| Summary: | mediawiki new security issues fixed upstream in 1.23.8 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/627588/ | ||
| Whiteboard: | has_procedure advisory MGA4-64-OK MGA4-32-OK | ||
| Source RPM: | mediawiki-1.23.7-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-12-21 14:38:18 CET
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Mediawiki Whiteboard:
(none) =>
has_procedure MGA4-64 on HP Probook 6555b Followed procedure as in Comment 1 (I did not create a wiki with the old packages) and did create a new wiki, edited the starting page end added a second page. CC:
(none) =>
herman.viaene I used the Postgres backend. MGA4-32 on Acer D620 Followed procedure as in Comment 1 (I did not create a wiki with the old packages), used Postgres as backend. I created a new wiki, edited the starting page end added a second page. Whiteboard:
has_procedure MGA4-64-OK =>
has_procedure MGA4-64-OK MGA-32-OK
claire robinson
2014-12-24 11:24:17 CET
Whiteboard:
has_procedure MGA4-64-OK MGA-32-OK =>
has_procedure MGA4-64-OK MGA4-32-OK Need an advisory for this one please David. Still no CVE assignments. Debian has issued an advisory for the first of the two issues on December 23: https://www.debian.org/security/2014/dsa-3110 Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: In MediaWiki before 1.23.8, thumb.php outputs wikitext message as raw HTML, which could lead to cross-site scripting. Permission to edit MediaWiki namespace is required to exploit this. In MediaWiki before 1.23.8, a malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name. References: https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html URL:
(none) =>
http://lwn.net/Vulnerabilities/627588/ Validating. Advisory uploaded. Please push to updates Thanks Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0555.html Status:
NEW =>
RESOLVED MITRE has finally assigned CVEs: http://openwall.com/lists/oss-security/2015/01/03/13 Could someone update the advisory in SVN? Thanks. Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: In MediaWiki before 1.23.8, thumb.php outputs wikitext message as raw HTML, which could lead to cross-site scripting. Permission to edit MediaWiki namespace is required to exploit this (CVE-2014-9475). In MediaWiki before 1.23.8, a malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name (CVE-2014-9476). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9476 https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html http://openwall.com/lists/oss-security/2015/01/03/13 LWN reference containing both issues: http://lwn.net/Vulnerabilities/628835/ |