Bug 14807

Summary: dokuwiki new security issue CVE-2014-9253
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/627328/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Source RPM: dokuwiki-20140929-1.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-15 19:58:43 CET 
A CVE has been assigned for an issued fixed upstream in 20140929b:
http://openwall.com/lists/oss-security/2014/12/15/4

This was from a security hotfix:
https://www.dokuwiki.org/changes#release_2014-09-29_hrun

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-12-15 19:58:52 CET

Whiteboard: (none) => MGA4TOO

Comment 1 Atilla ÖNTAŞ 2014-12-15 22:51:40 CET 
Updated and submitted to Cauldron. Will prepare an advisory for Mga4 soon.
Comment 2 Atilla ÖNTAŞ 2014-12-15 23:13:22 CET 
I have uploaded a updated dokuwiki package for Mageia 4.

Suggested advisory:
========================

Updated dokuwiki package fix a security vulnerability:

Our current dokuwiki-20140929-1.1.mga4 package uses dokuwiki-2014-09-29a source which allows swf (application/x-shockwave-flash) uploads by default. This may be used for Cross-site scripting (XSS) attack which enables attackers to inject client-side script into Web pages viewed by other users. (CVE-2014-9253).

This update uses dokuwiki-2014-09-29b hotfix source which disables swf uploads by default and fixes the issue.

References:
http://openwall.com/lists/oss-security/2014/12/15/4
http://security.szurek.pl/dokuwiki-20140929a-xss.html
https://www.dokuwiki.org/changes#release_2014-09-29_hrun
http://en.wikipedia.org/wiki/Cross-site_scripting
========================

Updated packages in core/updates_testing:
========================
dokuwiki-20140929-1.2.mga4

Source RPMs: 
dokuwiki-20140929-1.2.mga4.src.rpm

Version: Cauldron => 4
Assignee: tarakbumba => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 3 David Walser 2014-12-16 22:43:50 CET 
Works fine on Mageia 4 i586.

Whiteboard: (none) => MGA4-32-OK

Comment 4 Herman Viaene 2014-12-18 15:44:48 CET 
MGA4-64 on HP Probook 6555b
Dokuwiki Installer opens, I did notgo any further

CC: (none) => herman.viaene
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 5 claire robinson 2014-12-18 22:40:49 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-12-19 16:17:32 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0540.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2014-12-22 20:27:33 CET 
(In reply to Mageia Robot from comment #6)
> An update for this issue has been pushed to Mageia Updates repository.
> 
> http://advisories.mageia.org/MGASA-2014-0540.html

The title of that page spelled the package name incorrectly.

URL: (none) => http://lwn.net/Vulnerabilities/627328/