Bug 279189 - <www-apps/mediawiki-1.14.1 XSS (CVE requested)
Summary: <www-apps/mediawiki-1.14.1 XSS (CVE requested)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://lists.wikimedia.org/pipermail/...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-26 16:12 UTC by Alex Legler (RETIRED)
Modified: 2009-08-11 23:36 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-26 16:12:42 UTC
This is a security and bugfix release of MediaWiki 1.15.1 and 1.14.1.

A cross-site scripting (XSS) vulnerability was discovered in
[[Special:Block]]. Only versions 1.14.0, 1.15.0 and release candidates
for those releases are affected.

Cross-site scripting vulnerabilities allow an unprivileged attacker to
gain administrator access to the wiki by tricking an administrator
into viewing a page which emits a malicious script. The malicious
script may also be able to gain privileged access to other
applications on the same domain.

Other changes in these releases:

1.15.1:
* Fixed fatal errors for unusual file repository configurations, such as ForeignAPIRepo.
* Fixed the "change password" link on Special:Preferences to have the correct returnto parameter.

1.14.1:
* (bug 17737) Fixed Russian URLs for Special:BookSources
* (bug 17713) Using links with only an anchor no longer adds a dummy entry in the pagelinks table
* (bug 17897) Fixed string offset error in <pre> tags
* (bug 17832) Fixed action=delete returning 'unknownerror' instead of 'permissiondenied' when the user is blocked
* Fixed performance regression when accessing deleted (archived) files
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-26 16:14:04 UTC
Only the 1.14.0 in testing is affected.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-01 13:17:50 UTC
1.14 was stable on ppc, so...

Arches, please test and mark stable:
=www-apps/mediawiki-1.14.1
Target keywords : "ppc"
Comment 3 nixnut (RETIRED) gentoo-dev 2009-08-09 13:56:05 UTC
ppc stable
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-08-09 15:22:10 UTC
glsa: no
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-11 23:36:24 UTC
no, too. Closing.