Bug 13272 - mediawiki new security issue fixed upstream in 1.22.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/597466/
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64...
Keywords: validated_update
Reported: 2014-04-26 21:23 CEST by David Walser
Modified: 2014-05-08 17:50 CEST

Source RPM: mediawiki-1.22.5-1.mga4.src.rpm

Description David Walser 2014-04-26 21:23:10 CEST
Upstream has announced MediaWiki 1.22.6 on April 24:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html

It fixes one security issue.  I haven't seen a CVE request for this.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

XSS vulnerability in MediaWiki before 1.22.6, where if the default sort key
is set to a string containing a script, the script will be executed when the
page is viewed using the info action.

References:
https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.22.6-1.mga3
mediawiki-mysql-1.22.6-1.mga3
mediawiki-pgsql-1.22.6-1.mga3
mediawiki-sqlite-1.22.6-1.mga3
mediawiki-1.22.6-1.mga4
mediawiki-mysql-1.22.6-1.mga4
mediawiki-pgsql-1.22.6-1.mga4
mediawiki-sqlite-1.22.6-1.mga4

from SRPMS:
mediawiki-1.22.6-1.mga3.src.rpm
mediawiki-1.22.6-1.mga4.src.rpm

David Walser 2014-04-26 21:23:17 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 William Murphy 2014-04-28 09:40:18 CEST
Testing on Mageia 3 i586 and x86_64, Mageia 4 i586 and x86_64

This update adds one line of code and changes the version number. Must be important.

Before the update, adding this template to any regular page:

{{DEFAULTSORT:<script>alert("Gotcha");</script>}}

allows anyone clicking on the 'Page information' link located on the sidebar to run the JavaScript inside the script tags, which pops up an alert in this case.

After updating to mediawiki 1.22.6, the HTML is disabled and the JavaScript no longer runs on either arch for Mageia 3 & 4.

------------------------------------------
Update validated.
Thanks.

Advisory:
Listed above.

SRPMS: 
mediawiki-1.22.6-1.mga3.src.rpm
mediawiki-1.22.6-1.mga4.src.rpm

Re
Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
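
The before/after behaviour tested in Comment 1, as an added example that is not part of this bug report and is not MediaWiki's code: the sort key is rendered into a row once raw and once HTML-escaped, and a parser check reports whether the result contains markup a browser would execute. The row layout and the names render_info_row, ActiveMarkupFinder and audit are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Payload as posted in Comment 1; the row markup below is constructed for illustration.
PAYLOAD = '<script>alert("Gotcha");</script>'


def render_info_row(sort_key, escape):
    """Hypothetical stand-in for the 'Default sort key' row of the info page."""
    value = html.escape(sort_key) if escape else sort_key
    return ('<table><tr><td>Default sort key</td>'
            '<td>' + value + '</td></tr></table>')


class ActiveMarkupFinder(HTMLParser):
    """Separates markup a browser would execute from text it would only display."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.active = []  # script elements and inline on* handlers
        self.text = []    # character data shown to the reader

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.active.append("<script>")
        self.active += [tag + "[" + name + "]" for name, _ in attrs
                        if name.startswith("on")]

    def handle_data(self, data):
        self.text.append(data)


def audit(page_html):
    """Return (active markup found, visible text) for a rendered page fragment."""
    finder = ActiveMarkupFinder()
    finder.feed(page_html)
    finder.close()
    return finder.active, "".join(finder.text)


if __name__ == "__main__":
    for label, escape in (("unescaped", False), ("escaped", True)):
        active, text = audit(render_info_row(PAYLOAD, escape))
        print(label, "active markup:", active, "| visible text:", text)
```

A regression check of this kind can be pointed at the saved HTML of the 'Page information' view on a test wiki; an empty active list with the sort key visible as text matches the post-update result reported above.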

Comment 2 Rémi Verschelde 2014-04-28 18:53:30 CEST
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory

Comment 3 Damien Lallement 2014-04-28 20:17:38 CEST
http://advisories.mageia.org/MGASA-2014-0197.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

David Walser 2014-04-30 16:25:05 CEST

URL: (none) => http://lwn.net/Vulnerabilities/596695/

Comment 4 David Walser 2014-05-07 22:35:20 CEST
The issue has CVE-2014-2853, which LWN created an entry for here:
http://lwn.net/Vulnerabilities/597466/

Would someone mind adding the CVE reference to the advisory in SVN?

Updated mediawiki packages fix security vulnerability:

XSS vulnerability in MediaWiki before 1.22.6, where if the default sort key
is set to a string containing a script, the script will be executed when the
page is viewed using the info action (CVE-2014-2853).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2853
https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html

David Walser 2014-05-07 22:57:54 CEST

URL: http://lwn.net/Vulnerabilities/596695/ => http://lwn.net/Vulnerabilities/597466/

Comment 5 claire robinson 2014-05-08 17:50:04 CEST
Done. Anybody with svn access can do so.