Upstream has announced version 1.23.2 on July 30:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html

CVE and/or CVE information has been requested:
http://openwall.com/lists/oss-security/2014/07/31/9

Once that message receives a response I'll post an actual advisory. For now, see the upstream release announcement.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Updated packages in core/updates_testing:
========================
mediawiki-1.23.2-1.mga3
mediawiki-mysql-1.23.2-1.mga3
mediawiki-pgsql-1.23.2-1.mga3
mediawiki-sqlite-1.23.2-1.mga3
mediawiki-1.23.2-1.mga4
mediawiki-mysql-1.23.2-1.mga4
mediawiki-pgsql-1.23.2-1.mga4
mediawiki-sqlite-1.23.2-1.mga4

from SRPMS:
mediawiki-1.23.2-1.mga3.src.rpm
mediawiki-1.23.2-1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Procedure: https://wiki.mageia.org/en/QA_procedure:Mediawiki
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Working fine on our production wiki at work (Mageia 4 i586).
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK
Tested on x86_64 with MySQL backend using the following procedures:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Successful install with no errors. Played around with it for a while and still I also tested the following bug from the previous version:
https://bugzilla.wikimedia.org/show_bug.cgi?id=66608

Looks like it's fixed. Doesn't try to XSS, just redirects to your index.
CC: (none) => markkuehn
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK, MGA4-64-OK
Tested updating and creating new MediaWiki 1.23.2 instances using MySQL, PostgreSQL and Sqlite on Mageia 3 i586, Mageia 3 x86_64, Mageia 4 i586 and Mageia 4 x86_64.

Before updating, tried one PoC:

1. Tested for JSONP injection MediaWiki bug 38187 (CVE-2014-4671). Requesting .../api.php?action=query&format=json&callback=pwned from the wiki's returned 'pwned([])'. Had 'pwned' been a cleverly crafted embedded SWF, converted to only alphanumeric characters in order to abuse JSONP endpoints, sensitive data could be obtained from this server by it using GET requests and sent to an outside server using POSTs.

After updating to 1.23.2 and creating new instances, the request returned '/**/pwned([])', which starts with illegal characters, thus disabling the exploit.

I didn't test bug 66608. It seems xpdf-tools is only available from outside sources. Bug 65778 is restricted, so didn't test that either.

All database backends function as expected. No problems creating new pages or uploading images. All is well and normal.

------------------------------------------
Update validated.
Thanks.

Advisory:
This update provides a number of bug and security fixes. CVEs Pending.

SRPM: mediawiki-1.23.1-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: MGA3TOO has_procedure MGA4-32-OK, MGA4-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK
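An added example, not part of the comment above and not MediaWiki's own code: the before/after comparison from that test written as a repeatable QA check that reports whether a JSONP response still begins with the requested callback name. The instance labels and response bodies are constructed from the two responses quoted in the comment, and the function names are hypothetical.

```python
import re

# Prefix seen in the 1.23.2 response quoted in the test above.
COMMENT_PREFIX = "/**/"


def classify_jsonp(body: str, callback: str) -> str:
    """Say where the requested callback name sits in a JSONP response body."""
    call = re.compile(re.escape(callback) + r"\s*\(")
    if call.match(body):
        # The requester chooses the first bytes of the response.
        return "callback-at-offset-0"
    if body.startswith(COMMENT_PREFIX) and call.match(body, len(COMMENT_PREFIX)):
        # Fixed bytes come first, so the body cannot start with chosen content.
        return "comment-prefixed"
    if call.search(body):
        return "callback-elsewhere"
    return "no-callback"


def audit(responses: dict, callback: str) -> list:
    """Return the labels of instances whose body still starts with the callback."""
    return [
        label
        for label, body in responses.items()
        if classify_jsonp(body, callback) == "callback-at-offset-0"
    ]


# Constructed sample data: bodies as returned for callback=pwned.
SAMPLE_RESPONSES = {
    "mga4-x86_64-before-update": "pwned([])",
    "mga4-x86_64-after-update": "/**/pwned([])",
    "mga3-i586-after-update": "/**/pwned([])",
    "plain-json-no-callback": "[]",
}

if __name__ == "__main__":
    for label, body in SAMPLE_RESPONSES.items():
        print(f"{label}: {classify_jsonp(body, 'pwned')}")
    print("still unprefixed:", audit(SAMPLE_RESPONSES, "pwned"))
```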
Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

MediaWiki before 1.23.2 is vulnerable to JSONP injection in Flash, XSS in mediawiki.page.image.pagination.js, and clickjacking between OutputPage and ParserOutput.

This update provides MediaWiki 1.23.2, fixing these and other issues.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
Update pushed. http://advisories.mageia.org/MGASA-2014-0309.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/607784/
CVEs have finally been assigned:
http://openwall.com/lists/oss-security/2014/08/14/5

Updated advisory.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

MediaWiki before 1.23.2 is vulnerable to JSONP injection in Flash (CVE-2014-5241), XSS in mediawiki.page.image.pagination.js (CVE-2014-5242), and clickjacking between OutputPage and ParserOutput (CVE-2014-5243).

This update provides MediaWiki 1.23.2, fixing these and other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5243
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html
http://openwall.com/lists/oss-security/2014/08/14/5
Advisory updated.
Debian has issued an advisory for this on August 23: https://www.debian.org/security/2014/dsa-3011 LWN reference with the CVEs: http://lwn.net/Vulnerabilities/609501/