Bug 13110 - mediawiki new security issue fixed upstream in 1.22.5
Summary: mediawiki new security issue fixed upstream in 1.22.5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/592953/
Whiteboard: MGA3TOO advisory MGA3-64-OK MGA3-32-O...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-03-28 14:34 CET by David Walser
Modified: 2014-04-03 16:11 CEST

See Also:
Source RPM: mediawiki-1.22.3-1.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-03-28 14:34:19 CET
Upstream has announced MediaWiki 1.22.5 today (March 28):
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-March/000145.html

It fixes one security issue.  A CVE has been requested:
http://openwall.com/lists/oss-security/2014/03/28/1

I'll post an advisory once the CVE is available.

Updated packages in core/updates_testing:
========================================
mediawiki-1.22.5-1.mga3
mediawiki-mysql-1.22.5-1.mga3
mediawiki-pgsql-1.22.5-1.mga3
mediawiki-sqlite-1.22.5-1.mga3
mediawiki-1.22.5-1.mga4
mediawiki-mysql-1.22.5-1.mga4
mediawiki-pgsql-1.22.5-1.mga4
mediawiki-sqlite-1.22.5-1.mga4

from SRPMS:
mediawiki-1.22.5-1.mga3.src.rpm
mediawiki-1.22.5-1.mga4.src.rpm

David Walser 2014-03-28 14:34:26 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-03-28 14:38:09 CET
Working fine on my production wiki at work, Mageia 4 i586.

Comment 2 William Murphy 2014-03-30 13:31:01 CEST
Installed and set up mediawiki 1.22.5 using mysql, postgresql and sqlite on Mageia 4 x86_64 without problems.

Installed mediawiki-ldapauthentication extension and set up each to use ldap authentication. Very handy. A user created in any of the wikis can access all of them with the current setup.

Adding sqlite support to mediawiki-ldapauthentication required a simple patch. The mysql update schema can be used to create the sqlite table without error. 

Testing complete Mageia 4 x86_64 for mediawiki-1.22.5-1.mga4.src.rpm

CC: (none) => warrendiogenese
Source RPM: mediawiki-1.22.3-1.mga4.src.rpm => mediawiki-1.22.5-1.mga4.src.rpm
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

David Walser 2014-03-30 16:02:03 CEST

Source RPM: mediawiki-1.22.5-1.mga4.src.rpm => mediawiki-1.22.3-1.mga4.src.rpm

Comment 3 David Walser 2014-04-02 16:03:37 CEST
A CVE has finally been assigned:
http://openwall.com/lists/oss-security/2014/04/01/7

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

Login CSRF issue in MediaWiki before 1.22.5 in Special:ChangePassword, whereby
a user can be logged into an attacker's account without being aware of it,
allowing the attacker to track the user's activity (CVE-2014-2665).

MediaWiki has been updated to version 1.22.5, fixing this and other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-March/000145.html
http://openwall.com/lists/oss-security/2014/04/01/7

Comment 4 William Murphy 2014-04-03 12:00:53 CEST
Installed instances of mediawiki 1.22.3 onto Mageia 4 i586, Mageia 3 i586 & x86_64 using mysql, postgresql and sqlite

Following the PoC at https://bugzilla.wikimedia.org/show_bug.cgi?id=62497, created a web page the user could be tricked into visiting that then brings up the mediawiki change password form. The form's user name and password belong to the attacker, but could be made to look very similar to that of the intended victim. The user then continues under the attacker's account, leaving a trail in the mediawiki history the attacker can view later.

After upgrading to 1.22.5, instead of the change password form, an error is displayed: 

"There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again."

Set up mediawiki-ldapauthentication for all 12 instances using the same ldap server, then logged out/in and created articles, new accounts and uploaded files without problems.

Note: mediawiki-ldapauthentication doesn't support sqlite. I wrote a patch for that so I could test against it. 

Testing complete Mageia 3 i586, Mageia 3 x86_64, Mageia 4 i586, Mageia 4 x86_64, for the srpm mediawiki-1.22.3-1.mga4.src.rpm

------------------------------------------
Update validated.
Thanks.

Advisory:

CVE-2014-2665: See Comment 3.
SRPM: mediawiki-1.22.3-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
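
The before/after behaviour tested in Comment 4, as an added example that is not MediaWiki's code and not part of the original bug report: a credential-bearing form is accepted only when it carries a token bound to the visitor's own session, which a page on another site cannot read. The function names, the in-memory session store, the HMAC-derived token and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: server key, in-memory sessions, error text.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id -> logged-in user name, or None while anonymous
SESSION_ERROR = "session check failed; action canceled"


def new_session():
    """Give every visitor, logged in or not, a session to bind tokens to."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = None
    return sid


def form_token(sid):
    """Token the server embeds in forms it renders for this session."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def handle_login_post(sid, form, accounts, check_token=True):
    """Handle a credential-bearing POST (login or change-password form).

    check_token=False models the behaviour before the fix: the request is
    accepted on credentials alone, whichever page made the browser send it.
    """
    if sid not in SESSIONS:
        return SESSION_ERROR
    if check_token:
        supplied = str(form.get("token", "")).encode()
        if not hmac.compare_digest(supplied, form_token(sid).encode()):
            return SESSION_ERROR  # refused before credentials are examined
    user, password = form.get("user"), form.get("password")
    if password is None or accounts.get(user) != password:
        return "bad credentials"
    SESSIONS[sid] = user
    return "logged in as " + user


def demo():
    accounts = {"alice": "pw-a", "a1ice": "pw-x"}  # constructed, plaintext for brevity
    sid = new_session()  # the victim's browser session
    foreign = {"user": "a1ice", "password": "pw-x"}  # cross-site form: no token
    own = {"user": "alice", "password": "pw-a", "token": form_token(sid)}
    return (handle_login_post(sid, foreign, accounts, check_token=False),
            handle_login_post(sid, foreign, accounts),
            handle_login_post(sid, own, accounts))
```

`demo()` returns the three outcomes in order: the unchecked handler silently switches the session to the look-alike account, the checked handler refuses the same request, and the user's own form still logs in.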

Comment 5 claire robinson 2014-04-03 15:12:47 CEST
Thanks William.

Advisory from comment 3 uploaded. Validating.

Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO advisory MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK

Comment 6 Damien Lallement 2014-04-03 15:30:13 CEST
http://advisories.mageia.org/MGASA-2014-0157.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

David Walser 2014-04-03 16:11:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/592953/

