Upstream has released a new version on September 29: https://www.dokuwiki.org/changes As you can see there, details of the security issue are here: http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication Mageia 3 and Mageia 4 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated for Cauldron and asked for freez push to Cauldron repositories.
Keywords: (none) => Triaged
I have uploaded a updated dokuwiki package for Mageia 3 and Mageia 4. Suggested advisory: ======================== Updated dokuwiki packages fix a security vulnerability: The issue is in how some software performs user authentication using LDAP servers in certain configurations. It affects a variety of applications, platforms and programming languages that make use of LDAP; PHP was one of them (up until recently). Since dokuwiki uses PHP and has the ability to authenticate users using PHP's LDAP extension, dokuwiki users may in turn be affected. This update provides fixed version of dokuwiki. References: https://www.dokuwiki.org/changes#release_2014-09-29_hrun http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication ======================== Updated packages in core/updates_testing: ======================== dokuwiki-20140929-1.mga3.noarch.rpm dokuwiki-20140929-1.mga4.noarch.rpm Source RPMS: ======================== dokuwiki-20140929-1.mga3.src.rpm dokuwiki-20140929-1.mga4.src.rpm
Assignee: tarakbumba => qa-bugs
Thanks Atilla!
CC: (none) => tarakbumbaVersion: Cauldron => 4Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Working on that one, I'll write a procedure for tests
CC: (none) => ennael1
Just a note, reading the details of the issue, the vulnerability is already mitigated if you have our latest PHP updates installed, so if you wanted to try to reproduce the vulnerability, that won't work.
This update will also fix upstream issue 765. The changelog was updated to reflect this (see hotfixes for previous version): https://www.dokuwiki.org/changes CVE request for these issues: http://openwall.com/lists/oss-security/2014/10/13/3 Also note the hotfix to the current version for "Hotfix 2014-09-29a: fixes for login problems caused by certain PCRE versions and changes in the recent Chrome release" on the upstream changelog. So this will need updated again. For this hotfix, you only need to change dir_version to 20140929a and bump the release tag (i.e. do not change the version tag) so a freeze push request is not needed.
Whiteboard: MGA3TOO => MGA3TOO feedback
(In reply to David Walser from comment #6) > This update will also fix upstream issue 765. The changelog was updated to > reflect this (see hotfixes for previous version): > https://www.dokuwiki.org/changes > > CVE request for these issues: > http://openwall.com/lists/oss-security/2014/10/13/3 > > Also note the hotfix to the current version for "Hotfix 2014-09-29a: fixes > for login problems caused by certain PCRE versions and changes in the recent > Chrome release" on the upstream changelog. > > So this will need updated again. For this hotfix, you only need to change > dir_version to 20140929a and bump the release tag (i.e. do not change the > version tag) so a freeze push request is not needed. Done in Cauldron and submitted. Thanks for noticing this out.
I have uploaded a updated dokuwiki package for Mageia 3 and Mageia 4. Suggested advisory: ======================== Updated dokuwiki packages fix a security vulnerability: The issue is in how some software performs user authentication using LDAP servers in certain configurations. It affects a variety of applications, platforms and programming languages that make use of LDAP; PHP was one of them (up until recently). Since dokuwiki uses PHP and has the ability to authenticate users using PHP's LDAP extension, dokuwiki users may in turn be affected. Also a security fix for login problems caused by certain PCRE versions and changes in the recent Chrome release. This update provides fixed version of dokuwiki. References: https://www.dokuwiki.org/changes#release_2014-09-29_hrun http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication ======================== Updated packages in core/updates_testing: ======================== dokuwiki-20140929-1.1.mga3.noarch.rpm dokuwiki-20140929-1.1.mga4.noarch.rpm Source RPMS: ======================== dokuwiki-20140929-1.1.mga3.src.rpm dokuwiki-20140929-1.1.mga4.src.rpm
