MediaWiki has announced the release of version 1.20.8 on November 14: http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html It fixes a few security issues and a few bugs. Mageia 3 is also affected. The update has been committed in SVN and a freeze push has been requested. Fedora has issued an advisory for this on November 23: https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
URL: (none) => http://lwn.net/Vulnerabilities/575400/
Updated packages uploaded for Mageia 3 and Cauldron. Assigning to QA now. Does anyone know if the extra CVEs for the extensions mentioned in the upstream advisory are relevant? Are they part of the core mediawiki package? Due to this question, advisory to come later. ---------------------------------------- Updated packages in core/updates_testing: ---------------------------------------- mediawiki-1.20.8-1.mga3 mediawiki-mysql-1.20.8-1.mga3 mediawiki-pgsql-1.20.8-1.mga3 mediawiki-sqlite-1.20.8-1.mga3 from mediawiki-1.20.8-1.mga3.src.rpm
Version: Cauldron => 3Assignee: bugsquad => qa-bugsWhiteboard: MGA3TOO => (none)
The poc from https://bugzilla.wikimedia.org/show_bug.cgi?id=55332#c0 is not working here, so will just be testing that the updated version works.
CC: (none) => davidwhodgins
Created attachment 4574 [details] image of page created with the prior version of mediawiki
Created attachment 4575 [details] Image of page created with the updates testing version of mediawiki Both pages were created by pasting in <p style="font-size: 100px; background-image: url\b(https://www.google.com/images/srpr/logo6w.png)">A</p> taken from https://bugzilla.wikimedia.org/show_bug.cgi?id=55332#c0 As shown, with a page created with the updates testing version, the font-size is now being ignored. Is this intended? Note that both images are being displayed with the updates testing version. Identical results on both i586 and x86_64.
Whiteboard: (none) => feedback
Ignore comment 4. If I just put in <p style="font-size: 100px;">A</p> the font size is respected.
Whiteboard: feedback => MGA3-64-OK MGA3-32-OK
Just need an advisory for this one please David
Looking at the file list in the package, I don't believe those extensions are part of the package. Advisory: ======================== Updated mediawiki packages fix security vulnerabilities: Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached, and returned to other users (CVE-2013-4572). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4567 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4568 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4572 http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html ======================== Updated packages in core/updates_testing: ======================== mediawiki-1.20.8-1.mga3 mediawiki-mysql-1.20.8-1.mga3 mediawiki-pgsql-1.20.8-1.mga3 mediawiki-sqlite-1.20.8-1.mga3 from mediawiki-1.20.8-1.mga3.src.rpm
Thanks David. Advisory uploaded. Validating Could sysadmin please push from 3 core/updates_testing to updates Thanks!
Keywords: (none) => validated_updateWhiteboard: MGA3-64-OK MGA3-32-OK => advisory MGA3-64-OK MGA3-32-OKCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0368.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED