Summary: | www-apps/mediawiki <1.13.3, <1.12.2 and <1.6.11 Multiple XSS and information disclosure (CVE-2008-{5249,5250,5252,5687}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Bruno Buss <bruno.buss> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | mail, web-apps |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-December/000080.html | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Bruno Buss
2008-12-15 16:16:30 UTC
Oops, changing from ~4 to B4 because 1.11.2 is also vulnerable.

Version bump please.

Version 1.12.2 had a packaging problem (see http://marc.info/?l=mediawiki-l&m=122956897708135&w=2) - it's 1.12.3 now.

Name: CVE-2008-5687
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5687
Published: 2008-12-19
Severity: Medium
Description: MediaWiki 1.11 through 1.13.3 does not properly protect against the download of backups of deleted images, which might allow remote attackers to obtain sensitive information via requests for files in images/deleted/.

1.12.3 and 1.13.3 are in the tree and 1.11.x has no fixed release as far as I can see. So we need to stabilize something. I'd suggested stabilizing 1.12.3, but it has a QA issue:

* QA Notice: file does not exist:
* doins: skins/htmldump/* does not exist

which I fixed for 1.13, and actually I don't want to spend more time incorporating the fix into 1.12. So, please, stabilize 1.13.3.

(In reply to comment #4)
> 1.12.3 and 1.13.3 are in the tree and 1.11.x has no fixed release as far as I can see. So
> we need to stabilize something. I'd suggested stabilizing 1.12.3, but it has a QA issue:
>
> * QA Notice: file does not exist:
> * doins: skins/htmldump/* does not exist
>
> which I fixed for 1.13, and actually I don't want to spend more time
> incorporating the fix into 1.12. So, please, stabilize 1.13.3.
>

MediaWiki doesn't support 1.11.x anymore. I agree with 1.13.3 stabilization, and after that, may we remove 1.11.2?

Arches, please test and mark stable:
=www-apps/mediawiki-1.13.3
Target keywords : "amd64 ppc sparc x86"

sparc stable

ppc stable

x86 stable

amd64 stable

Ready for vote, I vote NO.

No, too.

Closing.
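The CVE-2008-5687 entry above says only that requests for files under images/deleted/ can succeed on affected versions. The script below is an added example, not code from MediaWiki, Gentoo or anyone in this bug: it audits a MediaWiki images/ tree on disk and reports which archived deleted files a web client could fetch. It assumes the layout the advisory names (archived copies of deleted uploads under images/deleted/) and that images/ is served directly by Apache with AllowOverride in effect, so a deny-all .htaccess inside images/deleted/ is what blocks direct downloads. The hashed subdirectory names and the sample file are constructed for the example.

```python
"""Audit a MediaWiki images/ tree for web-reachable deleted-file backups.

Added example; this is not MediaWiki's or Gentoo's code. It assumes the
layout named in CVE-2008-5687 (archived copies of deleted uploads live under
images/deleted/) and that images/ is served directly by Apache with
AllowOverride enabled, so a deny-all .htaccess in images/deleted/ is what
blocks direct requests for those files.
"""
import os
import re
import tempfile

# Deny-all directives for Apache 2.2 ("Deny from all") and 2.4 ("Require all denied").
_DENY_ALL = re.compile(
    r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def htaccess_denies_all(htaccess_path):
    """True if the .htaccess exists and carries an unconditional deny rule."""
    if not os.path.isfile(htaccess_path):
        return False
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        return _DENY_ALL.search(fh.read()) is not None


def audit_deleted_dir(images_dir):
    """Summarise what a web client could fetch from images/deleted/.

    Returns a dict:
      present  - images/deleted/ exists under images_dir
      blocked  - images/deleted/.htaccess denies all requests
      archived - every archived file, as a forward-slash path relative to images/
      exposed  - the same list when nothing blocks direct download, else []
    """
    deleted = os.path.join(images_dir, "deleted")
    report = {"present": os.path.isdir(deleted), "blocked": False,
              "archived": [], "exposed": []}
    if not report["present"]:
        return report
    report["blocked"] = htaccess_denies_all(os.path.join(deleted, ".htaccess"))
    for root, _dirs, files in os.walk(deleted):
        for name in files:
            if name == ".htaccess":
                continue
            rel = os.path.relpath(os.path.join(root, name), images_dir)
            report["archived"].append(rel.replace(os.sep, "/"))
    report["archived"].sort()
    if not report["blocked"]:
        report["exposed"] = list(report["archived"])
    return report


def build_fixture(with_htaccess):
    """Create a constructed images/ tree in a temp dir and return its path.

    The hashed subdirectories and the file name are made up for the example;
    only the images/deleted/ location is taken from the advisory.
    """
    images = os.path.join(tempfile.mkdtemp(), "images")
    leaf = os.path.join(images, "deleted", "a", "b", "c")
    os.makedirs(leaf)
    with open(os.path.join(leaf, "abc123.png"), "wb") as fh:
        fh.write(b"\x89PNG constructed sample, not a real upload")
    if with_htaccess:
        with open(os.path.join(images, "deleted", ".htaccess"), "w") as fh:
            fh.write("Deny from all\n")  # Apache 2.2 syntax
    return images


if __name__ == "__main__":
    # Unguarded tree first (the CVE-2008-5687 condition), then a guarded one.
    for guarded in (False, True):
        rep = audit_deleted_dir(build_fixture(guarded))
        print("guarded=%s blocked=%s exposed=%s"
              % (guarded, rep["blocked"], rep["exposed"]))
```

Run it against a real install as `audit_deleted_dir("/var/www/wiki/images")` and treat a non-empty `exposed` list as a finding. The .htaccess check only means something if the directory is actually served by Apache with AllowOverride honoured; behind nginx or with AllowOverride None it reports "blocked" for a rule the server never reads, so pair it with an HTTP request for one of the listed paths. Moving the deleted-file archive outside the document root (check DefaultSettings.php of your release for the setting that controls that directory) removes the exposure regardless of web server configuration.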