Bug 13833 - mediawiki new security issues fixed upstream in 1.23.2
Summary: mediawiki new security issues fixed upstream in 1.23.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/607784/
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-07-31 22:46 CEST by David Walser
Modified: 2014-08-25 20:04 CEST

See Also:
Source RPM: mediawiki-1.23.1-1.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-07-31 22:46:21 CEST
Upstream has announced version 1.23.2 on July 30:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html

CVE and/or CVE information has been requested:
http://openwall.com/lists/oss-security/2014/07/31/9

Once that message receives a response I'll post an actual advisory.  For now, see the upstream release announcement.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Updated packages in core/updates_testing:
========================
mediawiki-1.23.2-1.mga3
mediawiki-mysql-1.23.2-1.mga3
mediawiki-pgsql-1.23.2-1.mga3
mediawiki-sqlite-1.23.2-1.mga3
mediawiki-1.23.2-1.mga4
mediawiki-mysql-1.23.2-1.mga4
mediawiki-pgsql-1.23.2-1.mga4
mediawiki-sqlite-1.23.2-1.mga4

from SRPMS:
mediawiki-1.23.2-1.mga3.src.rpm
mediawiki-1.23.2-1.mga4.src.rpm

David Walser 2014-07-31 22:46:27 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Rémi Verschelde 2014-08-01 15:56:56 CEST
Procedure: https://wiki.mageia.org/en/QA_procedure:Mediawiki

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 David Walser 2014-08-01 16:08:28 CEST
Working fine on our production wiki at work (Mageia 4 i586).

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK

Comment 3 Mark Kay 2014-08-03 08:14:26 CEST
Tested on x86_64 with MySQL backend using the following procedures:

https://wiki.mageia.org/en/QA_procedure:Mediawiki

Successful install with no errors.  Played around with it for a while and still

I also tested the following bug from the previous version: https://bugzilla.wikimedia.org/show_bug.cgi?id=66608

Looks like it's fixed.  Doesn't try to XSS, just redirects to your index.

CC: (none) => markkuehn
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK, MGA4-64-OK

Comment 4 William Murphy 2014-08-03 11:48:37 CEST
Tested updating and creating new MediaWiki 1.23.2 instances using MySQL, PostgreSQL and Sqlite on Mageia 3 i586, Mageia 3 x86_64, Mageia 4 i586 and Mageia 4 x86_64.

Before updating, tried one PoC:

1. Tested for JSONP injection MediaWiki bug 38187 (CVE-2014-4671).

Requesting .../api.php?action=query&format=json&callback=pwned from the wiki returned 'pwned([])'.

Had 'pwned' been a cleverly crafted embedded SWF, converted to only alphanumeric characters in order to abuse JSONP endpoints, sensitive data could be obtained from this server by it using GET requests and sent to an outside server using POSTs.

After updating to 1.23.2 and creating new instances, the request returned '/**/pwned([])', which starts with illegal characters, thus disabling the exploit.

I didn't test bug 66608. It seems xpdf-tools is only available from outside sources. Bug 65778 is restricted, so didn't test that either.

All database backends function as expected. No problems creating new pages or uploading images. All is well and normal.


------------------------------------------
Update validated.
Thanks.

Advisory:
This update provides a number of bug and security fixes. CVEs Pending.

SRPM: mediawiki-1.23.1-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: MGA3TOO has_procedure MGA4-32-OK, MGA4-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK
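
The before/after check from comment 4 as a repeatable QA test, added here as an example and not part of the original bug report or of MediaWiki's code. It classifies saved JSONP response bodies rather than contacting a wiki; the function names are hypothetical, the SWF signatures come from the Flash file format rather than from this page, and the two `CWSdemo` bodies are constructed samples.

```python
import re

# SWF file signatures (uncompressed, zlib, LZMA). Assumption from the Flash
# file format, not from this bug: a file is only treated as SWF when its
# first three bytes are one of these.
SWF_MAGIC = ("FWS", "CWS", "ZWS")
JSONP_PREFIX = "/**/"  # what 1.23.2 puts in front of the callback (comment 4)

# Shape of a JSONP body: optional prefix, callback name, parenthesised payload.
JSONP_RE = re.compile(
    r"^(?P<prefix>/\*\*/)?(?P<cb>[A-Za-z0-9_.$\[\]]+)\((?P<payload>.*)\)\s*;?\s*$",
    re.S,
)


def classify_jsonp(body: str, callback: str) -> dict:
    """Classify one response body for the callback name that was requested."""
    m = JSONP_RE.match(body)
    reflected = bool(m) and m.group("cb") == callback
    prefixed = body.startswith(JSONP_PREFIX)
    if not reflected:
        verdict = "no-jsonp"   # callback not echoed (plain JSON, error page)
    elif prefixed:
        verdict = "hardened"   # byte 0 is fixed by the server, not the caller
    else:
        verdict = "exposed"    # caller-chosen bytes start the response
    return {
        "verdict": verdict,
        "swf_signature_at_start": body[:3] in SWF_MAGIC,
    }


def run_samples() -> list:
    """Run the bodies quoted in comment 4 plus two constructed ones."""
    samples = [
        ("pwned([])", "pwned"),            # from comment 4, before the update
        ("/**/pwned([])", "pwned"),        # from comment 4, after the update
        ("CWSdemo([])", "CWSdemo"),        # constructed: unprefixed reflection
        ("/**/CWSdemo([])", "CWSdemo"),    # constructed: same name, prefixed
    ]
    return [classify_jsonp(body, cb) for body, cb in samples]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The third sample shows why the prefix matters: without it, a callback name alone decides the first bytes of the response, so the body can begin with a file signature; with it, the body always begins with `/**/`.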

Comment 5 David Walser 2014-08-03 12:03:51 CEST
Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

MediaWiki before 1.23.2 is vulnerable to JSONP injection in Flash, XSS in
mediawiki.page.image.pagination.js, and clickjacking between OutputPage and
ParserOutput.

This update provides MediaWiki 1.23.2, fixing these and other issues.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html

Comment 6 Rémi Verschelde 2014-08-04 20:23:13 CEST
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory

Comment 7 Colin Guthrie 2014-08-05 22:21:57 CEST
Update pushed.

http://advisories.mageia.org/MGASA-2014-0309.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

David Walser 2014-08-06 21:45:26 CEST

URL: (none) => http://lwn.net/Vulnerabilities/607784/

Comment 8 David Walser 2014-08-14 13:41:40 CEST
CVEs have finally been assigned:
http://openwall.com/lists/oss-security/2014/08/14/5

Updated advisory.

Advisory:
========================

Updated mediawiki packages fix security vulnerabilities:

MediaWiki before 1.23.2 is vulnerable to JSONP injection in Flash
(CVE-2014-5241), XSS in mediawiki.page.image.pagination.js (CVE-2014-5242),
and clickjacking between OutputPage and ParserOutput (CVE-2014-5243).

This update provides MediaWiki 1.23.2, fixing these and other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5243
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html
http://openwall.com/lists/oss-security/2014/08/14/5

Comment 9 Rémi Verschelde 2014-08-14 17:29:39 CEST
Advisory updated.

Comment 10 David Walser 2014-08-25 20:04:36 CEST
Debian has issued an advisory for this on August 23:
https://www.debian.org/security/2014/dsa-3011

LWN reference with the CVEs:
http://lwn.net/Vulnerabilities/609501/
