A CVE has been assigned for an issue fixed upstream in 20140929c:
http://openwall.com/lists/oss-security/2015/03/02/2

This was from a security hotfix:
https://www.dokuwiki.org/changes#release_2014-09-29c_hrun

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
(In reply to David Walser from comment #0)
> A CVE has been assigned for an issue fixed upstream in 20140929c:
> http://openwall.com/lists/oss-security/2015/03/02/2
>
> This was from a security hotfix:
> https://www.dokuwiki.org/changes#release_2014-09-29c_hrun
>
> Reproducible:
>
> Steps to Reproduce:

Committed in svn and asked for freeze push for Cauldron.
Updated packages uploaded for Mageia 4 and Cauldron. Thanks Atilla!

Advisory:
========================

Updated dokuwiki package fixes security vulnerability:

DokuWiki before 20140929c has a security issue in the ACL plugin's remote API component. The plugin failed to check for superuser permissions before executing ACL addition or deletion. This means everybody with permissions to call the XMLRPC API also had permissions to set up their own ACL rules and thus circumvent any existing rules (CVE-2015-2172).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2172
https://github.com/splitbrain/dokuwiki/issues/1056
https://www.dokuwiki.org/changes#release_2014-09-29c_hrun
========================

Updated packages in core/updates_testing:
========================
dokuwiki-20140929-1.3.mga4

from dokuwiki-20140929-1.3.mga4.src.rpm

CC: (none) => tarakbumba
Version: Cauldron => 4
Assignee: tarakbumba => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
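The advisory above describes a missing authorization check: an XML-RPC method that edits ACL rules without first confirming the caller is a superuser. The following is an added illustration, not DokuWiki's own code: a small in-memory model of an ACL remote endpoint with the unchecked "before" method next to a "fixed" method that refuses non-superusers. The class and method names (AclRemote, add_acl_vulnerable, add_acl_fixed, del_acl_fixed), the Session type, the superuser list and the sample rules are all assumptions made for the example.

```python
"""Model of the authorization gap in an ACL remote API (added example).

Not DokuWiki code: names, the Session type and the sample data are
assumptions chosen to illustrate the bug class described in the advisory.
"""
from dataclasses import dataclass, field


class RemoteAccessDenied(Exception):
    """Raised when a caller lacks the permission a remote method requires."""


@dataclass
class Session:
    """Authenticated API caller (assumed shape, not DokuWiki's session)."""
    user: str
    groups: set = field(default_factory=set)


class AclRemote:
    """ACL rules keyed by (scope, subject) -> permission level."""

    def __init__(self, superusers, admin_group="admin", rules=None):
        self.superusers = set(superusers)
        self.admin_group = admin_group
        self.rules = dict(rules or {})

    def is_admin(self, session):
        # Superuser status comes from the configured superuser list or
        # membership in the admin group; API access alone is not enough.
        return session.user in self.superusers or self.admin_group in session.groups

    # --- "before": any caller allowed to use the API may rewrite the ACL ---
    def add_acl_vulnerable(self, session, scope, subject, level):
        self.rules[(scope, subject)] = level
        return True

    def del_acl_vulnerable(self, session, scope, subject):
        return self.rules.pop((scope, subject), None) is not None

    # --- "after": superuser check before any ACL modification ---
    def add_acl_fixed(self, session, scope, subject, level):
        if not self.is_admin(session):
            raise RemoteAccessDenied("superuser permission is required")
        self.rules[(scope, subject)] = level
        return True

    def del_acl_fixed(self, session, scope, subject):
        if not self.is_admin(session):
            raise RemoteAccessDenied("superuser permission is required")
        return self.rules.pop((scope, subject), None) is not None


def demo():
    """Run a low-privileged caller against both variants; return what happened."""
    # Constructed sample data: one admin, one ordinary API user, one rule.
    start = {("secret:*", "@ALL"): 0}
    mallory = Session("mallory", {"user"})
    admin = Session("admin", {"admin"})

    vuln = AclRemote(superusers=["admin"], rules=start)
    # Ordinary user grants themselves full access to the restricted namespace.
    vuln.add_acl_vulnerable(mallory, "secret:*", "mallory", 16)

    fixed = AclRemote(superusers=["admin"], rules=start)
    denied = False
    try:
        fixed.add_acl_fixed(mallory, "secret:*", "mallory", 16)
    except RemoteAccessDenied:
        denied = True
    # The same change is still possible for a real superuser.
    fixed.add_acl_fixed(admin, "secret:*", "mallory", 16)

    return {
        "vuln_rule_added": ("secret:*", "mallory") in vuln.rules,
        "fixed_denied_for_user": denied,
        "fixed_allowed_for_admin": fixed.rules.get(("secret:*", "mallory")) == 16,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the check sits: it must run inside every mutating remote method (add and delete alike), not only in the web UI that normally fronts the ACL manager, because the XML-RPC endpoint is a second entry point to the same data.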
Severity: normal => major
Tested on mga4 64 & 32 bit virtualbox installs.

Attempted login with null byte insertion according to notes provided by
http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
with no success. Connection attempts to the active directory provided (@54.68.122.145) returned invalid credentials using both authad and authldap, so tried inserting a null byte to the local ldap server. Confirmed proxpy was replacing 'NULLBYTE' with url-encoded %00 using the user name field and either routing through the proxy or connecting directly. Dokuwiki didn't query the ldap server for the username and password, and login failed when attempting to insert a null byte at the beginning of the password field. Same when inserting the null byte into both the user name and password fields.

After updating, dokuwiki continues to run without problems. Also installed fresh; enabling and configuring the authldap plugin worked without incident.

Everything seems to be working OK.
========================

Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates? Thanks much.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
Thanks William. Advisory uploaded.
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0093.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/635766/