14807 – dokuwiki new security issue CVE-2014-9253

Bug 14807 - dokuwiki new security issue CVE-2014-9253

Summary: dokuwiki new security issue CVE-2014-9253

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/627328/
Whiteboard:	advisory MGA4-32-OK MGA4-64-OK
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2014-12-15 19:58 CET by David Walser
Modified:	2014-12-22 20:27 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:	dokuwiki-20140929-1.1.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2014-12-15 19:58:43 CET

A CVE has been assigned for an issued fixed upstream in 20140929b:
http://openwall.com/lists/oss-security/2014/12/15/4

This was from a security hotfix:
https://www.dokuwiki.org/changes#release_2014-09-29_hrun

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:

David Walser 2014-12-15 19:58:52 CET

Whiteboard: (none) => MGA4TOO

Comment 1 Atilla ÖNTAŞ 2014-12-15 22:51:40 CET

Updated and submitted to Cauldron. Will prepare an advisory for Mga4 soon.

Comment 2 Atilla ÖNTAŞ 2014-12-15 23:13:22 CET

I have uploaded a updated dokuwiki package for Mageia 4.

Suggested advisory:
========================

Updated dokuwiki package fix a security vulnerability:

Our current dokuwiki-20140929-1.1.mga4 package uses dokuwiki-2014-09-29a source which allows swf (application/x-shockwave-flash) uploads by default. This may be used for Cross-site scripting (XSS) attack which enables attackers to inject client-side script into Web pages viewed by other users. (CVE-2014-9253).

This update uses dokuwiki-2014-09-29b hotfix source which disables swf uploads by default and fixes the issue.

References:
http://openwall.com/lists/oss-security/2014/12/15/4
http://security.szurek.pl/dokuwiki-20140929a-xss.html
https://www.dokuwiki.org/changes#release_2014-09-29_hrun
http://en.wikipedia.org/wiki/Cross-site_scripting
========================

Updated packages in core/updates_testing:
========================
dokuwiki-20140929-1.2.mga4

Source RPMs: 
dokuwiki-20140929-1.2.mga4.src.rpm

Version: Cauldron => 4
Assignee: tarakbumba => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 3 David Walser 2014-12-16 22:43:50 CET

Works fine on Mageia 4 i586.

Whiteboard: (none) => MGA4-32-OK

Comment 4 Herman Viaene 2014-12-18 15:44:48 CET

MGA4-64 on HP Probook 6555b
Dokuwiki Installer opens, I did notgo any further

CC: (none) => herman.viaene
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 5 claire robinson 2014-12-18 22:40:49 CET

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-12-19 16:17:32 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0540.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2014-12-22 20:27:33 CET

(In reply to Mageia Robot from comment #6)
> An update for this issue has been pushed to Mageia Updates repository.
> 
> http://advisories.mageia.org/MGASA-2014-0540.html

The title of that page spelled the package name incorrectly.

URL: (none) => http://lwn.net/Vulnerabilities/627328/

Note You need to log in before you can comment on or make changes to this bug.