, 2013 22:50
To:      mediawiki-announce@...ts.wikimedia.org
         "MediaWiki-l" <mediawiki-l@...ts.wikimedia.org>
         "Wikimedia developers" <wikitech-l@...ts.wikimedia.org>
--------------------------------------------------------------------------

I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and
1.19.8. These releases fix 3 security related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.

* Mozilla, and other developers, reported a full path disclosure in
MediaWiki, when an invalid language is specified in ResourceLoader
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46332>

* An internal review found several API modules allowed anti-CSRF tokens to
be accessed via JSONP.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=49090>

* Andreas Peetz reported an issue with the MediaWiki API where an invalid
property name could be used for XSS with older versions of Internet
Explorer.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=52746>


Additionally, the following extensions have been updated to fix security
issues:

* CentralAuth: An internal review found an authentication regression that
allowed an attacker to bypass authentication
<https://bugzilla.wikimedia.org/show_bug.cgi?id=52338>

* SyntaxHighlight_GeSHi: Mateusz Goik reported an XSS in the included
example.php script
<https://bugzilla.wikimedia.org/show_bug.cgi?id=49070>

* CheckUser: Alex Monk reported and fixed that CheckUser didn't require
anti-CSRF tokens for checking users
<https://bugzilla.wikimedia.org/show_bug.cgi?id=45019>

* Wikibase: Liangent reported and fixed an XSS
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53472>

* LiquidThreads: Alex Monk reported and fixed an XSS
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53320>



Full release notes for 1.21.2:
<https://www.mediawiki.org/wiki/Release_notes/1.21>

Full release notes for 1.20.7:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.8:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************
   1.21.2
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz

Patch to previous version (1.21.1):
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.20.7
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz

Patch to previous version (1.20.6):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.19.8
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz

Patch to previous version (1.19.7):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth

**********************************************************************
   Extension:SyntaxHighlight_GeSHi
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi

**********************************************************************
   Extension:CheckUser
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CheckUser

**********************************************************************
   Extension:Wikibase
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:Wikibase

**********************************************************************
   Extension:LiquidThreads
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:LiquidThreads"


Reproducible: 

Steps to Reproduce:
David Walser 2013-09-04 14:31:36 CEST

Version: 2 => Cauldron
Assignee: bugsquad => luigiwalser
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-09-04 16:39:42 CEST 
Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

I don't believe we have any of the extensions mentioned packaged.

I'll post an advisory once the CVEs have been assigned.  It can be tested now.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
https://www.mediawiki.org/wiki/Release_notes/1.20
========================================
Updated packages in core/updates_testing:
========================================
mediawiki-1.20.7-1.mga2
mediawiki-mysql-1.20.7-1.mga2
mediawiki-pgsql-1.20.7-1.mga2
mediawiki-sqlite-1.20.7-1.mga2
mediawiki-1.20.7-1.mga3
mediawiki-mysql-1.20.7-1.mga3
mediawiki-pgsql-1.20.7-1.mga3
mediawiki-sqlite-1.20.7-1.mga3

from SRPMS:
mediawiki-1.20.7-1.mga2.src.rpm
mediawiki-1.20.7-1.mga3.src.rpm

CC: (none) => luigiwalser
Version: Cauldron => 3
Assignee: luigiwalser => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

David Walser 2013-09-04 16:39:56 CEST

Summary: multiple vulnerabilities in mediawiki => mediawiki new security issues fixed in 1.20.7

Comment 2 David Walser 2013-09-05 18:41:14 CEST 
Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Full path disclosure in MediaWiki before 1.20.7, when an invalid language is
specified in ResourceLoader (CVE-2013-4301).

Several API modules in MediaWiki before 1.20.7 allowed anti-CSRF tokens to be
accessed via JSONP (CVE-2013-4302).

An issue with the MediaWiki API in MediaWiki before 1.20.7 where an invalid
property name could be used for XSS with older versions of Internet Explorer
(CVE-2013-4303).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4303
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
https://www.mediawiki.org/wiki/Release_notes/1.20
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.20.7-1.mga2
mediawiki-mysql-1.20.7-1.mga2
mediawiki-pgsql-1.20.7-1.mga2
mediawiki-sqlite-1.20.7-1.mga2
mediawiki-1.20.7-1.mga3
mediawiki-mysql-1.20.7-1.mga3
mediawiki-pgsql-1.20.7-1.mga3
mediawiki-sqlite-1.20.7-1.mga3

from SRPMS:
mediawiki-1.20.7-1.mga2.src.rpm
mediawiki-1.20.7-1.mga3.src.rpm
Comment 3 Dave Hodgins 2013-09-06 01:46:24 CEST 
Testing complete both arches, both releases and advisory committed to svn.

Someone from the sysadmin team please push 11157.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Oden Eriksson 2013-09-06 09:36:46 CEST 
http://www.openwall.com/lists/oss-security/2013/09/05/5

"Top posting because I'm lazy

CVE-2013-4301 MediaWiki full path disclosure in MediaWiki 46332
CVE-2013-4302 MediaWiki CSRF token access 49090
CVE-2013-4303 MediaWiki XSS with IE 52746
CVE-2013-4304 MediaWiki CentralAuth auth bypass
CVE-2013-4305 MediaWiki SyntaxHighlight_GeSHi XSS
CVE-2013-4306 MediaWiki CheckUser CSRF bypass
CVE-2013-4307 MediaWiki Wikibase XSS
CVE-2013-4308 MediaWiki LiquidThreads XSS"
Comment 5 David Walser 2013-09-06 12:11:39 CEST 
(In reply to Oden Eriksson from comment #4)
> http://www.openwall.com/lists/oss-security/2013/09/05/5
> 
> "Top posting because I'm lazy
> 
> CVE-2013-4301 MediaWiki full path disclosure in MediaWiki 46332
> CVE-2013-4302 MediaWiki CSRF token access 49090
> CVE-2013-4303 MediaWiki XSS with IE 52746
> CVE-2013-4304 MediaWiki CentralAuth auth bypass
> CVE-2013-4305 MediaWiki SyntaxHighlight_GeSHi XSS
> CVE-2013-4306 MediaWiki CheckUser CSRF bypass
> CVE-2013-4307 MediaWiki Wikibase XSS
> CVE-2013-4308 MediaWiki LiquidThreads XSS"

Yes I saw that, but like I said, I don't believe we're shipping the plugins for those other CVEs.
David Walser 2013-09-13 17:42:45 CEST

URL: http://www.openwall.com/lists/oss-security/2013/09/04/5 => http://lwn.net/Vulnerabilities/566715/

Comment 6 Nicolas Vigier 2013-09-13 22:22:04 CEST 
http://advisories.mageia.org/MGASA-2013-0276.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:04:29 CEST

CC: boklm => (none)