| Summary: | dokuwiki new security issues CVE-2011-3727 and CVE-2012-3354 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | minor | ||
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/522072/ | ||
| Whiteboard: | MGA2-64-OK MGA2-32-OK | ||
| Source RPM: | dokuwiki-20120125-1.mga2.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2012-11-01 20:45:40 CET

David Walser
2012-11-01 20:45:47 CET

Whiteboard: (none) => MGA2TOO

Updated packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated dokuwiki package fixes security vulnerabilities:

DokuWiki 2009-12-25c allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by lib/tpl/index.php and certain other files (CVE-2011-3727).

A full path disclosure flaw was found in the way DokuWiki, a standards compliant, simple to use Wiki, performed sanitization of the HTTP POST 'prefix' input value prior to passing it to the underlying PHP substr() routine, when the PHP error level has been enabled on the particular server. A remote attacker could use this flaw to obtain the full path location of a particular requested DokuWiki page by issuing a specially-crafted HTTP POST request (CVE-2012-3354).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3727
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3354
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090899.html
========================

Updated packages in core/updates_testing:
========================
dokuwiki-20121013-1.mga2

from dokuwiki-20121013-1.mga2.src.rpm

Version: Cauldron => 2

I'm testing this now. Can you confirm this includes the fix for CVE-2012-0283 mentioned in the Fedora announcement?

CC: (none) => davidwhodgins

Testing complete on Mageia 2 i586 and x86-64.

As this update was tested with the new version of php, please push after, or at the same time as, the update validated in bug 8164.

Could someone from the sysadmin team push the srpm dokuwiki-20121013-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates?

Advisory:

Updated dokuwiki package fixes security vulnerabilities:

DokuWiki 2009-12-25c allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by lib/tpl/index.php and certain other files (CVE-2011-3727).

A full path disclosure flaw was found in the way DokuWiki, a standards compliant, simple to use Wiki, performed sanitization of the HTTP POST 'prefix' input value prior to passing it to the underlying PHP substr() routine, when the PHP error level has been enabled on the particular server. A remote attacker could use this flaw to obtain the full path location of a particular requested DokuWiki page by issuing a specially-crafted HTTP POST request (CVE-2012-3354).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3727
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3354
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090899.html
https://bugs.mageia.org/show_bug.cgi?id=7950

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0362

Status: NEW => RESOLVED
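The CVE-2012-3354 advisory above describes two things combining into a full path disclosure: a request value reaching substr() without a type check, and PHP diagnostics being shown to the client. The following added example (not DokuWiki's or the Mageia package's code; the function names, the allowed 'prefix' character set and the PHP 7.1+ requirement are assumptions) shows that pattern next to a hardened version.

```php
<?php
// Added illustrative example, not DokuWiki's code. Assumes PHP 7.1 or later.

// Unsafe pattern: a request value goes straight into substr(). If the value is
// not a string, PHP 7 emits a warning (PHP 8 throws a TypeError); either way
// the diagnostic names this file's absolute path, and with display_errors
// enabled it is written into the HTTP response the client receives.
function unsafe_prefix($raw)
{
    return substr($raw, 0, 64);
}

// Hardened form: validate type and content first. Returns null for
// unacceptable input so the caller can answer with a generic error.
function safe_prefix($raw, int $maxlen = 64): ?string
{
    // Request parameters are not guaranteed to be strings; refuse anything else
    // instead of letting a PHP-level type error describe the server layout.
    if (!is_string($raw)) {
        return null;
    }
    // Assumed character set for a page prefix; adjust to the application's rules.
    if (!preg_match('/^[A-Za-z0-9_:.\-]*$/', $raw)) {
        return null;
    }
    return substr($raw, 0, $maxlen);
}

// Server-side setting that closes the disclosure channel even if a type check
// is missed somewhere: log diagnostics, never display them. Prefer setting
// these in php.ini so they apply before any script runs.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$prefix = safe_prefix($_POST['prefix'] ?? '');
if ($prefix === null) {
    http_response_code(400);
    exit('Bad request');   // generic body: no paths, no internal messages
}
```

With display_errors off, a missed check still shows up in the server error log, which is the place to watch for repeated substr() type warnings on the same script.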