http://www.openwall.com/lists/oss-security/2013/09/04/5

"---------------------------- Original Message ----------------------------
Subject: [MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8
From: "Chris Steipp" <csteipp@...imedia.org>
Date: Tue, September 3, 2013 22:50
To: mediawiki-announce@...ts.wikimedia.org
    "MediaWiki-l" <mediawiki-l@...ts.wikimedia.org>
    "Wikimedia developers" <wikitech-l@...ts.wikimedia.org>
--------------------------------------------------------------------------

I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and 1.19.8. These releases fix 3 security related bugs that could affect users of MediaWiki. Download links are given at the end of this email.

* Mozilla, and other developers, reported a full path disclosure in MediaWiki, when an invalid language is specified in ResourceLoader
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=46332>

* An internal review found several API modules allowed anti-CSRF tokens to be accessed via JSONP.
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=49090>

* Andreas Peetz reported an issue with the MediaWiki API where an invalid property name could be used for XSS with older versions of Internet Explorer.
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=52746>

Additionally, the following extensions have been updated to fix security issues:

* CentralAuth: An internal review found an authentication regression that allowed an attacker to bypass authentication
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=52338>

* SyntaxHighlight_GeSHi: Mateusz Goik reported an XSS in the included example.php script
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=49070>

* CheckUser: Alex Monk reported and fixed that CheckUser didn't require anti-CSRF tokens for checking users
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=45019>

* Wikibase: Liangent reported and fixed an XSS
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=53472>

* LiquidThreads: Alex Monk reported and fixed an XSS
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=53320>

Full release notes for 1.21.2:
<https://www.mediawiki.org/wiki/Release_notes/1.21>

Full release notes for 1.20.7:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.8:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
1.21.2
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz

Patch to previous version (1.21.1):
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.20.7
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz

Patch to previous version (1.20.6):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.19.8
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz

Patch to previous version (1.19.7):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Extension:CentralAuth
**********************************************************************

Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth

**********************************************************************
Extension:SyntaxHighlight_GeSHi
**********************************************************************

Information and Download:
https://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi

**********************************************************************
Extension:CheckUser
**********************************************************************

Information and Download:
https://www.mediawiki.org/wiki/Extension:CheckUser

**********************************************************************
Extension:Wikibase
**********************************************************************

Information and Download:
https://www.mediawiki.org/wiki/Extension:Wikibase

**********************************************************************
Extension:LiquidThreads
**********************************************************************

Information and Download:
https://www.mediawiki.org/wiki/Extension:LiquidThreads"
Version: 2 => Cauldron
Assignee: bugsquad => luigiwalser
Whiteboard: (none) => MGA3TOO, MGA2TOO
Updated packages uploaded for Mageia 2, Mageia 3, and Cauldron.

I don't believe we have any of the extensions mentioned packaged.

I'll post an advisory once the CVEs have been assigned. It can be tested now.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
https://www.mediawiki.org/wiki/Release_notes/1.20
========================================

Updated packages in core/updates_testing:
========================================
mediawiki-1.20.7-1.mga2
mediawiki-mysql-1.20.7-1.mga2
mediawiki-pgsql-1.20.7-1.mga2
mediawiki-sqlite-1.20.7-1.mga2
mediawiki-1.20.7-1.mga3
mediawiki-mysql-1.20.7-1.mga3
mediawiki-pgsql-1.20.7-1.mga3
mediawiki-sqlite-1.20.7-1.mga3

from SRPMS:
mediawiki-1.20.7-1.mga2.src.rpm
mediawiki-1.20.7-1.mga3.src.rpm
CC: (none) => luigiwalser
Version: Cauldron => 3
Assignee: luigiwalser => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Summary: multiple vulnerabilities in mediawiki => mediawiki new security issues fixed in 1.20.7
Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

Full path disclosure in MediaWiki before 1.20.7, when an invalid language is specified in ResourceLoader (CVE-2013-4301).

Several API modules in MediaWiki before 1.20.7 allowed anti-CSRF tokens to be accessed via JSONP (CVE-2013-4302).

An issue with the MediaWiki API in MediaWiki before 1.20.7 where an invalid property name could be used for XSS with older versions of Internet Explorer (CVE-2013-4303).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4303
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
https://www.mediawiki.org/wiki/Release_notes/1.20
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.20.7-1.mga2
mediawiki-mysql-1.20.7-1.mga2
mediawiki-pgsql-1.20.7-1.mga2
mediawiki-sqlite-1.20.7-1.mga2
mediawiki-1.20.7-1.mga3
mediawiki-mysql-1.20.7-1.mga3
mediawiki-pgsql-1.20.7-1.mga3
mediawiki-sqlite-1.20.7-1.mga3

from SRPMS:
mediawiki-1.20.7-1.mga2.src.rpm
mediawiki-1.20.7-1.mga3.src.rpm
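The JSONP token issue in the advisory (CVE-2013-4302) is the one of the three that a packager or wiki admin can verify directly: a JSONP response is `callback(<json>);`, which any third-party page can load with a `<script src=...>` tag, so an anti-CSRF token included in it is readable cross-origin and defeats the token's purpose. The check below is an added example, not MediaWiki or Mageia code. It unwraps a JSONP body, walks the parsed API response for token-bearing keys (the `tokens` container of `action=tokens` and the `*token` fields that `prop=info&intoken=` produces) and reports a leak only when a callback wrapper was present. The three sample responses are constructed for this example, not captured from a real wiki; the post-fix response shape (a warning instead of a token) and the `https://wiki.example.org/w/api.php` URL are assumptions.

```python
"""Offline check for anti-CSRF tokens exposed through JSONP (CVE-2013-4302 class).

Added example, not MediaWiki code. The sample bodies below are constructed.
"""
import json
import re

# callback(<json>);  -- optionally prefixed with /**/ as some servers do
_JSONP_RE = re.compile(r'^\s*(?:/\*\*/)?([A-Za-z_$][\w$.]*)\s*\((.*)\)\s*;?\s*$', re.S)

# Constructed pre-fix response to action=tokens&type=edit&callback=getToken:
# the token sits inside the callback wrapper, readable by any origin.
VULNERABLE_RESPONSE = r'getToken({"tokens":{"edittoken":"0123456789abcdef0123456789abcdef+\\"}})'

# Assumed post-fix shape: the module refuses to issue a token on a callback
# request and only returns a warning (exact wording is an assumption).
FIXED_RESPONSE = '/**/getToken({"warnings":{"tokens":{"*":"Tokens may not be obtained when using a callback"}}})'

# Same token over plain JSON (no callback): only readable same-origin, so not this bug.
PLAIN_RESPONSE = r'{"query":{"pages":{"1":{"pageid":1,"edittoken":"0123456789abcdef0123456789abcdef+\\"}}}}'


def unwrap_jsonp(body):
    """Return (callback_name, parsed_json); callback_name is None for plain JSON."""
    m = _JSONP_RE.match(body)
    if m:
        return m.group(1), json.loads(m.group(2))
    return None, json.loads(body)


def find_tokens(obj, path=""):
    """Walk a parsed API response and return [(path, value)] for token-like keys.

    'warnings' and 'error' subtrees are skipped: they carry messages, not tokens.
    """
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}/{k}"
            if k in ("warnings", "error"):
                continue
            if k == "tokens" and isinstance(v, dict):
                found.extend((f"{p}/{kk}", vv) for kk, vv in v.items())
            elif k.endswith("token") and isinstance(v, str):
                found.append((p, v))
            else:
                found.extend(find_tokens(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(find_tokens(v, f"{path}[{i}]"))
    return found


def leaked_token_paths(body):
    """Paths of tokens that a cross-origin <script> load could read.

    Only a JSONP-wrapped body counts: plain JSON is not executable as a script.
    """
    callback, data = unwrap_jsonp(body)
    if callback is None:
        return []
    return [p for p, _ in find_tokens(data)]


def probe(api_url, callback="getToken"):
    """Live check (needs network): request action=tokens with a callback.

    api_url is the wiki's api.php, e.g. https://wiki.example.org/w/api.php
    (assumed; substitute the wiki under test). Returns the leaked token paths.
    """
    from urllib.parse import urlencode
    from urllib.request import urlopen
    qs = urlencode({"action": "tokens", "type": "edit", "format": "json", "callback": callback})
    with urlopen(f"{api_url}?{qs}") as resp:
        body = resp.read().decode("utf-8")
    return leaked_token_paths(body)


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://wiki.example.org/w/api.php"
    paths = probe(url)
    print("LEAK" if paths else "OK", paths)
```

Run it as `python3 check_jsonp_tokens.py https://wiki.example.org/w/api.php` against a 1.20.6 install and again after the 1.20.7 update; a non-empty list means tokens still come back inside the callback. The same `leaked_token_paths` check applies to the older `action=query&prop=info&intoken=edit&callback=...` form, since `find_tokens` picks up the per-page `edittoken` fields as well.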
Testing complete both arches, both releases and advisory committed to svn. Someone from the sysadmin team please push 11157.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
http://www.openwall.com/lists/oss-security/2013/09/05/5

"Top posting because I'm lazy

CVE-2013-4301 MediaWiki full path disclosure in MediaWiki 46332
CVE-2013-4302 MediaWiki CSRF token access 49090
CVE-2013-4303 MediaWiki XSS with IE 52746
CVE-2013-4304 MediaWiki CentralAuth auth bypass
CVE-2013-4305 MediaWiki SyntaxHighlight_GeSHi XSS
CVE-2013-4306 MediaWiki CheckUser CSRF bypass
CVE-2013-4307 MediaWiki Wikibase XSS
CVE-2013-4308 MediaWiki LiquidThreads XSS"
(In reply to Oden Eriksson from comment #4)
> http://www.openwall.com/lists/oss-security/2013/09/05/5
> 
> "Top posting because I'm lazy
> 
> CVE-2013-4301 MediaWiki full path disclosure in MediaWiki 46332
> CVE-2013-4302 MediaWiki CSRF token access 49090
> CVE-2013-4303 MediaWiki XSS with IE 52746
> CVE-2013-4304 MediaWiki CentralAuth auth bypass
> CVE-2013-4305 MediaWiki SyntaxHighlight_GeSHi XSS
> CVE-2013-4306 MediaWiki CheckUser CSRF bypass
> CVE-2013-4307 MediaWiki Wikibase XSS
> CVE-2013-4308 MediaWiki LiquidThreads XSS"

Yes I saw that, but like I said, I don't believe we're shipping the plugins for those other CVEs.
URL: http://www.openwall.com/lists/oss-security/2013/09/04/5 => http://lwn.net/Vulnerabilities/566715/
http://advisories.mageia.org/MGASA-2013-0276.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)