
Bug 279189

Summary: <www-apps/mediawiki-1.14.1 XSS (CVE requested)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: trapni, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-July/000087.html
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-26 16:12:42 UTC
This is a security and bugfix release of MediaWiki 1.15.1 and 1.14.1.

A cross-site scripting (XSS) vulnerability was discovered in
[[Special:Block]]. Only versions 1.14.0, 1.15.0 and release candidates
for those releases are affected.

Cross-site scripting vulnerabilities allow an unprivileged attacker to
gain administrator access to the wiki by tricking an administrator
into viewing a page which emits a malicious script. The malicious
script may also be able to gain privileged access to other
applications on the same domain.

Other changes in these releases:

1.15.1:
* Fixed fatal errors for unusual file repository configurations, such
as ForeignAPIRepo.
* Fixed the "change password" link on Special:Preferences to have the
correct returnto parameter.

1.14.1:
* (bug 17737) Fixed Russian URLs for Special:BookSources
* (bug 17713) Using links with only an anchor no longer adds a dummy
entry in the pagelinks table
* (bug 17897) Fixed string offset error in <pre> tags
* (bug 17832) Fixed action=delete returning 'unknownerror' instead of
'permissiondenied' when the user is blocked
* Fixed performance regression when accessing deleted (archived) files
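The bug summary uses the ebuild range "<www-apps/mediawiki-1.14.1", which is coarser than the affected set the announcement actually states (1.14.0, 1.15.0 and their release candidates; 1.14.1 and 1.15.1 fixed). The following is an added triage helper, not code from the bug or from MediaWiki, that encodes the announcement's affected set; it assumes upstream-style version strings such as "1.15.0rc2" and the Gentoo "_rc" spelling such as "1.15.0_rc2".

```python
import re
from typing import Optional, Tuple

# Affected set taken from the announcement quoted above: 1.14.0, 1.15.0 and
# the release candidates of those two releases. 1.14.1 and 1.15.1 are fixed.
AFFECTED_BASE = {(1, 14, 0), (1, 15, 0)}
FIXED_RELEASE = {(1, 14): "1.14.1", (1, 15): "1.15.1"}

# Accepts upstream tarball versions ("1.15.0rc2") and the Gentoo ebuild
# spelling ("1.15.0_rc2"); anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_?rc(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], Optional[int]]:
    """Return ((major, minor, patch), rc) for a MediaWiki version string.

    A missing patch level is read as 0 ("1.14" -> 1.14.0); rc is None for
    final releases.
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised MediaWiki version: {version!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)


def is_affected(version: str) -> bool:
    """True for 1.14.0, 1.15.0 and any rc of those two; False otherwise."""
    base, _rc = parse_version(version)
    return base in AFFECTED_BASE


def triage(version: str) -> str:
    """One-line verdict for an installed version, per the announcement."""
    base, _rc = parse_version(version)
    if base in AFFECTED_BASE:
        fixed = FIXED_RELEASE[base[:2]]
        return f"{version}: affected (Special:Block XSS), upgrade to {fixed}"
    if base < (1, 14, 0):
        return f"{version}: not affected (branch not listed as vulnerable)"
    return f"{version}: not affected (at or past the fixed release)"


if __name__ == "__main__":
    # Constructed sample inputs covering the affected, rc and fixed cases.
    for v in ("1.13.5", "1.14.0_rc1", "1.14.0", "1.14.1", "1.15.0rc2", "1.15.1"):
        print(triage(v))
```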
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-26 16:14:04 UTC
Only the 1.14.0 in testing is affected.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-01 13:17:50 UTC
1.14 was stable on ppc, so...

Arches, please test and mark stable:
=www-apps/mediawiki-1.14.1
Target keywords : "ppc"
Comment 3 nixnut (RETIRED) gentoo-dev 2009-08-09 13:56:05 UTC
ppc stable
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-08-09 15:22:10 UTC
glsa: no
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-11 23:36:24 UTC
no, too. Closing.