Bug 13477 - mediawiki new security issue fixed upstream in 1.22.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/601574/
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-06-03 15:53 CEST by David Walser
Modified: 2014-06-07 15:53 CEST

See Also:
Source RPM: mediawiki-1.22.6-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-06-03 15:53:52 CEST
Upstream has announced MediaWiki 1.22.7 on May 27:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html

It fixes one security issue.  A CVE has been requested for this:
http://openwall.com/lists/oss-security/2014/06/03/7

I'll update the advisory when a CVE is issued.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

XSS vulnerability in MediaWiki before 1.22.7, due to usernames on
Special:PasswordReset being parsed as wikitext.  The username on
Special:PasswordReset can be supplied by anyone and will be parsed with
wgRawHtml enabled.  Since Special:PasswordReset is whitelisted by default on
private wikis, this could potentially lead to an XSS crossing a privilege
boundary.

References:
https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.22.7-1.mga3
mediawiki-mysql-1.22.7-1.mga3
mediawiki-pgsql-1.22.7-1.mga3
mediawiki-sqlite-1.22.7-1.mga3
mediawiki-1.22.7-1.mga4
mediawiki-mysql-1.22.7-1.mga4
mediawiki-pgsql-1.22.7-1.mga4
mediawiki-sqlite-1.22.7-1.mga4

from SRPMS:
mediawiki-1.22.7-1.mga3.src.rpm
mediawiki-1.22.7-1.mga4.src.rpm

David Walser 2014-06-03 15:53:58 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-06-03 17:04:59 CEST
Running fine on our production wiki at work (Mageia 4 i586).

Comment 2 David Walser 2014-06-04 17:23:59 CEST
CVE-2014-3966 assigned:
http://openwall.com/lists/oss-security/2014/06/04/15

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

XSS vulnerability in MediaWiki before 1.22.7, due to usernames on
Special:PasswordReset being parsed as wikitext.  The username on
Special:PasswordReset can be supplied by anyone and will be parsed with
wgRawHtml enabled.  Since Special:PasswordReset is whitelisted by default on
private wikis, this could potentially lead to an XSS crossing a privilege
boundary (CVE-2014-3966).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3966
https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html
http://openwall.com/lists/oss-security/2014/06/04/15

Comment 3 William Murphy 2014-06-06 02:01:30 CEST
Updated to MediaWiki 1.22.7 on Mageia 3 i586, Mageia 3 x86_64, Mageia 4 i586 and Mageia 4 x86_64.

Before updating, followed these steps:
  * added '$wgRawHtml = 1;' to LocalSettings.php
  * loaded the Special:PasswordReset page as an anonymous user.
  * Entered into the Username field:
    <html><script>alert('gotcha');</script></html>
  * Clicked on 'Email new password'.

The JavaScript was executed when the error message was displayed, since it tries to include the username, and the alert popped up for each release.

After updating to 1.22.7 on each, no more alerts and the HTML is safely displayed as the user name in the error message.

Normal functions like file uploads, edit/add pages still work as they should.

------------------------------------------
Update validated.
Thanks.

Advisory:

CVE-2014-3966: See Comment 2.
SRPM: mediawiki-1.22.6-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
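
The manual before/after check in Comment 3 can be made repeatable by classifying how the submitted username comes back in the error page. This Python is an added example, not part of the original bug report or of MediaWiki: the `classify` helper and both response fragments are constructed, and the "before" fragment assumes the wikitext `<html>` wrapper is consumed and its body emitted raw when `$wgRawHtml` is enabled.

```python
from html.parser import HTMLParser

# Username value entered in Comment 3's manual test.
PAYLOAD = "<html><script>alert('gotcha');</script></html>"
MARKER = "alert('gotcha')"

class ReflectionCheck(HTMLParser):
    """Record whether the marker came back as live script or as plain text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.live_script = False  # marker parsed as real <script> content
        self.text = []            # decoded text nodes outside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.live_script = self.live_script or MARKER in data
        else:
            self.text.append(data)

def classify(response_html):
    """Return 'vulnerable', 'escaped' or 'absent' for one response body."""
    check = ReflectionCheck()
    check.feed(response_html)
    check.close()
    if check.live_script:
        return "vulnerable"   # the browser would run the submitted script
    if PAYLOAD in "".join(check.text):
        return "escaped"      # username shown as inert text
    return "absent"

# Constructed response fragments (not captured from a real wiki).
BEFORE = ('<div class="error">There is no user by the name "'
          + "<script>alert('gotcha');</script>" + '".</div>')
AFTER = ('<div class="error">There is no user by the name "'
         '&lt;html&gt;&lt;script&gt;alert(&#039;gotcha&#039;);'
         '&lt;/script&gt;&lt;/html&gt;".</div>')

if __name__ == "__main__":
    print("before update:", classify(BEFORE))
    print("after update: ", classify(AFTER))
```

Parsing the response instead of searching it for the raw string avoids a false alarm when the payload text appears only inside an escaped text node.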

Comment 4 Thomas Backlund 2014-06-06 08:29:36 CEST
Advisory added.

Update pushed:
http://advisories.mageia.org/MGASA-2014-0253.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory

David Walser 2014-06-07 15:53:17 CEST

URL: (none) => http://lwn.net/Vulnerabilities/601574/