(In reply to Atilla ÃNTAÅ from comment #8) > I have uploaded a updated dokuwiki package for Mageia 3 and Mageia 4. > > Suggested advisory: > ======================== > > Updated dokuwiki packages fix a security vulnerability: > > The issue is in how some software performs user authentication using LDAP > servers in certain configurations. It affects a variety of applications, > platforms and programming languages that make use of LDAP; PHP was one of > them > (up until recently). Since dokuwiki uses PHP and has the ability to > authenticate users using PHP's LDAP extension, dokuwiki users may in turn be > affected. > > Also a security fix for login problems caused by certain PCRE versions and > changes in the recent Chrome release. > > This update provides fixed version of dokuwiki. > > References: > > https://www.dokuwiki.org/changes#release_2014-09-29_hrun > http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue- > Null-byte-poisoning-in-LDAP-authentication > > ======================== > > Updated packages in core/updates_testing: > ======================== > dokuwiki-20140929-1.1.mga3.noarch.rpm > dokuwiki-20140929-1.1.mga4.noarch.rpm > > Source RPMS: > ======================== > dokuwiki-20140929-1.1.mga3.src.rpm > dokuwiki-20140929-1.1.mga4.src.rpm I have accidently bumped rel for Mga3 package and submitted to core/updates_testing . Fixed this problem in svn and asked from sysadmins to remove dokuwiki-20140929-2.mga3 package. Please be patient before testing Mageia 3 until wrong package is deleted and i submit the dokuwiki-20140929-1.1.mga3 one.
Just a note on the advisory, it didn't appear to me that the PCRE and Chrome things in the hotfix were security issues, and the issue 765 security fix appears to be unrelated to those.
Testing on Mageia 3 & 4, 32 and 64 archs. Installing/Upgrading the package onto the Mageia 4 releases was problem free. The packages in update_testing for the Mageia 3 releases complained about a missing pear package, so downloaded the src rpm from the Mageia 4 updates_testing, built and installed that without problems. Steps taken for each: 1) Installed DokuWiki Mageia 3 & 4 32 and 64 releases. 2) Loaded the install.php page for a basic setup. 2) Created the needed start page and optional playground page. 3) Added users and ACL groups. 4) Enabled the ldap extension and set it to access a common external server. 5) Logged out/in with users of different access levels using both authldap and authplain to verify the ACLs were inforced without trouble. As soon as authldap extension is active, the user management extension goes away. If the icon is visible in the browser and you click on it, it issues a 'invalid auth mechanism', then goes away. It does query the ldap server without error, but might not like what is returned. The behaviour was the same before the update. I'll install the Mageia 3 packages when they become available to make sure they install OK.
CC: (none) => warrendiogenese
Which pear package was it? Either we'll need to import that one into Mageia 3, or revert the Mageia 3 update to the 2014-05-05b hotfix, which also fixes the security issues.
Created attachment 5503 [details] LDAP entries and DokuWiki user supplied settings I use some of these entries for Mediawiki as well. Dokuwiki recognises them for login and out. It's quite possible I've missed something here. Bad habit of mine.
CC: ennael1 => (none)
(In reply to David Walser from comment #12) > Which pear package was it? Either we'll need to import that one into Mageia > 3, or revert the Mageia 3 update to the 2014-05-05b hotfix, which also fixes > the security issues. The current update in updates testing complained about missing pear(Crypt/Hash.php)
(In reply to William Murphy from comment #14) > (In reply to David Walser from comment #12) > > Which pear package was it? Either we'll need to import that one into Mageia > > 3, or revert the Mageia 3 update to the 2014-05-05b hotfix, which also fixes > > the security issues. > > The current update in updates testing complained about missing > pear(Crypt/Hash.php) Thanks for testing. dokuwiki-20140929-1.1.mga3 should fix this issue.
can you please paste here the configuration for ldap auth?
Created attachment 5505 [details] LDAP configuration files These are my current openldap configuration files. slapd.access.conf is unmodified, so I didn't include that. /etc/openldap/ldapserver points to master.privatedomain where the LDAP server resides on this subnet. This LDAP server was originally set up just to test ldapauthenticaion for MediaWiki, so no frills. MediaWiki users can successfully authenticate or be created/deleted from any of the 8 testing instances (4 Mageia releases * 2 backends, mysql and postgresql, sqlite doesn't support ldap authentication). Before Docuwiki disables the user management extension, it queries the LDAP server. The LDAP server logs don't show any failures in the query, not even the infamous err 49 (invalid credentials). There was mention in the DokuWiki forums that authldap didn't support groups, but it was an old post and in this DokuWiki users successfully authenticate and group ACL restrictions are enforced. I tried removing the group setting and users could still login, but the user management extentions still disabled. I'm hoping that I missed something in the configuration, but it's possible that user management is expected to be done externally using authldap. With any luck, someone will enlighten me on this matter.
