
Bug 316701

Summary: www-apps/mediawiki-1.15.3 "login CSRF" (CVE-2010-1150)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jesse, trapni, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.patch.gz
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 366685
Bug Blocks:

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-22 17:34:12 UTC
CVE-2010-1150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1150):
  MediaWiki before 1.15.3, and 1.16.x before 1.16.0beta2, does not
  properly handle a correctly authenticated but unintended login
  attempt, which makes it easier for remote authenticated users to
  conduct phishing attacks by arranging for a victim to login to the
  attacker's account and then execute a crafted user script, related to
  a "login CSRF" issue.
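The mechanism behind the CVE text above, as an added illustration that is not MediaWiki's code and not taken from the linked patch: a login handler that accepts any correctly authenticated POST lets a page on the attacker's site submit the attacker's own credentials from the victim's browser, so the victim's session ends up logged in as the attacker (after which any per-user script the attacker has set up would run in the victim's browser). The general fix is a random token bound to the visitor's session, rendered into the real login form and required on the POST; the attacker's page cannot read the victim's token. The form field names (wpName, wpPassword, wpLoginToken), the account store and the simulation helpers are assumptions made for the example, and the handler logic is a minimal stand-in, not what MediaWiki 1.15.3 actually ships.

```python
"""Added example (not MediaWiki code): login CSRF, vulnerable vs. token-checked.

The attacker's page auto-submits the wiki's login form with the *attacker's*
credentials. The victim's browser attaches the victim's session cookie, so the
victim's session becomes the attacker's account. A per-session login token
stops this because the attacker's page cannot read it.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed credential store for the demo (hypothetical accounts).
USERS = {"attacker": "attacker-pass", "victim": "victim-pass"}


@dataclass
class Session:
    """Server-side session state, looked up from the browser's cookie."""
    user: Optional[str] = None
    login_token: Optional[str] = None


@dataclass
class Request:
    method: str
    form: Dict[str, str] = field(default_factory=dict)
    session: Session = field(default_factory=Session)


def login_vulnerable(req: Request) -> str:
    """Pre-fix behaviour: any POST with valid credentials logs the session in,
    no matter which page built the form. Field names are assumed."""
    if req.method != "POST":
        return "form"
    name = req.form.get("wpName", "")
    if USERS.get(name) == req.form.get("wpPassword"):
        req.session.user = name
        return "logged in"
    return "bad credentials"


def login_fixed(req: Request) -> str:
    """Token-checked handler: rendering the form (GET) stores a fresh random
    token in the session; the POST must echo it back, or it is rejected."""
    if req.method != "POST":
        req.session.login_token = secrets.token_hex(16)
        return "form"
    expected = req.session.login_token or ""
    supplied = req.form.get("wpLoginToken", "")
    # Constant-time compare on bytes; a session that never rendered the form
    # has no token and therefore cannot pass.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or wrong login token"
    req.session.login_token = None  # single use
    name = req.form.get("wpName", "")
    if USERS.get(name) == req.form.get("wpPassword"):
        req.session.user = name
        return "logged in"
    return "bad credentials"


Handler = Callable[[Request], str]


def cross_site_login(handler: Handler) -> Optional[str]:
    """Simulate the attack: the victim has an anonymous wiki session and
    visits the attacker's page, which POSTs the attacker's credentials to the
    wiki. The browser sends the victim's cookie, so the POST carries the
    victim's Session. Returns who that session is logged in as afterwards."""
    victim_session = Session()
    forged = Request(
        method="POST",
        form={"wpName": "attacker", "wpPassword": "attacker-pass",
              # The attacker cannot read the victim's token; any value sent
              # from the cross-site form is a guess and will not match.
              "wpLoginToken": "guess"},
        session=victim_session,
    )
    handler(forged)
    return victim_session.user


def legitimate_login(handler: Handler) -> Optional[str]:
    """The victim loads the real form (GET), then submits it with its token."""
    session = Session()
    handler(Request(method="GET", session=session))
    token = session.login_token or ""
    handler(Request(method="POST", session=session, form={
        "wpName": "victim", "wpPassword": "victim-pass", "wpLoginToken": token}))
    return session.user


if __name__ == "__main__":
    print("vulnerable, cross-site POST ->", cross_site_login(login_vulnerable))
    print("fixed, cross-site POST      ->", cross_site_login(login_fixed))
    print("fixed, legitimate login     ->", legitimate_login(login_fixed))
```

The token only helps if it is generated per session and checked on the POST itself; a token that is global, guessable, or checked only on the GET that renders the form would still let the cross-site submission through.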
Comment 1 Tim Harder gentoo-dev 2010-10-11 01:07:05 UTC
I added mediawiki-1.15.5 to the tree a couple days ago which has fixes for this issue.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-09-27 16:50:10 UTC
A fixed package was stabilized via bug 366685. GLSA Vote: no.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 21:19:21 UTC
no too, and closing.