Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 135883 - www-apps/mediawiki-1.6.x (x<7) : XSS vuln
Summary: www-apps/mediawiki-1.6.x (x<7) : XSS vuln
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/20458/
Whiteboard: ~4 [noglsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-06-07 03:12 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-06-07 08:57 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-07 03:12:03 UTC 
crap, another XSS issue in the latest mediawiki. (~arched)

Please update to the 1.6.7 version, thanks in advance.

1.4 branch (stable) seems unaffected, but i can't confirm since the vuln is "unspecified" from Secunia SA 20458
Comment 1 Philippe Trottier (RETIRED) gentoo-dev 2006-06-07 03:45:57 UTC 
If we quote their own text,

"The vulnerability has been reported in versions 1.6.0 through 1.6.6."

Anytest we could do to verify this ?

I will create the new ebuild within the next 8 hours.
Comment 2 Philippe Trottier (RETIRED) gentoo-dev 2006-06-07 04:05:44 UTC 
Interesting enough, it works again with a simple version bump... problem is I cannot find an MD5 from their site to confirm it is the right one I downloaded. I don't know if this something we should complain about? 

Anyway 1.6.7 is in the world of Gentoo. I am quite sure it is the right one.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-07 04:14:44 UTC 
thanks again for the fastness, it's really great :) . I let your team check if everything is right.
Comment 4 Conrad Kostecki gentoo-dev 2006-06-07 08:07:16 UTC 
>>> Emerging (1 of 1) www-apps/mediawiki-1.6.7 to /
>>> checking ebuild checksums ;-)
>>> checking auxfile checksums ;-)
>>> checking miscfile checksums ;-)
>>> checking mediawiki-1.6.7.tar.gz
!!! Digest verification failed:
!!! /usr/portage/distfiles/mediawiki-1.6.7.tar.gz
!!! Reason: Filesize does not match recorded size
!!! Got: 2728980
!!! Expected: 12208
Comment 5 Philippe Trottier (RETIRED) gentoo-dev 2006-06-07 08:57:22 UTC 
For some reason, I installed the right tar ball, but my overlay got the webpage linking to it.  Commited and it should be fixed with the right file.