Bug 13833

Procedure: https://wiki.mageia.org/en/QA_procedure:Mediawiki

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Working fine on our production wiki at work (Mageia 4 i586).

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK

Tested on x86_64 with MySQL backend using the following procedures:

https://wiki.mageia.org/en/QA_procedure:Mediawiki

Successful install with no errors.  Played around with it for a while and still

I also tested the following bug from the previous version: https://bugzilla.wikimedia.org/show_bug.cgi?id=66608

Looks like it's fixed.  Doesn't try to XSS, just redirects to your index.

CC: (none) => markkuehn
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK, MGA4-64-OK

Tested updating and creating new MediaWiki 1.23.2 instances using MySQL, PostgreSQL and Sqlite on Mageia 3 i586, Mageia 3 x86_64, Mageia 4 i586 and Mageia 4 x86_64.

Before updating, tried one PoC:

1. Tested for JSONP injection MediaWiki bug 38187 (CVE-2014-4671).

Requesting .../api.php?action=query&format=json&callback=pwned from the wiki's returned 'pwned([])'.

Had 'pwned' been a cleverly crafted embedded SWF, converted to only alphanumeric characters in order to abuse JSONP endpoints, sensitive data could be obtained from this server by it using GET requests and sent to an outside server using POSTs.

After updating to 1.23.2 and creating new instances, the request returned '/**/pwned([])â, which starts with illegal characters, thus disabling the exploit.

I didnât test bug 66608. I seems xpdf-tools in only available from outside sources. Bug 65778 is restricted, so didnât test that either.

All database backends function as expected. No problems creating new pages or uploading images. All is well and normal.


------------------------------------------
Update validated.
Thanks.

Advisory:
This update provides a number of bug and security fixes. CVEs Pending.

SRPM: mediawiki-1.23.1-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: MGA3TOO has_procedure MGA4-32-OK, MGA4-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

MediaWiki before 1.23.2 is vulnerable to JSONP injection in Flash, XSS in
mediawiki.page.image.pagination.js, and clickjacking between OutputPage and
ParserOutput.

This update provides MediaWiki 1.23.2, fixing these and other issues.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html

Advisory uploaded.

Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory

Update pushed.

http://advisories.mageia.org/MGASA-2014-0309.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

CVEs have finally been assigned:
http://openwall.com/lists/oss-security/2014/08/14/5

Updated advisory.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

MediaWiki before 1.23.2 is vulnerable to JSONP injection in Flash
(CVE-2014-5241), XSS in mediawiki.page.image.pagination.js (CVE-2014-5242),
and clickjacking between OutputPage and ParserOutput (CVE-2014-5243).

This update provides MediaWiki 1.23.2, fixing these and other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5243
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html
http://openwall.com/lists/oss-security/2014/08/14/5

Advisory updated.

Debian has issued an advisory for this on August 23:
https://www.debian.org/security/2014/dsa-3011

LWN reference with the CVEs:
http://lwn.net/Vulnerabilities/609501/