A CVE has been assigned for an issue fixed upstream in 20140929b: http://openwall.com/lists/oss-security/2014/12/15/4
This was from a security hotfix: https://www.dokuwiki.org/changes#release_2014-09-29_hrun
Mageia 4 is also affected.
Whiteboard: (none) => MGA4TOO
Updated and submitted to Cauldron. Will prepare an advisory for Mga4 soon.
I have uploaded an updated dokuwiki package for Mageia 4.

Suggested advisory:
========================

Updated dokuwiki package fixes a security vulnerability:

Our current dokuwiki-20140929-1.1.mga4 package uses dokuwiki-2014-09-29a source which allows swf (application/x-shockwave-flash) uploads by default. This may be used for Cross-site scripting (XSS) attack which enables attackers to inject client-side script into Web pages viewed by other users. (CVE-2014-9253). This update uses dokuwiki-2014-09-29b hotfix source which disables swf uploads by default and fixes the issue.

References:
http://openwall.com/lists/oss-security/2014/12/15/4
http://security.szurek.pl/dokuwiki-20140929a-xss.html
https://www.dokuwiki.org/changes#release_2014-09-29_hrun
http://en.wikipedia.org/wiki/Cross-site_scripting
========================

Updated packages in core/updates_testing:
========================
dokuwiki-20140929-1.2.mga4

Source RPMs:
dokuwiki-20140929-1.2.mga4.src.rpm
Version: Cauldron => 4
Assignee: tarakbumba => qa-bugs
Whiteboard: MGA4TOO => (none)
Works fine on Mageia 4 i586.
Whiteboard: (none) => MGA4-32-OK
MGA4-64 on HP Probook 6555b. Dokuwiki Installer opens, I did not go any further.
CC: (none) => herman.viaene
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0540.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
(In reply to Mageia Robot from comment #6)
> An update for this issue has been pushed to Mageia Updates repository.
>
> http://advisories.mageia.org/MGASA-2014-0540.html

The title of that page spelled the package name incorrectly.
URL: (none) => http://lwn.net/Vulnerabilities/627328/