CVEs have been issued for three security issues fixed in MediaWiki 1.22.3:
http://openwall.com/lists/oss-security/2014/03/01/2

This version was announced on February 28:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

MediaWiki before 1.22.3 does not block unsafe namespaces, such as a W3C XHTML namespace, in uploaded SVG files. Some client software may use these namespaces in a way that results in XSS. This was fixed by disallowing uploading SVG files using non-whitelisted namespaces (CVE-2014-2242).

MediaWiki before 1.22.3 performs token comparison that may be vulnerable to timing attacks. This was fixed by making token comparison use constant time (CVE-2014-2243).

MediaWiki before 1.22.3 could allow an attacker to perform XSS attacks, due to flaw with link handling in api.php. This was fixed such that it won't find links in the middle of api.php links (CVE-2014-2244).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2244
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
http://openwall.com/lists/oss-security/2014/03/01/2
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.22.3-1.mga3
mediawiki-mysql-1.22.3-1.mga3
mediawiki-pgsql-1.22.3-1.mga3
mediawiki-sqlite-1.22.3-1.mga3
mediawiki-1.22.3-1.mga4
mediawiki-mysql-1.22.3-1.mga4
mediawiki-pgsql-1.22.3-1.mga4
mediawiki-sqlite-1.22.3-1.mga4

from SRPMS:
mediawiki-1.22.3-1.mga3.src.rpm
mediawiki-1.22.3-1.mga4.src.rpm
URL: (none) => qa-bugs@ml.mageia.org
Version: Cauldron => 4
Source RPM: mediawiki-1.22.2-2.mga5.src.rpm => mediawiki-1.22.2-3.mga5.src.rpm
Whiteboard: (none) => MGA3TOO
I did it again :o( QA is not a URL.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

MediaWiki before 1.22.3 does not block unsafe namespaces, such as a W3C XHTML namespace, in uploaded SVG files. Some client software may use these namespaces in a way that results in XSS. This was fixed by disallowing uploading SVG files using non-whitelisted namespaces (CVE-2014-2242).

MediaWiki before 1.22.3 performs token comparison that may be vulnerable to timing attacks. This was fixed by making token comparison use constant time (CVE-2014-2243).

MediaWiki before 1.22.3 could allow an attacker to perform XSS attacks, due to flaw with link handling in api.php. This was fixed such that it won't find links in the middle of api.php links (CVE-2014-2244).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2244
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
http://openwall.com/lists/oss-security/2014/03/01/2
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.22.3-1.mga3
mediawiki-mysql-1.22.3-1.mga3
mediawiki-pgsql-1.22.3-1.mga3
mediawiki-sqlite-1.22.3-1.mga3
mediawiki-1.22.3-1.mga4
mediawiki-mysql-1.22.3-1.mga4
mediawiki-pgsql-1.22.3-1.mga4
mediawiki-sqlite-1.22.3-1.mga4

from SRPMS:
mediawiki-1.22.3-1.mga3.src.rpm
mediawiki-1.22.3-1.mga4.src.rpm
URL: qa-bugs@ml.mageia.org => (none)
Assignee: bugsquad => qa-bugs
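An added example, not part of the bug report and not MediaWiki's code: one way to implement the kind of namespace allowlist check the advisory describes for uploaded SVG files (CVE-2014-2242). The allowlist contents, the function and exception names, and the sample files are assumptions made for illustration.

```python
import xml.parsers.expat

# Illustrative allowlist (an assumption for this example, not MediaWiki's list).
ALLOWED_NAMESPACES = {
    "",                                      # names in no namespace
    "http://www.w3.org/2000/svg",
    "http://www.w3.org/1999/xlink",
    "http://www.w3.org/XML/1998/namespace",  # xml:space, xml:lang
}

class UnsafeSvg(Exception):
    """Raised when the file cannot be checked safely."""

def unlisted_namespaces(data):
    """Return the sorted namespace URIs in `data` that are not allowlisted."""
    found = set()
    # With a separator set, expat reports names as "<uri> <local-name>".
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def record(uri):
        if uri not in ALLOWED_NAMESPACES:
            found.add(uri)

    def namespace_of(name):
        return name.rsplit(" ", 1)[0] if " " in name else ""

    def on_namespace_decl(prefix, uri):
        record(uri or "")  # also catches namespaces declared but never used

    def on_start_element(name, attrs):
        record(namespace_of(name))
        for attr_name in attrs:
            record(namespace_of(attr_name))

    def on_entity_decl(*_args):
        # Refuse entity definitions so the check never has to expand them.
        raise UnsafeSvg("entity declarations are not accepted")

    parser.StartNamespaceDeclHandler = on_namespace_decl
    parser.StartElementHandler = on_start_element
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeSvg("not well-formed XML: %s" % exc)
    return sorted(found)

# Constructed sample inputs: an ordinary SVG and one that pulls in XHTML.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="#x"><rect width="1" height="1"/></a></svg>'
XHTML_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:h="http://www.w3.org/1999/xhtml"><h:div>text</h:div></svg>'
```

An upload handler built on this would accept a file only when the returned list is empty and treat `UnsafeSvg` as a rejection.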
Up and running just fine on my production wiki at work (Mageia 3 i586).
possible PoC? https://bugzilla.wikimedia.org/show_bug.cgi?id=60771
CC: (none) => marc.lattemann
PoC does not work, so testing updating installed wiki and installation of new wiki. Tested successfully on Mageia 4 32bit for sqlite, mysql and postgresql
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK
Tested successfully on Mageia 4 64bit for sqlite, mysql and postgresql
Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO MGA4-32-OK MGA4-64-OK
Advisory from comment 2 uploaded.
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO advisory MGA4-32-OK MGA4-64-OK
Testing complete mga3 64 mysql, pgsql & sqlite

Installed, configured, saved LocalSettings.php to /etc/mediawiki/ & browsed the new wiki.

Updated and confirmed the Mediawiki Updater runs.

Preparing... ###
1/2: mediawiki-mysql ###
2/2: mediawiki ###
MediaWiki 1.22.3 Updater

Going to run database updates for my_wiki
Depending on the size of your database this may take a while!
...have ipb_id field in ipblocks table.
...have ipb_expiry field in ipblocks table.
...already have interwiki table
...indexes seem up to 20031107 standards.
...hitcounter table already exists.
...etc

Wiki is still ok after the update.

If installing remotely it's necessary to alter the two 'Require local' lines in /etc/httpd/conf/sites.d/mediawiki.conf to something less restrictive eg. 'Require all granted' and then reload httpd service.

Remember to delete /etc/mediawiki/LocalSettings.php between installations for the various databases.
Whiteboard: MGA3TOO advisory MGA4-32-OK MGA4-64-OK => MGA3TOO advisory mga3-64-ok MGA4-32-OK MGA4-64-OK
As comment 3 indicates it's been tested on Mageia 3 i586, I'll go ahead and validate the update. Someone from the sysadmin team please push 12931.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO advisory mga3-64-ok MGA4-32-OK MGA4-64-OK => MGA3TOO advisory mga3-64-ok MGA4-32-OK MGA4-64-OK mga3-32-ok
CC: (none) => davidwhodgins, sysadmin-bugs
Tested for mga3 32bit update of existing and installation of new wiki for sqlite, mysql and postgresql.

Following issue found in the journalctl log:
Mar 07 20:04:06 MGA3_32bit suhosin[4128]: ALERT - script tried to disable memory_limit by setting it to a negative value -1 bytes which is not allowed (attacker 'REMOTE_ADDR not set', file '/usr/share/mediawiki/maintenance/Maintenance.php', line 555)

I see, Dave has already validated it :)
Update pushed: http://advisories.mageia.org/MGASA-2014-0124.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
(In reply to Marc Lattemann from comment #10)
> tested for mga3 32bit update of existing and installation of new wiki for
> sqlite, mysql and postgresql.
>
> following issue found in the journalctl log:
> Mar 07 20:04:06 MGA3_32bit suhosin[4128]: ALERT - script tried to disable
> memory_limit by setting it to a negative value -1 bytes which is not allowed
> (attacker 'REMOTE_ADDR not set', file
> '/usr/share/mediawiki/maintenance/Maintenance.php', line 555)

Just in case anyone's wondering about that, we discussed this on IRC. I'm glad Marc pointed that out, because we like to deal with suhosin errors where we can. We can often add php_flag/value settings to the apache config file to allow the things the software normally does. Their script really shouldn't be trying to disable the memory_limit completely though, so they'd need to fix that upstream before we could do anything about it downstream.
URL: (none) => http://lwn.net/Vulnerabilities/590191/