This is OpenLDAP server configuration. Can you also join dokuwiki configuration for ldap authentication ?
I'm sorry. Those are at the bottom of the first attachment (Attachment #5503 [details]). I could have done that better, like paste that short one first.
CVEs have been assigned: http://openwall.com/lists/oss-security/2014/10/16/9 CVE-2014-8761 and CVE-2014-8762 were assigned for the Issue 765 issues. CVE-2014-8763 and CVE-2014-8764 were assigned for the null-byte LDAP issues.
Mageia 3 package has finally been removed from updates_testing. Go ahead and re-push it if it is ready to go.
(In reply to David Walser from comment #21) > Mageia 3 package has finally been removed from updates_testing. Go ahead > and re-push it if it is ready to go. dokuwiki-20140929-1.1.mga3 has been submitted. Thanks for the notice :)
We still need a corrected and updated advisory, but the packages are available for testing. Removing the feedback marker now. dokuwiki-20140929-1.1.mga3 dokuwiki-20140929-1.1.mga4 Atilla, information in Comment 10 and Comment 21 will help with the advisory.
Whiteboard: MGA3TOO feedback => MGA3TOO
Suggested advisory: ======================== Updated dokuwiki packages fix security vulnerabilities: inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call (CVE-2014-8761). The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter (CVE-2014-8762). DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind (CVE-2014-8763). DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind (CVE-2014-8764). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8761 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8762 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8763 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8764 https://www.dokuwiki.org/changes#release_2014-09-29_hrun http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue- Null-byte-poisoning-in-LDAP-authentication http://openwall.com/lists/oss-security/2014/10/16/9 ======================== Updated packages in core/updates_testing: ======================== dokuwiki-20140929-1.1.mga3.noarch.rpm dokuwiki-20140929-1.1.mga4.noarch.rpm Source RPMS: ======================== dokuwiki-20140929-1.1.mga3.src.rpm dokuwiki-20140929-1.1.mga4.src.rpm
Created attachment 5535 [details] Unrelated debugging information at bottom of page. Found one non-critical bug (image attached): When debugging is active, debugging information from the very first login session is displayed in the docInfo section at the bottom of the page. This information remains unchanged after logging out and in as another user, changing LDAP setting, disabling/enabling debugging, removing all coookies and deleting everything in the DokuWiki cache. Unlike the update notices, which does go away by removing messages.txt from the cache, the location of this remains elusive to me. This information can be misleading since it doesn't match up with the current settings or logged in user. From comment #11, the LDAP auth plugin only sets the capability for password changes in it's constructor and isn't set up for user management. That explains why the user management icon goes away. The proper packages now in the Mageia 3 testing repositories installed/updated without problems.
Finished testing on Mageia 3 & 4, 32 and 64 bit archs. The missing user management icon is expected when using LDAP authentication. Users can login using ACL groups with plain and LDAP authentication. The security bug had no PoC, so that was not tested. There seems to be a minor, non-critical bug LDAP debugging code (comment #25), but doesn't affect normal usage. ------------------------------------------ Update validated. Thanks. Suggested Advisory: See comment #24 above SRPMS: dokuwiki-20140929-1.1.mga3.src.rpm dokuwiki-20140929-1.1.mga4.src.rpm Could sysadmin please push from core/updates_testing to core/updates. Thank you! ------------------------------------------
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA3TOO => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK
Advisory uploaded.
CC: (none) => remiWhiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
Debian has issued an advisory for this on October 29: https://www.debian.org/security/2014/dsa-3059
URL: (none) => http://lwn.net/Vulnerabilities/618623/
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0438.html
Status: NEW => RESOLVEDResolution: (none) => FIXED