
Bug 127971

Summary: www-apps/mediawiki: upgrade to 1.4.15 due to vulnerability (CVE-2006-1498)
Product: Gentoo Security
Reporter: Aurélien Requiem <bugs>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: trapni
Priority: High
Version: unspecified
Hardware: All
OS: Other
Whiteboard: B4 [glsa] DerCorny
Package list:
Runtime testing required: ---

Description Aurélien Requiem 2006-03-29 04:48:42 UTC
Hello

mediawiki should be upgraded in portage to the following versions:
- 1.5.8
- 1.4.15
- 1.3.18

As described on the homepage (http://www.mediawiki.org/wiki/MediaWiki) there are some html/xss injections.

Older versions may be removed from portage?
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-29 06:17:59 UTC
hi web-apps, do you want to provide an ebuild for 1.4.15 or should we go for a stable marking of 1.5.8?
Comment 2 Christian Parpart (RETIRED) gentoo-dev 2006-03-29 09:17:12 UTC
I'd vote for both.

Although, I already bumped 1.5.8 as it came out, but I must have missed the 1.4.15 release.

1.4.15 is in the tree now as well. thanks for the notice :)

(I do not close this bug as it's kinda security-assigned, so please do so if you feel fine with all)
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-29 09:33:56 UTC
arches, please test and mark 1.4.15 or 1.5.8 stable, thank you.
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-29 10:32:49 UTC
trapni, please don't bump security bugs directly to stable. Would you or somebody from the arches team please remove the stable keywords for any arch this wasn't tested on? Thanks.
Comment 5 Christian Parpart (RETIRED) gentoo-dev 2006-03-29 11:00:58 UTC
um, yeah, okay - as it was a security (bugfix only) release, and 1.4.14 was already marked stable, I didn't mind stable-marking them all.

For amd64 I could speak that it runs just fine for the 1.5.x line as I'm using it in production since it's out (w/o any problems so far).
Comment 6 Mark Loeser (RETIRED) gentoo-dev 2006-03-29 18:07:20 UTC
Well, it looks like 1.4.15 is already stable on x86.

trapni: as stated, in the future please don't bump stuff straight to stable.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2006-03-29 20:01:44 UTC
Removing SPARC as 1.4.15 works and was already keyworded stable
Comment 8 Simon Stelling (RETIRED) gentoo-dev 2006-03-30 01:54:09 UTC
trapni is in the amd64 team, so that works with me
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-30 03:05:41 UTC
CVE-2006-1498
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-04-01 02:56:35 UTC
Bad Product/component
Comment 11 nixnut (RETIRED) gentoo-dev 2006-04-01 07:21:49 UTC
1.4.15 tested and found ok on ppc, so the ppc keyword can stay.
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-01 07:32:36 UTC
ready for glsa decision. weak yes here, mainly because we issued GLSAs for XSS in mediawiki in the past.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-01 07:43:44 UTC
(In reply to comment #12)
> ready for glsa decision. weak yes here, mainly because we issued GLSAs for XSS
> in mediawiki in the past.
> 

Last one was on 2005-07-20, AFAIK.

Vote 0.5 yes.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-01 10:48:56 UTC
Tend to vote YES on this one.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2006-04-02 00:58:07 UTC
XSS and injection in publicly writable websites (forums, wikis...) is evil. So I vote yes.
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-04 05:09:38 UTC
GLSA 200604-01

Thanks everybody.