Bug 161091 - www-apps/mediawiki-1.6.8 mediawiki-1.7.1 mediawiki-1.8.2 An XSS injection vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: C4 [noglsa]
Keywords:
Duplicates: 161167 162741
Depends on:
Blocks:
 
Reported: 2007-01-09 10:25 UTC by Philippe Trottier (RETIRED)
Modified: 2007-02-10 19:44 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---

Description Philippe Trottier (RETIRED) gentoo-dev 2007-01-09 10:25:35 UTC
1.8.2 is marked unstable.
1.6.8 and 1.7.1 are the stable versions.
1.5.8 and 1.4.15 have been removed from the tree, but that feature was NOT present and they should not be affected (to be verified / audited).

===============================================

Corrected versions are ready to go and are available less than 5 seconds after committing this bug.

===============================================

An XSS injection vulnerability was located in the AJAX support module,
affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax
is enabled.

There is no danger in the default configuration, with $wgUseAjax off.

If you are using an extension based on the optional Ajax module,
either disable it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.0rc2
* 1.8: fixed in 1.8.3
* 1.7: fixed in 1.7.2
* 1.6: fixed in 1.6.9

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_0RC2/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_8_3/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_7_2/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_9/phase3/RELEASE-NOTES

Download:
http://sourceforge.net/project/showfiles.php?group_id=34373

MD5 checksums:
747d79037d3b90494d7e8b956a6bb9a0  mediawiki-1.9.0rc2.tar.gz
9ef825abfcf0888b22571bbb097480f0  mediawiki-1.8.3.tar.gz
ef33231cb1689dc813f4b08e955f4b18  mediawiki-1.7.2.tar.gz
1ce42061b5f7ea6e4101826b969d2ee4  mediawiki-1.6.9.tar.gz

SHA-1 checksums:
1451e8a8a10f41e517c12ede266dd1a5a743d8fe mediawiki-1.9.0rc2.tar.gz
fa4daa4376b80f61be5925e6172daa76938d9bad mediawiki-1.8.3.tar.gz
f63468ce745bbda6d42f66fc64c713b4fd000ef2 mediawiki-1.7.2.tar.gz
a00bcc6b306a92234da0c2cd3d564869a15045a0 mediawiki-1.6.9.tar.gz
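Two checks an administrator would run in response to the advisory above, as an added example (not part of this bug report or of MediaWiki's own code): confirm whether the wiki's LocalSettings.php turns on $wgUseAjax, and verify a manually downloaded tarball against the SHA-1 digests listed above. The SHA-1 values are copied from the advisory; the script name, the path to LocalSettings.php and the tarball location are assumptions. On Gentoo itself, emerge verifies distfile digests from the ebuild's Manifest, so the checksum step is for installs done by hand.

```shell
#!/bin/sh
# mw-check.sh (assumed name): added example, not code from the bug or MediaWiki.
# Usage: sh mw-check.sh /path/to/LocalSettings.php [tarball ...]

# SHA-1 digests exactly as listed in the MediaWiki announcement,
# one "hash name" pair per line.
ADVISORY_SHA1='1451e8a8a10f41e517c12ede266dd1a5a743d8fe mediawiki-1.9.0rc2.tar.gz
fa4daa4376b80f61be5925e6172daa76938d9bad mediawiki-1.8.3.tar.gz
f63468ce745bbda6d42f66fc64c713b4fd000ef2 mediawiki-1.7.2.tar.gz
a00bcc6b306a92234da0c2cd3d564869a15045a0 mediawiki-1.6.9.tar.gz'

# expected_sha1 NAME: print the advisory digest for tarball NAME (empty if unknown).
expected_sha1() {
    printf '%s\n' "$ADVISORY_SHA1" | awk -v n="$1" '$2 == n { print $1 }'
}

# verify_sha1 FILE EXPECTED: succeed only if FILE's SHA-1 equals EXPECTED.
verify_sha1() {
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_tarball PATH: the basename of PATH must be one of the advisory's
# tarballs and its content must match the listed digest; fails otherwise.
verify_tarball() {
    exp=$(expected_sha1 "$(basename "$1")")
    [ -n "$exp" ] || return 1
    verify_sha1 "$1" "$exp"
}

# ajax_enabled LOCALSETTINGS: succeed if the file contains an uncommented
# "$wgUseAjax = true;". DefaultSettings.php ships with the option off, so an
# explicit override here is what exposes the Ajax module (an extension that
# flips the setting itself is not caught by this grep).
ajax_enabled() {
    grep -Eq '^[[:space:]]*\$wgUseAjax[[:space:]]*=[[:space:]]*true[[:space:]]*;' "$1"
}

# Only act when invoked with arguments, so the functions can be sourced for reuse.
if [ "$#" -gt 0 ]; then
    if ajax_enabled "$1"; then
        echo "$1: \$wgUseAjax is enabled; disable it or upgrade to a fixed release"
    else
        echo "$1: \$wgUseAjax not enabled here"
    fi
    shift
    for t in "$@"; do
        if verify_tarball "$t"; then
            echo "$t: SHA-1 matches the advisory"
        else
            echo "$t: SHA-1 MISMATCH or file name not in the advisory"
        fi
    done
fi
```

A typical invocation would be sh mw-check.sh /var/www/localhost/htdocs/wiki/LocalSettings.php mediawiki-1.8.3.tar.gz (both paths assumed). A matching digest only proves the file is the one the announcement describes; it does not authenticate the announcement itself, and once the SHA-1 matches the MD5 column above adds no further assurance.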
Comment 1 Philippe Trottier (RETIRED) gentoo-dev 2007-01-09 10:27:58 UTC
I know of at least 2 users having this feature turned on.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2007-01-09 20:04:26 UTC
Thanks, this is already public -> removing restriction.

Rating as C4, but I'm not sure about this rating. Reopen the bug or comment here if you disagree. C4 does not require a GLSA, and since all arches seem stable, we are done here.

Thanks
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2007-01-09 20:05:09 UTC
*** Bug 161167 has been marked as a duplicate of this bug. ***
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 19:44:24 UTC
*** Bug 162741 has been marked as a duplicate of this bug. ***