Bug 14807 - dokuwiki new security issue CVE-2014-9253
Summary: dokuwiki new security issue CVE-2014-9253
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/627328/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-15 19:58 CET by David Walser
Modified: 2014-12-22 20:27 CET (History)

See Also:
Source RPM: dokuwiki-20140929-1.1.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-12-15 19:58:43 CET
A CVE has been assigned for an issue fixed upstream in 20140929b:
http://openwall.com/lists/oss-security/2014/12/15/4

This was from a security hotfix:
https://www.dokuwiki.org/changes#release_2014-09-29_hrun

Mageia 4 is also affected.

David Walser 2014-12-15 19:58:52 CET

Whiteboard: (none) => MGA4TOO

Comment 1 Atilla ÖNTAŞ 2014-12-15 22:51:40 CET
Updated and submitted to Cauldron. Will prepare an advisory for Mga4 soon.
Comment 2 Atilla ÖNTAŞ 2014-12-15 23:13:22 CET
I have uploaded an updated dokuwiki package for Mageia 4.

Suggested advisory:
========================

Updated dokuwiki package fixes a security vulnerability:

Our current dokuwiki-20140929-1.1.mga4 package uses the dokuwiki-2014-09-29a source, which allows swf (application/x-shockwave-flash) uploads by default. This may be used for a cross-site scripting (XSS) attack, which enables attackers to inject client-side script into web pages viewed by other users (CVE-2014-9253).

This update uses the dokuwiki-2014-09-29b hotfix source, which disables swf uploads by default and fixes the issue.

References:
http://openwall.com/lists/oss-security/2014/12/15/4
http://security.szurek.pl/dokuwiki-20140929a-xss.html
https://www.dokuwiki.org/changes#release_2014-09-29_hrun
http://en.wikipedia.org/wiki/Cross-site_scripting
========================

Updated packages in core/updates_testing:
========================
dokuwiki-20140929-1.2.mga4

Source RPMs: 
dokuwiki-20140929-1.2.mga4.src.rpm

Version: Cauldron => 4
Assignee: tarakbumba => qa-bugs
Whiteboard: MGA4TOO => (none)
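The fix described in the advisory above is a configuration change: the upload allowlist no longer contains the swf extension, so the wiki never stores a Flash file that a browser could later render from the wiki's own origin. The following is an added example, not DokuWiki's or Mageia's code, showing how such an allowlist check works and how a packager could audit a configuration for the risky entry. The `conf/mime.conf`-style format used here (one `ext mime/type` pair per line, `#` comments, a leading `!` on the type meaning "serve as download") is an assumption modelled on DokuWiki's documented file, and both sample configurations are constructed for the demo.

```python
"""Upload extension allowlist in the style of DokuWiki's conf/mime.conf.

Added example (not DokuWiki or Mageia code). The file format is an
assumption modelled on DokuWiki's mime.conf; the two configurations
below are constructed: one with the pre-hotfix swf entry, one without.
"""
from typing import Dict, List, NamedTuple, Optional


class MimeRule(NamedTuple):
    mime: str            # MIME type the file will be served with
    force_download: bool  # '!' prefix: send as attachment, never inline


def parse_mime_conf(text: str) -> Dict[str, MimeRule]:
    """Parse 'ext  mime/type' lines into an extension -> rule map."""
    rules: Dict[str, MimeRule] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            continue                          # ignore malformed lines rather than guess
        ext, mime = parts
        force = mime.startswith("!")
        rules[ext.lower()] = MimeRule(mime.lstrip("!"), force)
    return rules


def check_upload(filename: str, rules: Dict[str, MimeRule]) -> Optional[MimeRule]:
    """Return the matching rule if the upload's extension is allowlisted, else None.

    Only the final extension counts, matched case-insensitively, so
    'Banner.SWF' is treated like 'banner.swf'.
    """
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return None                           # no extension: reject
    ext = name.rsplit(".", 1)[1].lower()
    return rules.get(ext)


FLASH_MIME = "application/x-shockwave-flash"


def audit_rules(rules: Dict[str, MimeRule]) -> List[str]:
    """List extensions that would let a Flash file be served inline.

    A '!'-prefixed entry is not flagged: forced download stops the
    browser from rendering the file in the wiki's origin.
    """
    return sorted(
        ext for ext, rule in rules.items()
        if rule.mime == FLASH_MIME and not rule.force_download
    )


# constructed: allowlist in the pre-hotfix shape, swf allowed
MIME_CONF_BEFORE = """
# extension   mime type
jpg           image/jpeg
png           image/png
pdf           application/pdf
swf           application/x-shockwave-flash
"""

# constructed: post-hotfix shape, swf entry removed
MIME_CONF_AFTER = """
# extension   mime type
jpg           image/jpeg
png           image/png
pdf           application/pdf
"""


if __name__ == "__main__":
    before = parse_mime_conf(MIME_CONF_BEFORE)
    after = parse_mime_conf(MIME_CONF_AFTER)
    print("before hotfix, banner.swf:", check_upload("banner.swf", before))
    print("after hotfix,  banner.swf:", check_upload("banner.swf", after))
    print("risky entries before:", audit_rules(before))
    print("risky entries after: ", audit_rules(after))
```

The audit function is what a package maintainer would run against a shipped `mime.conf` to confirm the hotfix state: an empty list means no extension maps to the Flash type without forced download.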

Comment 3 David Walser 2014-12-16 22:43:50 CET
Works fine on Mageia 4 i586.

Whiteboard: (none) => MGA4-32-OK

Comment 4 Herman Viaene 2014-12-18 15:44:48 CET
MGA4-64 on HP Probook 6555b
Dokuwiki Installer opens, I did not go any further

CC: (none) => herman.viaene
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 5 claire robinson 2014-12-18 22:40:49 CET
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-12-19 16:17:32 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0540.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2014-12-22 20:27:33 CET
(In reply to Mageia Robot from comment #6)
> An update for this issue has been pushed to Mageia Updates repository.
> 
> http://advisories.mageia.org/MGASA-2014-0540.html

The title of that page spelled the package name incorrectly.

URL: (none) => http://lwn.net/Vulnerabilities/627328/