Upstream has announced MediaWiki 1.22.7 on May 27:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html

It fixes one security issue. A CVE has been requested for this:
http://openwall.com/lists/oss-security/2014/06/03/7

I'll update the advisory when a CVE is issued.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

XSS vulnerability in MediaWiki before 1.22.7, due to usernames on Special:PasswordReset being parsed as wikitext. The username on Special:PasswordReset can be supplied by anyone and will be parsed with wgRawHtml enabled. Since Special:PasswordReset is whitelisted by default on private wikis, this could potentially lead to an XSS crossing a privilege boundary.

References:
https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.22.7-1.mga3
mediawiki-mysql-1.22.7-1.mga3
mediawiki-pgsql-1.22.7-1.mga3
mediawiki-sqlite-1.22.7-1.mga3
mediawiki-1.22.7-1.mga4
mediawiki-mysql-1.22.7-1.mga4
mediawiki-pgsql-1.22.7-1.mga4
mediawiki-sqlite-1.22.7-1.mga4

from SRPMS:
mediawiki-1.22.7-1.mga3.src.rpm
mediawiki-1.22.7-1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Running fine on our production wiki at work (Mageia 4 i586).
CVE-2014-3966 assigned:
http://openwall.com/lists/oss-security/2014/06/04/15

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

XSS vulnerability in MediaWiki before 1.22.7, due to usernames on Special:PasswordReset being parsed as wikitext. The username on Special:PasswordReset can be supplied by anyone and will be parsed with wgRawHtml enabled. Since Special:PasswordReset is whitelisted by default on private wikis, this could potentially lead to an XSS crossing a privilege boundary (CVE-2014-3966).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3966
https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html
http://openwall.com/lists/oss-security/2014/06/04/15
Updated to mediawiki 1.22.7 on Mageia 3 i586, Mageia 3 x86_64, Mageia 4 i586 and Mageia 4 x86_64.

Before updating, followed these steps:
* added '$wgRawHtml = 1;' to LocalSettings.php
* loaded the Special:PasswordReset page as an anonymous user.
* Entered into the Username field:
  <html><script>alert('gotcha');</script></html>
* Clicked on 'Email new password'.

The javascript was executed when the error message was displayed, since it tries to include the username and the alert popped up for each release.

After updating to 1.22.7 on each, no more alerts and the html is safely displayed as the user name in the error message.

Normal functions like file uploads, edit/add pages still work as they should.

------------------------------------------
Update validated.
Thanks.

Advisory: CVE-2014-3966: See Comment 2.

SRPM: mediawiki-1.22.6-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
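
The behaviour checked in the validation test above, as an added example (not part of the original report and not MediaWiki's code): a toy parser models raw-HTML passthrough, comparing a name substituted into the wikitext before parsing with a name inserted as escaped text afterwards. `TEMPLATE`, `toy_parse`, `render_before`, `render_after` and `reflection_status` are hypothetical names, and the message text is constructed.

```python
import html
import re

# Constructed sample values; the payload is the one used in the test comment above.
PAYLOAD = "<html><script>alert('gotcha');</script></html>"
TEMPLATE = 'There is no user by the name "$1".'  # hypothetical message text
RAW_BLOCK = re.compile(r"<html>(.*?)</html>", re.S)


def toy_parse(wikitext, raw_html):
    """Toy stand-in for a wikitext parser: escapes everything, except that
    <html>...</html> blocks pass through verbatim when raw_html is on."""
    if not raw_html:
        return html.escape(wikitext)
    out, pos = [], 0
    for m in RAW_BLOCK.finditer(wikitext):
        out.append(html.escape(wikitext[pos:m.start()]))
        out.append(m.group(1))  # emitted unescaped, as raw HTML
        pos = m.end()
    out.append(html.escape(wikitext[pos:]))
    return "".join(out)


def render_before(username, raw_html=True):
    """Vulnerable pattern: the user-supplied name becomes part of the wikitext."""
    return toy_parse(TEMPLATE.replace("$1", username), raw_html)


def render_after(username, raw_html=True):
    """Hardened pattern: parse the trusted template only, then insert the
    name as escaped text so it is never interpreted as markup."""
    return toy_parse(TEMPLATE, raw_html).replace("$1", html.escape(username))


def reflection_status(body, payload=PAYLOAD):
    """Classify how a response body reflects the test payload."""
    script = RAW_BLOCK.sub(r"\1", payload)  # the part a browser would execute
    if script in body:
        return "raw"
    if payload in html.unescape(body):
        return "escaped"
    return "absent"


if __name__ == "__main__":
    print("before:", reflection_status(render_before(PAYLOAD)))
    print("after: ", reflection_status(render_after(PAYLOAD)))
```

`reflection_status` can also be pointed at a saved response body from a test wiki to repeat the before/after check without relying on a visible alert.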
advisory added. Update pushed: http://advisories.mageia.org/MGASA-2014-0253.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory
URL: (none) => http://lwn.net/Vulnerabilities/601574/