Upstream has announced version 1.23.4 on September 24:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
A CVE has been requested:
http://openwall.com/lists/oss-security/2014/09/26/12
Once that message receives a response I'll post an actual advisory. For now, see the upstream release announcement.
I've checked it into SVN for Mageia 3, Mageia 4, and Cauldron, and sent a freeze push request.
Debian has issued an advisory for this today (September 26): https://www.debian.org/security/2014/dsa-3036
URL: (none) => http://lwn.net/Vulnerabilities/613456/
Whiteboard: (none) => MGA3TOO
This has been assigned CVE-2014-7199:
http://openwall.com/lists/oss-security/2014/09/27/2
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================
Updated mediawiki packages fix security vulnerability:
MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to JavaScript injection via CSS in uploaded SVG files (CVE-2014-7199).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
https://www.debian.org/security/2014/dsa-3036
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.23.4-1.mga3
mediawiki-mysql-1.23.4-1.mga3
mediawiki-pgsql-1.23.4-1.mga3
mediawiki-sqlite-1.23.4-1.mga3
mediawiki-1.23.4-1.mga4
mediawiki-mysql-1.23.4-1.mga4
mediawiki-pgsql-1.23.4-1.mga4
mediawiki-sqlite-1.23.4-1.mga4
from SRPMS:
mediawiki-1.23.4-1.mga3.src.rpm
mediawiki-1.23.4-1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Procedure: https://wiki.mageia.org/en/QA_procedure:Mediawiki
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing in Mageia4-64 H/W
Followed procedure as in Comment 3 - tested mediawiki with mediawiki-1.23.3 first.
In procedure, I just had to replace:
    # service httpd start
by
    # systemctl enable httpd.service
    # systemctl start httpd.service
and did the same with mysqld.service
I set up a new wiki, made some changes and created two pages. All went well.
Then I installed testing update: mediawiki-1.23.4-1.mga4 from MCC
Deleted the previous wiki - to delete wiki database, I had to give my MariaDb password (# mysql -uroot -pxxxxx) and reproduced the wiki set up, modifying and adding two new pages.
All went well with updated package.
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
Working fine on our production wiki at work (Mageia 4 i586).
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK
Testing on Mageia3 (and Mageia4) 32 & 64 bit using mysql, postgresql and sqlite backends.
Updated and tested using each backend without problems for both archs.
After testing updated MediaWiki, removed databases and tested web installs.

Verifying security fix for MediaWiki bug 69008
https://bugzilla.wikimedia.org/show_bug.cgi?id=69008
Added svg to $wgFileExtensions and tried to upload the svg image listed in the bug:
http://upload.wikimedia.org/wikipedia/test/e/e3/Webplatform.svg
Before the update this image never fully loads, but other svg images, not referring to external urls, load fine.
After the update the upload for the above image is refused with a warning:
"This file contains HTML or script code that may be erroneously interpreted by a web browser."
------------------------------------------
Update validated.
Thanks.
Advisory:
Enhance CSS filtering of third-party content in SVG files. Possible CVEs pending.
SRPMS:
mediawiki-1.23.4-1.mga3.src.rpm
mediawiki-1.23.4-1.mga4.src.rpm
Could sysadmin please push from core/updates_testing to core/updates.
Thank you!
------------------------------------------
CC: (none) => sysadmin-bugs, warrendiogenese
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK
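
An added example, not part of the bug comments and not MediaWiki's own filter: a small audit for SVG files uploaded before the update, flagging CSS that pulls in external URLs or carries script, which is the class of content the fix now refuses. The pattern list, function names and sample files are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed heuristics for this example only; MediaWiki's own filter rules differ.
RISKY_CSS = [
    ("external url()", re.compile(r"url\(\s*['\"]?\s*(?:https?:)?//", re.I)),
    ("@import", re.compile(r"@import", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
]

def normalize_css(css):
    """Undo CSS comments and hex escapes so obfuscated keywords still match."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    def unescape(m):
        code = int(m.group(1), 16)
        return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"
    return re.sub(r"\\([0-9a-fA-F]{1,6})\s?", unescape, css)

def audit_svg(svg_text):
    """Return (location, reason) pairs for CSS that merits manual review."""
    # Stdlib parser keeps this offline; prefer a hardened one (e.g. defusedxml).
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("document", "unparseable XML: %s" % exc)]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        chunks = []
        if tag == "style":
            chunks.append(("<style> element", "".join(el.itertext())))
        if "style" in el.attrib:
            chunks.append(("style attribute on <%s>" % tag, el.attrib["style"]))
        for where, css in chunks:
            css = normalize_css(css)
            findings += [(where, why) for why, rx in RISKY_CSS if rx.search(css)]
    return findings

# Constructed samples (not the file from the bug report).
SAMPLE_FLAGGED = """<svg xmlns="http://www.w3.org/2000/svg">
  <style>@import url(http://styles.example.invalid/theme.css);</style>
  <rect width="9" height="9" style="fill: url(//cdn.example.invalid/p.svg#g)"/>
</svg>"""
SAMPLE_CLEAN = """<svg xmlns="http://www.w3.org/2000/svg">
  <style>.a { fill: url(#grad); stroke: #333; }</style>
</svg>"""

if __name__ == "__main__":
    print(audit_svg(SAMPLE_FLAGGED), audit_svg(SAMPLE_CLEAN))
```

A hit is a prompt for manual review of the file, not proof that it is malicious; local references such as url(#grad) are deliberately not flagged.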
Note the actual advisory is in Comment 2, and still needs to be uploaded to SVN.
Blocks: (none) => 14212
Upstream has announced version 1.23.5 on October 1:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html
CVE request:
http://www.openwall.com/lists/oss-security/2014/10/02/29
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.
The new issue fixed in 1.23.5 is another XSS through CSS issue just like the issue fixed in 1.23.4.
Please note this is a *preliminary* advisory, pending the CVE request (we'll replace the XXXX with the real CVE identifier once it's available).

Advisory:
========================
Updated mediawiki packages fix security vulnerability:
MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to JavaScript injection via CSS in uploaded SVG files (CVE-2014-7199).
MediaWiki before 1.23.5 is vulnerable to cross-site scripting due to JavaScript injection via user-specified CSS in certain special pages (CVE-2014-XXXX).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-XXXX
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html
https://www.debian.org/security/2014/dsa-3036
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.23.5-1.mga3
mediawiki-mysql-1.23.5-1.mga3
mediawiki-pgsql-1.23.5-1.mga3
mediawiki-sqlite-1.23.5-1.mga3
mediawiki-1.23.5-1.mga4
mediawiki-mysql-1.23.5-1.mga4
mediawiki-pgsql-1.23.5-1.mga4
mediawiki-sqlite-1.23.5-1.mga4
from SRPMS:
mediawiki-1.23.5-1.mga3.src.rpm
mediawiki-1.23.5-1.mga4.src.rpm
Keywords: validated_update => (none)
Blocks: 14212 => (none)
Summary: mediawiki new security issue fixed upstream in 1.23.4 => mediawiki new security issues fixed upstream in 1.23.5
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK => MGA3TOO has_procedure
*** Bug 14212 has been marked as a duplicate of this bug. ***
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK
CVE-2014-7295 has been assigned:
http://openwall.com/lists/oss-security/2014/10/02/36

Advisory:
========================
Updated mediawiki packages fix security vulnerability:
MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to JavaScript injection via CSS in uploaded SVG files (CVE-2014-7199).
MediaWiki before 1.23.5 is vulnerable to cross-site scripting due to JavaScript injection via user-specified CSS in certain special pages (CVE-2014-7295).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7295
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html
https://www.debian.org/security/2014/dsa-3036
http://openwall.com/lists/oss-security/2014/10/02/36
Testing on Mageia4-64 real H/W
mediawiki 1.23.5 1.mga4 noarch
mediawiki-pgsql 1.23.5 1.mga4 noarch
Using procedure found in Comment 3.
Everything works as expected.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK
Testing on Mageia3 (and Mageia4) 32 & 64 bit using mysql, postgresql and sqlite backends... again.
Updated and tested using each backend without problems for both archs.
After testing updated MediaWiki, removed databases and tested web installs.
No PoC available, so only tried creating new pages and uploading images with no problems.

Small note on the sqlite install:
The mediawiki-sqlite package creates a directory for its database, /var/lib/mediawiki, which is owned by apache, but the default given by the web installer is /var/www/data, which normally doesn't exist. I've been setting it to /var/lib/mediawiki, but the average user might not know to do this.
We could patch the getGlobalDefaults function in /usr/share/mediawiki/includes/installer/SqliteInstaller.php so it points to /var/lib/mediawiki, change the mediawiki-sqlite spec file so it uses /var/www/data or just leave it like it is.
Sorry for not mentioning this versions ago.
------------------------------------------
Update validated.
Thanks.
Advisory:
See comment 8 above.
SRPMS:
mediawiki-1.23.5-1.mga3.src.rpm
mediawiki-1.23.5-1.mga4.src.rpm
Could sysadmin please push from core/updates_testing to core/updates.
Thank you!
------------------------------------------
Forgot to update whiteboard and add validated_update keyword.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK
I would say patch it, William.
Advisory from comment 11 uploaded.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK
Debian has issued an advisory for this on October 5:
https://www.debian.org/security/2014/dsa-3046
LWN references for the CVEs:
http://lwn.net/Vulnerabilities/615070/
http://lwn.net/Vulnerabilities/615069/
Updating the advisory with the DSA.

Advisory:
========================
Updated mediawiki packages fix security vulnerability:
MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to JavaScript injection via CSS in uploaded SVG files (CVE-2014-7199).
MediaWiki before 1.23.5 is vulnerable to cross-site scripting due to JavaScript injection via user-specified CSS in certain special pages (CVE-2014-7295).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7295
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html
https://www.debian.org/security/2014/dsa-3036
https://www.debian.org/security/2014/dsa-3046
Advisory updated on svn.
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0400.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED